Personal information belonging to more than 10 lakh (over one million) students in North America has been exposed. The affected students were users of the OneClass platform, which they used to access study guides and educational assistance.
According to a report published by researchers led by Noam Rotem and Ran Locar at vpnMentor, “By not securing its users’ data, OneClass has created a goldmine for criminal hackers, jeopardizing the privacy and security of over a million young people and their families.” The leaked information included full names, email addresses (some masked), schools and universities attended, phone numbers, school and university course enrollment details, and OneClass account details.
Speaking to SC Media about the incident, the researchers said, “Hackers can extract value from PII in many ways; specifically here, getting such a huge database of people who are making online purchases is a valuable commodity in the cybercriminal community.” “This information can be used to pivot to other online services the users are using and exploit them as well.”
The vpnMentor researchers discovered the exposed database on May 20 and contacted the vendor on May 25. OneClass responded to the message on May 26 and took down the database, claiming that it was a test server whose data “had no relation to real individuals,” the researchers wrote. That claim does not match what the researchers found.
“The exposed database was built on an Elasticsearch framework, and it was hosted on AWS but left completely unsecured,” vpnMentor said. “It contained over 27 GB of data, totaling 8.9 million records, and exposed over one million individual OneClass users.”
While doing their investigation, they “had used publicly available information to verify a small sample of records in the database,” the researchers wrote and were able to use the PII data to find “the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database,” which cast doubt on the e-learning company’s claim. “We can’t know what they were thinking, but we can assume, based on previous experience, many companies use live data in their development and staging environments and treat it less securely although it’s real live data,” the researchers told SC Media. “All the data we checked was linked to real people, both for professors and students/users.”