[BreachExchange] K12.com exposed 7 million student records for a week

Destry Winant destry at riskbasedsecurity.com
Fri Jul 12 09:59:30 EDT 2019


https://www.engadget.com/2019/07/10/k12-exposed-student-data/

K12.com, an online education platform, inadvertently exposed the
personal information of nearly seven million students, according to
security researchers at Comparitech. The exposed database contained
full names, email addresses, birthdates and gender identities, as well
as the school that the students attend, authentication keys for
accessing their accounts and other internal data. The information was
available online for more than one week, and it's unclear if the
database was at any point accessed by malicious actors. Engadget
reached out to K12.com for additional information regarding the data
exposure and will update this story if we hear back.

According to the researchers who discovered the exposure, the issue
affected K12.com's A+nyWhere Learning System (A+LS), which is utilized
by more than 1,100 school districts in the US. The database was
misconfigured, resulting in it being publicly accessible and
discoverable on BinaryEdge and Shodan, two search engines that
specialize in indexing public-facing databases. The exposure, which
was discovered on June 25th, first occurred on June 23rd and wasn't
fixed until July 1st.

It's become shockingly common for misconfigured databases to expose
huge swaths of personal information collected and held by companies.
Just in the last few months, public-facing databases have exposed
contact information for Instagram influencers, the medical records of
rehab patients, and subscribers to AMC Networks premium services. In one
instance, a database containing sensitive information on more than 80
million households in the US was discovered. In these cases, it's
difficult to determine if anyone malicious accessed the information.

