[BreachExchange] OneClass unsecured S3 bucket exposes PII on more than one million students, instructors

Destry Winant destry at riskbasedsecurity.com
Mon Jun 29 10:13:16 EDT 2020


An unsecured database belonging to remote learning platform OneClass has
exposed information associated with more than a million students in
North America who use the platform to access study guides and
educational assistance.

“By not securing its users’ data, OneClass has created a goldmine for
criminal hackers, jeopardizing the privacy and security of over a
million young people and their families,” according to a report from
researchers led by Noam Rotem and Ran Locar at vpnMentor.

Info exposed included full names, email addresses (some masked),
schools and universities attended, phone numbers, school and
university course enrollment details and OneClass account details.

“Hackers can extract value from PII in many ways; specifically here,
getting such a huge database of people who are making online purchases
is a valuable commodity in the cybercriminal community,” the
researchers told SC Media. “This information can be used to pivot to
other online services the users are using, and exploit them as well.”

The vpnMentor researchers discovered the database on May 20 and
contacted the vendor on May 25. OneClass responded a day later and
took down the database, claiming that it was a test server whose data
“had no relation to real individuals,” the researchers wrote. But that
claim doesn’t jibe with the researchers’ findings.

“The exposed database was built on an Elasticsearch framework and it
was hosted on AWS, but left completely unsecured,” vpnMentor said. “It
contained over 27 GB of data, totaling 8.9 million records, and
exposed over one million individual OneClass users.”
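The failure mode described here is an Elasticsearch node reachable from the internet with no authentication in front of it: anyone who can connect can ask it for its cluster banner and then for every index and document count. The following Python script is an added example (it is not the vpnMentor researchers' tooling and is not from the SC Media article) of the check a practitioner would run against their own cluster before trusting that a "test server" is locked down. The hostname, the JSON responses and the index names are constructed stand-ins; the `fetch` parameter lets the same logic run offline against those samples.

```python
"""Check whether an Elasticsearch endpoint answers unauthenticated requests.

Added example; not code from the vpnMentor report or the SC Media article.
The host below and the sample JSON responses are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

# Constructed responses standing in for an exposed cluster (hypothetical data;
# the document counts are chosen to echo the 8.9 million figure in the report).
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "6.8.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"index": "users", "docs.count": "1050000", "store.size": "9gb"},
    {"index": "courses", "docs.count": "7850000", "store.size": "18gb"},
])


def http_get(url, timeout=5):
    """Plain GET with no credentials; returns (status, body).

    Raises urllib.error.URLError when the host cannot be reached at all.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_elasticsearch(base_url, fetch=http_get):
    """Describe whether base_url exposes data without authentication.

    A hardened node answers GET / with 401/403 (security enabled) or is not
    reachable from the probing host at all. An exposed node returns its banner
    and, worse, the full index list with document counts via /_cat/indices.
    """
    base = base_url.rstrip("/")
    result = {"url": base, "reachable": False, "unauthenticated": False,
              "version": None, "indices": [], "total_docs": 0}
    try:
        status, body = fetch(base + "/")
    except urllib.error.URLError:
        return result  # not reachable from here; nothing to assess
    result["reachable"] = True
    if status in (401, 403):
        return result  # authentication is enforced
    try:
        banner = json.loads(body)
    except ValueError:
        return result  # something else is listening; not an ES banner
    if banner.get("tagline") != "You Know, for Search":
        return result
    result["unauthenticated"] = True
    result["version"] = banner.get("version", {}).get("number")

    # With no auth, the index listing shows exactly how much data is exposed.
    status, body = fetch(base + "/_cat/indices?format=json")
    if status == 200:
        for idx in json.loads(body):
            name = idx.get("index", "")
            count = int(idx.get("docs.count") or 0)
            result["indices"].append((name, count))
            result["total_docs"] += count
    return result


def fake_fetch_exposed(url):
    """Stand-in fetcher returning the constructed responses above."""
    if url.endswith("/_cat/indices?format=json"):
        return 200, SAMPLE_INDICES
    return 200, SAMPLE_ROOT


def fake_fetch_secured(url):
    """Stand-in fetcher for a node with security enabled."""
    return 401, '{"error":{"type":"security_exception"}}'


if __name__ == "__main__":
    # Offline demonstration against the constructed responses; pass a real
    # URL with the default fetch to probe an actual node you are authorised to test.
    print(probe_elasticsearch("http://es.example.invalid:9200", fetch=fake_fetch_exposed))
    print(probe_elasticsearch("http://es.example.invalid:9200", fetch=fake_fetch_secured))
```

The banner check alone is the important signal: if `GET /` comes back with a version string instead of a 401, the node is open, and the index listing merely quantifies the damage. A "test server" that passes this check but holds production records is still a breach waiting to happen, which is the point the researchers make about live data in staging environments.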

During their investigation, they “had used publicly available
information to verify a small sample of records in the database,” the
researchers wrote, and were able to use the PII data to find “the
social profiles of lecturers and other users on various platforms that
matched the records in OneClass’s database,” casting doubt on the
e-learning company’s claim. “We can’t know what they were thinking,
but we can assume, based on previous experience, many companies use
live data in their development and staging environments, and treat it
less securely although it’s real live data,” the researchers told SC
Media. “All the data we checked was linked to real people, both for
professors and students/users.”
