Security researchers have recently discovered a leaky database belonging to the e-learning platform OneClass, a remote learning tool that provides educational assistance and study guides to millions of North American students.
Uncovered by vpnMentor researchers during a routine Internet scan, the 27GB database includes 8.9 million records, and is estimated to have improperly stored personal information of more than 1 million students, including those who had their membership rejected by the platform.
The exposed records contained personally identifiable information (PII) including full names, email addresses (some masked), schools and universities attended, phone numbers, course enrollment data, and OneClass account details.
Researchers noted that some of the information could even be linked to minors, since the e-learning platform allows students as young as 13 to register. Additionally, some of the findings include educational data such as faculty details and access to different textbooks and online exercises.
The investigators contacted the company on May 25, and OneClass was able to secure the server within 24 hours. However, the company denied any impact, claiming that it was a test server, and the data could not be linked to actual students.
“In response, OneClass immediately secured the database but claimed that it was a test server, and any data stored within had no relation to real individuals,” researchers said. “However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database.”
Company officials provided no additional comments or statements. Since it is not clear if any malicious actor also found the data, the extent of the data breach can only be speculated.
If bad actors had managed to steal the information, more than 1 million students could be at risk. Using the information available, criminals could easily deploy a phishing campaign aimed at stealing credit card information of paying members.
“OneClass users are very young – including minors – and will generally be unaware of most criminal schemes and frauds online,” the researchers added. “This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk.”
Malicious links embedded with various forms of malware could also be sent to unsuspecting students, potentially rendering their devices useless or encrypting their files unless a ransom is paid.