WizCase researchers have stumbled upon five leaky e-learning websites that exposed the personal information of nearly 1 million users, including minors. Each exposed database was housed on misconfigured and unsecured servers, allowing unauthorized access to sensitive information.
Cybersecurity researchers noted that the platforms were predominantly used by underage people, and the exposed data included full names, email addresses, ID numbers, phone numbers, home addresses and date of birth and school or course information.
Escola Digital, a Brazilian website offering a wide range of digital courses for both students and teachers was found leaking the personal records of nearly 75,000 active users between 2016 and 2017. On top of personal identifiable information, the misconfigured bucket included links to certificates of users who attended the platform’s online classes.
MyTopDog, a South African children-oriented study platform providing practice tests and interactive games, exposed over 800,000 student records, courtesy of a misconfigured Amazon S3 bucket. Within a 50MB database, researchers discovered various types of data:
• An Excel file containing 50,000 entries of PII of users registered in 2016-2017
• A CSV file with 800,000 user entries with full names, cellphone numbers, date of birth, gender and guarding contact information
• PDF file that seemed to be part of business agreement between the e-learning platform and a local school
Okoo, an online learning platform for children in Kazakhstan, exposed 7,200 user records that included PII and nearly 1 million entries regarding user activity on the platform and analytics. The misconfigured 418 MB database revealed PII such as full names, clear-text passwords, email addresses, completed courses, and quiz scores of students. Additionally, researchers found an entry that appeared to include admin credentials.
“However, those weren’t tested for ethical reasons,” the team of investigators said. “This poses multiple threats to the site and its users as attackers could use administrative login details to manipulate Okoo content and easily access extensive user data.”
Square Panda, a US-based virtual platform that helps children learn how to read and write, exposed the information of nearly 15,000 users. A MB CVS file stored a backup users’ personal data, including full names, email addresses, phone numbers, and account type (parent or teacher).
Playground Sessions, a virtual piano lesson platform in the United States, revealed the private information of around 4,100 users registered between 2011 and 2013. Besides full names, usernames, emails and hashed passwords, the leak included app scores, lessons and practice records.
Researchers warn that the risks for parents, students and teachers to fall victim to identity theft or fraud are high.
“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” the investigators said. “However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”