UPDATED 23:06 EST / JUNE 29 2020

SECURITY

Data belonging to 1M students exposed by online study service OneClass

Data belonging to more than one million students in the U.S. and Canada who are users of online study service OneClass have been found exposed online in the latest case of cloud database misconfiguration.

The breach was revealed by security researchers at vpnMentor late last week. The 27-gigabyte database with nearly 9 million records was found on an unsecured Amazon Web Services Inc. Elasticsearch instance. The database included full names, email addresses, schools and universities attended, phone numbers, school enrollment details and OneClass account details.

OneClass, founded in 2010, is a venture capital-backed startup that allows students to collaborate and share study resources, from self-created lecture notes to study guides. The service also offers subject experts who create video tutorials on common subjects.

The database was originally discovered on May 20 and OneClass was contacted on May 25. The database was taken offline May 26. OneClass claims that the database was used for testing purposes only and had no relationship to real individuals. But the vpnMentor researchers contend that that’s not true, noting that they were able to match data in the exposed database to publicly available information.

The exposure, coming as online learning has surged during the COVID-19 pandemic, poses serious security risks given that it included personally identifiable information of students who use the service.

“As remote learning continues to rise due to the pandemic, cyberthreats also increase,” Anurag Kahol, chief technology officer of cloud access security broker Bitglass Inc., told SiliconANGLE. “Schools and universities must take proper measures to keep student data safe in remote environments.”

He added that though there’s no evidence that the data was misused, the temporary exposure still could enable highly targeted phishing attacks that elicit sensitive information from the victims.

Rene Paap, senior product manager at secure access solutions provider Pulse Secure LLC, noted that there have been other breaches of education technology companies, most notably Chegg in late April and Mathway in May.

“Malicious actors have greatly escalated attacks against the education sector, turning unsecured databases into serious threats, particularly as the compromised information makes victims easier targets for phishing schemes,” he said. “Security controls across the edtech supply chain need to adapt to an expanded attack surface as institutions extend e-learning scope options and are targeted.”

Image: OneClass
