UPDATED 23:06 EDT / JUNE 29 2020

SECURITY

Data belonging to 1M students exposed by online study service OneClass

Data belonging to more than one million students in the U.S. and Canada who are users of online study service OneClass have been found exposed online in the latest case of cloud database misconfiguration.

The breach was revealed by security researchers at vpnMentor late last week. The 27-gigabyte database with nearly 9 million records was found on an unsecured Amazon Web Services Inc. Elasticsearch instance. The database included full names, email addresses, schools and universities attended, phone numbers, school enrollment details and OneClass account details.

OneClass, founded in 2010, is a venture capital-backed startup that allows students to collaborate and share study resources, from self-created lecture notes to study guides. The service also offers subject experts who create video tutorials on common subjects.

The database was originally discovered on May 20 and OneClass was contacted on May 25. The database was taken offline May 26. OneClass claims that the database was used for testing purposes only and had no relationship to real individuals. But the vpnMentor researchers contend that that’s not true, noting that they were able to match data in the exposed database to publicly available information.

The exposure, coming as online learning has surged during the COVID-19 pandemic, poses serious security risks given that it included personally identifiable information of students who use the service.

“As remote learning continues to rise due to the pandemic, cyberthreats also increase,” Anurag Kahol, chief technology officer of cloud access security broker Bitglass Inc., told SiliconANGLE. “Schools and universities must take proper measures to keep student data safe in remote environments.”

He added that though there’s no evidence that the data was misused, the temporary exposure still could enable highly targeted phishing attacks that elicit sensitive information from the victims.

Rene Paap, senior product manager at secure access solutions provider Pulse Secure LLC, noted that there have been other breaches of education technology companies, most notably Chegg in late April and Mathway in May.

“Malicious actors have greatly escalated attacks against the education sector, turning unsecured databases into serious threats, particularly as the compromised information makes victims easier targets for phishing schemes,” he said. “Security controls across the edtech supply chain need to adapt to an expanded attack surface as institutions extend e-learning scope options and are targeted.”
