Security researchers at WizCase discovered unprotected databases belonging to various e-learning platforms, which were exposed online without password protection. The unencrypted databases leaked personally identifiable information (PII) of over 1 million e-learning platform users. Leaked user data includes names, e-mail addresses, passwords, ID numbers, telephone numbers, home addresses, dates of birth, as well as information related to courses conducted on the e-learning platforms.
The databases were hosted on misconfigured servers, so anyone could access them without authentication. WizCase said it found breaches at five different online educational institutions. The data was stored in four Amazon S3 buckets and on an ElasticSearch server.
The breach identified by WizCase researchers affects 5 different e-learning companies:
- Digital School: Many CSV files containing users' personal data were leaked from this Brazilian e-learning website. The leaked data was collected from 2016 to 2017.
- MyTopDog: The platform, aimed specifically at South African schoolchildren, exposed data from more than 800,000 students, as well as other business information.
- Okoo: The e-learning platform for children exposed almost 1 million entries of user activity.
- Square Panda: The virtual platform, created to help children learn to read and write through various online games, exposed records of over 15,000 users.
- Playground Sessions: The platform, which offers virtual piano lessons, leaked records of more than 4,000 users.
Many of the users affected by the breach are children and young people, and attackers may carry out phishing and fraud attacks using this data.
With the outbreak of the global COVID-19 pandemic, the use of e-learning platforms has increased. As a result, hackers have targeted numerous e-learning portals to steal users' personal information. Recently, the India-based e-learning platform "Unacademy" suffered a data breach that exposed information of 22 million users. Cyber security company Cyble revealed that hackers offered 21,909,707 user records for sale in underground forums for $2,000. The compromised information included usernames, passwords, sign-up dates, last login dates, account status, email addresses, first and last names, and other user account information. The Spanish e-learning platform "8Belts" also suffered a data breach that resulted in the leak of personal data of more than 100,000 e-learners from around the world.