Security researchers from WizCase discovered unprotected databases belonging to multiple e-learning platforms that were exposed online without password protection. The unencrypted databases leaked personally identifiable information (PII ) such as names, emails, passwords, ID numbers, contact numbers, addresses, birth dates, course details, and school information, of one million users.
The databases were hosted on misconfigured servers, which allowed anyone to access it without any authentication. WizCase stated that it found five breaches from separate online educational institutions across the globe. The data was stored and managed on four Amazon S3 buckets and one ElasticSearch server.
According to WizCase, the five e-learning platforms that suffered data breaches include:
- Escola Digital, a Brazil-based online learning platform, suffered a data leak that exposed over 75,000 private records (15MB) of students and teachers.
- South Africa-based online learning platform MyTopDog lost over 800,000 students’ personal records (40-50MB).
- Okoo, a Kazakhstan-based online course portal, lost around 7,200 records (418MB) that held students’ personally identifiable information and administrative data.
- The U.S.-based online education platform Square Panda lost around 15,000 personal records (1MB) of parents and teachers.
- S.-based virtual learning platform Playground Sessions’ data leak exposed nearly 4,100 user records (1.2MB).
The vulnerable data poses myriad cyberthreats and can be used in several online crimes, since many of the affected users are children and young people. Threat actors can use the leaked data to launch various attacks like identity theft, stalking, blackmailing, and phishing scams.
Cyberattacks on E-Learning Platforms Rise
There has been a surge in the usage of online learning platforms during the ongoing pandemic. Hackers targeted multiple e-learning portals to steal users’ personal information. Recently, India-based online learning platform Unacademy suffered a data breach that exposed details of 22 million users. Cybersecurity firm Cyble revealed that the unknown hackers kept 21,909,707 user records for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details. Earlier, a Spanish e-Learning platform 8Belts suffered a data breach that exposed personal data of over 100,000 e-learners across the globe.
