e-Learning Platform OneClass Exposed Data on Students, Lecturers

An Elasticsearch database pertaining to e-learning platform OneClass was found to expose data on over one million students and lecturers, vpnMentor reveals.

An Elasticsearch database pertaining to e-learning platform OneClass was found to expose data on over one million students and lecturers, vpnMentor reveals.

Headquartered in Toronto, Canada, the remote learning platform provides students in North America with study guides and educational materials. The company claims to have served over 600,000 students to date.

In May this year, vpnMentor discovered an Elasticsearch database hosted on Amazon Web Services (AWS) that was left completely unsecured, thus allowing anyone with an Internet connection to access the information stored within.

With a size of 27 GB, the database was found to include a total of 8,972,251 records representing information on more than 1 million people. Collected prior to 2019, the data included personally identifiable information (PII) and educational data.

The data stored in the database, vpnMentor says, includes not only information on the platform’s members, but also details of people whose membership was not approved.

The security researchers discovered the exposed database on May 20 and contacted the vendor on May 25. The database was secured the next day.

OneClass, the security firm explains, confirmed that it was the owner of the database, but downplayed the impact, claiming that it was a test server, and that the data stored there “had no relation to real individuals.”

“However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database,” vpnMentor says.

Records in the database included PII such as full names and phone numbers, email addresses, information on attended schools and universities, school/university course enrollment details, and other information related to the OneClass account.

In some cases, additional information on students and courses was stored, such as faculty details, and access to protected textbooks and exercises. Most of the data on OneClass is free, but some content is available to paying users only.

“It’s also possible that some of the data belongs to minors, as OneClass includes resources for high school students and accepts users from 13 years old and above,” the security firm says.

The exposed information, vpnMentor says, could prove a boon for phishers and other threat actors, assuming that the database was accessed by malicious hackers during the time it was exposed.

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment

Related: Microsoft Exposed 250 Million Customer Support Records

Related: Unprotected Database Exposed 5 Billion Previously Leaked Records

view counter

Original Link