Security researchers from SafetyDetectives discovered an unsecured Elasticsearch server belonging to an Indian e-learning platform Edureka, which exposed the personal information of around 2 million users. The researchers stated that the server was left online without password protection, allowing open access to the information in it.
The researchers found the vulnerability on August 1, 2020, with prominent security flaws. The leaky database was secured after SafetyDetectives reported the issue to the Indian Computer Emergency Response Team (CERT-In). The server, located in the U.S. and hosted by AWS, exposed more than 45 million records totaling to 27 gigabytes, including first names, email addresses, phone numbers, country of residence, login activity records, Auth token information, and courses/information users had accessed previously.
The Breach Impact
The data breach could impact users if the exposed information falls into the wrong hands. Cybercriminals could exploit the stolen personal information to launch various socially engineered attacks and phishing scams.
“Users’ contact details could be harnessed to conduct a wide variety of scams while personal information from the leak could be used to encourage click-throughs and malware downloads. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger magnitude intrusion in the future. With access to highly sensitive information, Edureka’s compromised server security could have been devastating to entire organizations such as other universities, companies, or government departments,” SafetyDetectives said.
E-Learning Platforms @ Risk
There has been a surge in the usage of online learning platforms during the ongoing pandemic. In the recent past, hackers targeted multiple e-learning portals to steal users’ personal information. India-based online learning platform Unacademy also suffered a data breach that exposed details of 22 million users. Cybersecurity firm Cyble revealed that the unknown hackers kept 21,909,707 user records for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details. Earlier, a Spanish e-Learning platform 8Belts suffered a data breach that exposed personal data of over 100,000 e-learners across the globe.