The OneClass app, a Canada-based online learning platform, suffered a data breach after an unsecured Elasticsearch database exposed the personal information of over 1 million students across North America. Security researchers at vpnMentor discovered the leaky database, over 27GB in size, which contained PII and educational data of the students. The researchers detected the data breach on May 20, 2020, and reported it to OneClass authorities. The database is now secured.
“By not securing its users’ data, OneClass has created a goldmine for criminal hackers, jeopardizing the privacy and security of over a million young people and their families,” the researchers said in a statement.
The exposed information included full names, schools and universities attended, email addresses, phone numbers, school and university course enrollment details and OneClass account details. It is estimated that around 8,972,251 student records may have been exposed in the data breach.
“OneClass users are very young – including minors – and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It is also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk. It is also possible that some of the data belongs to minors, as OneClass includes resources for high school students and accepts users from 13 years old and above. Many records also included additional information on individual students and their courses, including faculty details and access to otherwise protected textbooks and question and answer exercises,” researchers added.
Cyberattacks on E-Learning Platforms
There has been a surge in the usage of online learning platforms during the ongoing pandemic. Hackers targeted multiple e-learning portals to steal users’ personal information. In a similar incident, India-based online learning platform Unacademy suffered a data breach that exposed details of 22 million users. Cybersecurity firm Cyble revealed that unknown hackers had put 21,909,707 user records up for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details. Earlier, Spanish e-learning platform 8Belts suffered a data breach that exposed the personal data of over 100,000 e-learners across the globe. According to an investigation report, the 8Belts database was stored on a misconfigured Amazon Web Services (AWS) S3 bucket, which resulted in the data leakage.