OneClass unsecured S3 bucket exposes PII on more than one million students, instructors

An unsecured database belonging remote learning platform OneClass has exposed information associated with more than a million students in North America who use the platform to access study guides and educational assistance.

“By not securing its users' data, OneClass has created a goldmine for criminal hackers, jeopardizing the privacy and security of over a million young people and their families,” according to a report from researchers led by Noam Rotem and Ran Locar at vpnMentor.

Info exposed included full names, email addresses (some masked), schools and universities attended, phone numbers, school and university course enrollment details and OneClass account details.

“Hackers can extract value from PII in many ways; specifically here, getting such a huge database of people who are making online purchases is a valuable commodity in the cybercriminal community,” the researchers told SC Media. “This information can be used to pivot to other online services the users are using, and exploit them as well.”

The vpnMentor researchers discovered the database on May 20 and contacted the vendor on May 25. OneClass responded a day later and took down the database, claiming that it was a test server whose data “had no relation to real individuals,’ the researchers wrote. But that claim doesn’t gibe with the researchers’ findings.

“The exposed database was built on an Elasticsearch framework and it was hosted on AWS, but left completely unsecured,” vpnMentor said. “It contained over 27 GB of data, totaling 8.9 million records, and exposed over one million individual OneClass users.”

During their investigation, they “had used publicly available information to verify a small sample of records in the database,” the researchers wrote, and were able to use the PII data to find “the social profiles of lecturers and other users on various platforms that matched the records in OneClass's database,” casting doubt on the e-learning company’s claim. “We can't know what they were thinking, but we can assume, based on previous experience, many companies use live data in their development and staging environments, and treat it less securely although it's real live data,” the researchers told SC Media. “All the data we checked was linked to real people, both for professors and students/users.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.