1 million students exposed in massive study-guide data leak

The personal information of more than one million students, mostly in North America, who use a Canadian study-aid service could have been accessed by anyone as a result of an improperly secured online database.

The data leak affected e-learning platform OneClass, which offers class notes and study guides. A database comprising 8.9 million records and 27GB of data was put at risk.

The breach was discovered by researchers at VPNMentor in May. 

“By not securing its users’ data, OneClass created a goldmine for criminal hackers, jeopardizing the privacy and security of over a million young people and their families,” the VPNMentor report said.

The database, which used the Elasticsearch framework and was hosted on Amazon Web Services, included the personally identifiable information of current students, rejected students and academics.

Huge leak

The records involved in the leak included full names, email addresses, schools and universities attended, phone numbers, course enrollment details and OneClass account details.

What’s even more alarming is that the leak may have impacted minors, with the researchers pointing out that OneClass “includes resources for high school students and accepts users from 13 years old and above.”

Luckily, the database does not appear to have been accessed by cybercriminals. But the researchers warned that if it had been, then anyone who had access to the data could have gone on to “pursue a wide range of illegal activities,” including staging phishing campaigns. 

“As OneClass has a paid subscription plan for premium content and resources, hackers could use this to their advantage when coercing someone into providing any financial information,” the VPNMentor report warned.

“Furthermore, OneClass users are very young -- including minors -- and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk.”

Taking action

The researchers have made OneClass aware of the breach.

“In response, OneClass immediately secured the database but claimed that it was a test server, and any data stored within had no relation to real individuals,” the researchers said.

“However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database.”

According to VPNMentor, OneClass could have avoided the breach by “securing its servers, implementing proper access rules and never leaving a system that doesn’t require authentication open to the internet”.

It urged customers worried by the breach to “contact the company directly to determine what steps it’s taking to protect your data”.
