Researchers at vpnMentor have discovered a data leak affecting over 100,000 students of the world-renowned education platform McGraw Hill.
The data breach stemmed from two unsecured Amazon Web Services (AWS) S3 buckets belonging to the online education platform that were found leaking over 22 TB of data and over 117 million files.
The buckets included “one production bucket with more than 47 million files and 12TB+ of data, as well as one non-production bucket with more than 69 million files and 10TB+ of data,” according to the researchers who discovered them. “In total, the buckets contained more than 22 TB of data and over 117 million files.”
The researchers uncovered the leaky databases on June 12, and reported that the exposed information includes:
The report also warns that, although no malicious access to the unsecured buckets was detected, “the exposed data would have been enough for skilled hackers to commit many of the most common forms of fraud or online attack against the students exposed.”
This includes identity theft, doxing, targeted phishing attacks and harassment. In the case of phishing, threat actors could have leveraged the exposed data to trick students into giving out additional PII and financial information or downloading malicious software onto their devices.
An analysis of a small batch of student records also allowed investigators to find the social media profiles of students, which means that anyone with malicious intent could have done the same.
“This breach from McGraw Hill was significant in both the amount of data exposed, as well as the number of people and organizations it could affect,” vpnMentor said. “If malicious or criminal actors discovered the exposed data, it could bring harm to students, teachers, universities, and McGraw Hill itself.”
Sensitive files were removed from the public buckets on July 20, and researchers advise students or individuals who are concerned about the breach and how it may directly impact their privacy to reach out to McGraw Hill for more information.
Bitdefender offers comprehensive identity protection solutions that immediately alert you when your personal information is at risk and helps you prevent damages and financial losses associated with identity theft.