What’s Happening with eLearning Companies?
eLearning websites have been growing in popularity as they provide an entertaining and fun way for children and teenagers to learn. However, because some of these platforms are used predominantly by underage users, it’s important for companies to recognize how much appropriate data protection matters. Children’s data protection should be the utmost priority for every company collecting sensitive information from users under the age of 18. Unfortunately, it seems that not all businesses understand the seriousness and dangers of mishandling such information. The exposed data included:
Whose Data Was Exposed?
The WizCase hacktivist team uncovered multiple open servers belonging to 5 popular educational platforms.
1. Escola Digital — Online Digital Courses
Escola Digital is a Brazilian website which offers digital courses. It’s predominantly aimed at children and young people, but can also be used by adults. The exposed bucket, alongside the specific data, names, and logos stored within the files, showed a clear connection to the Escola Digital website. However, the breach didn’t include the most recent information; the data found consisted of files collected in 2016 and 2017. The misconfigured bucket contained several CSV files with users’ personally identifiable information (PII), such as full names, email addresses, Brazilian ID numbers, school names, position held (i.e. student or teacher), phone numbers, home addresses, and links to certificates of users who finished Escola Digital courses.
2. MyTopDog — Children-Orientated Study Platform
MyTopDog is an online website with personalized learning courses for school-aged children. It allows each student to study at their own pace while providing multi-sensory lessons, practice tests, and interactive games. We found 4 types of data exposed:
- 50,000 entries in an Excel file with PII of users who registered in 2016-2017, but are described as inactive on the platform
- 14,000 entries within the same Excel file with data of users who registered in 2016-2017 and are described as active on the platform
- A CSV file with nearly 800,000 user entries with their full names, cell phone numbers, date of birth, gender, and guardian contact details. The file also stored several backups of the exposed information from December 2019 to March 2020.
- A PDF file that seems to be a part of a business agreement between MyTopDog and Vodacom, alongside confidential Vodacom files.
3. Okoo — Online Learning Platform for Children
Okoo provides an e-learning programming platform for students in Kazakhstan. The courses are available in Russian and can be used for both individual learning and group classes. Approximately 7,200 user records exposed in the leak revealed PII, like full names, cleartext passwords, email addresses, completed courses, and quiz scores. However, almost 1,000,000 records found included users’ interaction with the site, such as quiz participation, results, analytic tracking of users, and general course information. The vulnerability also exposed an entry that seemed to include admin credentials; however, those weren’t tested for ethical reasons. This poses multiple threats to the site and its users, as attackers could use administrative login details to manipulate Okoo content and easily access extensive user data.
4. Square Panda — Educational Phonics Learning Online System
Square Panda is a virtual platform launched to help children learn how to read and write through various online games and multisensory kits available for home use. The site provides a cloud-based monitoring system that allows parents and teachers to track everyone’s progress and plan next learning steps. Around 15,000 entries were found in an exposed CSV file stored within the open bucket. The file held a backup of users’ personal data, including full names, email addresses, phone numbers, and their account type (parent or teacher).
5. Playground Sessions — Virtual Piano Lessons for Everyone
Playground Sessions Inc. is an American website which offers virtual piano lessons. Endorsed by many celebrities, such as its co-founder Quincy Jones and Harry Connick Jr, the platform provides a fun and interactive music experience for users of all ages. The breach exposed users’ private information, including their full names, usernames, emails, hashed passwords, and app scores earned through piano lessons. The CSV file with the leaked data seems to be the platform’s backup from 2011-2013.
What Are the Consequences of These Leaks?
As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information. However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people. There are several possible dangers that could arise if an attacker obtained the vulnerable data. These include, but are not limited to:
It’s clear to see that whenever you decide to share your personal information online, you lose all control over who can access it. Regardless of extensive privacy protection policies and deleting your accounts, that data can still be kept and stored without your knowledge. And if it still exists on the server, it’s always possible it’ll be involved in a data leak.
Here’s How to Protect Your Private Information
You can never be 100% confident your data will be kept safe, no matter how trustworthy a website may seem. Luckily, there are many steps you can take to protect your personal information online and guard it against accidental server leaks.
1. Regularly Check Account for Unusual Activity
Monitoring your accounts for unusual activity is the best way to see whether your data has been stolen. The changes might be small and almost unnoticeable at first, so pay extra attention even to the slightest details. Should you find something you don’t recognize, report it and, if possible, change your password or add two-factor authentication. To add an extra layer of protection, always use strong passwords and store them in a password manager.
2. Avoid Opening Links Attached in Suspicious Emails
Unless you’re fully confident the email was sent by one of the educational platforms, don’t click on any links or attachments in the message. Very often, they will direct you to malicious sites or will download malware on your device straight away. If you receive an unexpected email, check for minor variations in the sender address; it may appear genuine at first, but upon further inspection differ from the original. Additionally, contact the company it appears to be from and confirm the source of the email. Only then can you safely open the links and attachments.
3. Never Share Additional Personal Information Online or on the Phone
Scammers are most likely to contact you in a way that doesn’t require an additional form of identification, for example through emails or phone calls. That’s why it’s crucial to refrain from giving any information to someone you don’t know or can’t fully identify. Remember that reputable institutions, like banks or insurance companies, would never request personal details in such insecure ways. Should you doubt whether the person is genuine, make sure to check with the actual company to verify the nature of the call or email before giving out your private data.
Why Should I Trust WizCase?
WizCase is an online cybersecurity leader. We’ve gained trust from readers all over the world through consistently providing top quality tips on improving your internet safety. Our team regularly uncovers data breaches, including previous data security issues in the education sector and medical data leaks. In order to protect the exposed user data, we always contact the vulnerable companies prior to publishing each report. Unfortunately, despite our efforts, companies often choose to ignore our warnings. In this case, we contacted local Cyber Incident Response Teams (CERT) in each country, which assisted us in securing some of the leaks and reaching out to the companies. We hope that publishing this report will encourage the companies involved to secure the breaches.