Researchers find user data exposed on LectureNotes learning app

Misconfigured database was leaking data of more than 2 million users


The database exposed a trove of personal details, including usernames, full names, email addresses, and encrypted passwords

A significant data leak has affected the LectureNotes learning app, leaving over two million users' personal information exposed due to a misconfigured database. Established in 2017, LectureNotes has been at the forefront of providing online notes to undergraduate students.

The platform, available across web, Android, and iOS platforms, offers a plethora of services including handwritten notes via LectureNotes, live learning through LecturePrime, AI-driven content personalization via LectureRooms, institutionalized courses via Lecture Academy, and video conferencing infrastructure via LectureRemote.

One of LectureNotes' core objectives, according to the company, is to foster localised learning ecosystems through a community-building approach. The platform boasts a user base of over 2 million and a staggering 3 million pages of content.

In December 2023, Cybernews researchers stumbled upon a misconfigured MongoDB database linked to LectureNotes.

The database was found to be updating in real-time and inadvertently divulged sensitive user and administrative data.

A staggering 2,165,139 user records were exposed, comprising a trove of personal details, including usernames, full names, email addresses, encrypted passwords, phone numbers, IP addresses, user-agent information, and session tokens.

Moreover, critical admin authorisation data, such as IDs and secrets, found its way into the exposed dataset.

The leak poses severe risks, with researchers at Cybernews warning of potential exploitation of session tokens to gain unauthorized access to user accounts without requiring passwords. Additionally, leaked admin credentials could empower cyber attackers to execute ransomware attacks, phishing schemes, and other malicious activities, endangering the integrity and security of the platform.

Following responsible disclosure, LectureNotes addressed the issue within two days.

Attributing the breach to a misconfigured MongoDB database left public, researchers stressed the importance of robust authentication and access controls to prevent such incidents. They advise MongoDB administrators to enforce stringent security measures, including enabling authentication, implementing strong passwords, and employing keyfile authentication to bolster security.
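As an added illustration of the hardening steps the researchers list (this is not code from Cybernews or LectureNotes), the following script audits a `mongod.conf` for disabled access control, a listener bound to all interfaces, and a replica set without a keyfile. The two sample configurations and the keyfile path are constructed for the example; the option names are MongoDB's standard configuration-file settings.

```python
# Constructed sample configs (not taken from the incident).
EXPOSED = """
net:
  port: 27017
  bindIp: 0.0.0.0
replication:
  replSetName: rs0
"""
HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile   # hypothetical path
replication:
  replSetName: rs0
"""

def parse_conf(text):
    """Flatten block-style 'section:/  key: value' YAML into {'section.key': value}.
    Handles only nested mappings as used in mongod.conf, not general YAML."""
    flat, stack = {}, []  # stack: (indent, key) of currently open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    conf, findings = parse_conf(text), []
    # A keyFile also turns on client access control, so either setting counts.
    if conf.get("security.authorization") != "enabled" and "security.keyFile" not in conf:
        findings.append("access control off: clients can connect without credentials")
    binds = [b.strip() for b in conf.get("net.bindIp", "localhost").split(",")]
    if conf.get("net.bindIpAll") == "true" or {"0.0.0.0", "::"} & set(binds):
        findings.append("listener bound to all interfaces")
    if "replication.replSetName" in conf and "security.keyFile" not in conf:
        findings.append("replica set members not authenticated (no security.keyFile)")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```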

Furthermore, researchers emphasise the necessity of monitoring solutions to detect anomalous activity and potential security threats promptly, urging organisations to set up alerts for suspicious events to enable swift intervention.

MongoDB, renowned for its flexible data storage format akin to JSON, is a popular choice for NoSQL database solutions. However, its default configurations often lack robust security features, making it susceptible to misconfigurations and subsequent data leaks.

According to researchers, misconfigured databases exposing sensitive information about companies or people has become an all-too-common occurrence.

In September last year, a misconfigured link enabled public access to 38TB of Microsoft's confidential data from two employees' workstations, opening up the potential for injecting malicious code into Microsoft's AI models.

In 2019, an unsecured Elasticsearch database belonging to Honda Motor Company was found exposing sensitive information about the company's internal systems and device data.

In 2020, Virgin Media admitted to a 10-month long data breach that occurred as a result of a misconfigured marketing database.
