Researchers find user data exposed on LectureNotes learning app

Misconfigured database was leaking data of more than 2 million users

The database exposed a trove of personal details, including usernames, full names, email addresses, and encrypted passwords

A significant data leak has affected the LectureNotes learning app, leaving over two million users' personal information exposed due to a misconfigured database. Established in 2017, LectureNotes has been at the forefront of providing online notes to undergraduate students.

The platform, available across web, Android, and iOS platforms, offers a plethora of services including handwritten notes via LectureNotes, live learning through LecturePrime, AI-driven content personalization via LectureRooms, institutionalized courses via Lecture Academy, and video conferencing infrastructure via LectureRemote.

One of LectureNotes' core objectives, according to the company, is to foster localised learning ecosystems through a community-building approach. The platform boasts a user base of over 2 million and a staggering 3 million pages of content.

In December 2023, Cybernews researchers stumbled upon a misconfigured MongoDB database linked to LectureNotes.

The database was still being updated in real time and inadvertently exposed sensitive user and administrative data.

A staggering 2,165,139 user records were exposed, comprising a trove of personal details, including usernames, full names, email addresses, encrypted passwords, phone numbers, IP addresses, user-agent information, and session tokens.

Moreover, critical admin authorisation data, such as IDs and secrets, found its way into the exposed dataset.

The leak poses severe risks, with researchers at Cybernews warning of potential exploitation of session tokens to gain unauthorized access to user accounts without requiring passwords. Additionally, leaked admin credentials could empower cyber attackers to execute ransomware attacks, phishing schemes, and other malicious activities, endangering the integrity and security of the platform.

Following responsible disclosure, LectureNotes addressed the issue within two days.

Attributing the breach to a misconfigured MongoDB database that had been left publicly accessible, the researchers stressed the importance of robust authentication and access controls to prevent such incidents. They advise MongoDB administrators to enforce stringent security measures, including enabling authentication, requiring strong passwords, and employing keyfile authentication.
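As an added illustration of the hardening the researchers recommend, the following POSIX shell script audits a mongod.conf for the three controls named above (authentication enabled, a keyfile configured, and a bind address that is not every interface) and runs the audit against a deliberately weak config beside a hardened one. This is example code written for this page, not LectureNotes' or Cybernews' own; both config files, the paths and the 10.0.0.5 address in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from LectureNotes/Cybernews:
# a small audit of a mongod.conf (YAML) for the three controls the
# researchers named, run against two constructed config files.

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed "before": no security section at all and a bind to every
# interface. With this file, anyone who can reach TCP/27017 can read
# and write every collection without a password.
cat > "$WEAK_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# Constructed "after": role-based authorization on, a keyfile so
# replica-set members authenticate to each other, and listeners only
# on loopback and one private address (10.0.0.5 is a placeholder).
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile
EOF

# conf_value FILE SECTION KEY
# Prints the value of a two-level "section:\n  key: value" entry, or
# nothing if absent. A deliberately minimal YAML reader: enough for the
# flat, two-level layout of a typical mongod.conf, not a general parser.
conf_value() {
    awk -v sec="$2" -v key="$3" '
        /^[A-Za-z]/ { cur = $1; sub(/:$/, "", cur) }
        /^[ \t]+[A-Za-z]/ && cur == sec {
            k = $1; sub(/:$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^:]*:[ \t]*/, "", v); gsub(/"/, "", v)
                print v
            }
        }' "$1"
}

# audit_mongod_conf FILE
# Prints one "FINDING: ..." line per missing control, then a summary.
audit_mongod_conf() {
    findings=0

    if [ "$(conf_value "$1" security authorization)" != "enabled" ]; then
        echo "FINDING: security.authorization is not 'enabled' (no authentication required to read data)"
        findings=$((findings + 1))
    fi

    if [ -z "$(conf_value "$1" security keyFile)" ]; then
        echo "FINDING: security.keyFile is not set (replica-set members do not authenticate to each other)"
        findings=$((findings + 1))
    fi

    bind=$(conf_value "$1" net bindIp)
    open_to_all=no
    case "$bind" in *0.0.0.0*) open_to_all=yes ;; esac
    if [ "$(conf_value "$1" net bindIpAll)" = "true" ]; then open_to_all=yes; fi
    if [ "$open_to_all" = "yes" ]; then
        echo "FINDING: mongod listens on every interface (net.bindIp=${bind:-unset}); bind to loopback/private addresses only"
        findings=$((findings + 1))
    fi

    echo "$1: $findings finding(s)"
}

# count_findings FILE -> number of FINDING lines (0 when the file passes)
count_findings() {
    audit_mongod_conf "$1" | grep -c '^FINDING' || true
}

echo "== weak config =="
audit_mongod_conf "$WEAK_CONF"
echo "== hardened config =="
audit_mongod_conf "$HARDENED_CONF"
```

One ordering caveat when applying the hardened settings to a live server: create the first administrative user before turning on `security.authorization`, because once it is enabled every connection must present credentials (MongoDB's localhost exception exists precisely to allow that first user to be created).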

Furthermore, researchers emphasise the necessity of monitoring solutions to detect anomalous activity and potential security threats promptly, urging organisations to set up alerts for suspicious events to enable swift intervention.
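To make the monitoring advice concrete, here is an added example (written for this page, not code from the article, LectureNotes or Cybernews) of three shell checks over MongoDB's structured JSON log: failed-authentication counts per client, a brute-force alert above a threshold, and accepted connections from outside an expected address prefix. The eight log lines are constructed in the shape of mongod's JSON log format; the addresses, connection ids and user names in them are invented.

```shell
#!/bin/sh
# Added example, not from the article: three shell checks over MongoDB
# structured (JSON) log lines, the kind of "alert on suspicious events"
# the researchers call for. The log below is constructed for this
# example in the shape of mongod's JSON log; no real client is involved.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

cat > "$LOG" <<'EOF'
{"t":{"$date":"2024-02-28T09:14:02.113+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.7:40001","connectionId":12,"connectionCount":3}}
{"t":{"$date":"2024-02-28T09:14:02.201+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn12","msg":"Successfully authenticated","attr":{"principalName":"app","authenticationDatabase":"notes","client":"10.0.0.7:40001"}}
{"t":{"$date":"2024-02-28T09:15:40.009+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.9:51122","connectionId":13,"connectionCount":4}}
{"t":{"$date":"2024-02-28T09:15:40.120+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","client":"203.0.113.9:51122","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2024-02-28T09:15:41.377+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","client":"203.0.113.9:51123","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2024-02-28T09:15:42.590+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn15","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"root","authenticationDatabase":"admin","client":"203.0.113.9:51124","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2024-02-28T09:20:05.004+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn16","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app","authenticationDatabase":"notes","client":"10.0.0.7:40002","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2024-02-28T09:21:17.880+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.4:60000","connectionId":17,"connectionCount":4}}
EOF

# auth_failures_by_client LOG
# Prints "<count> <ip>" per client address, most failures first. The
# address is pulled out of attr.client with sed; IPv4 only for brevity.
auth_failures_by_client() {
    grep '"msg":"Authentication failed"' "$1" \
      | sed -n 's/.*"client":"\([^:"]*\):[0-9]*".*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# alert_brute_force LOG THRESHOLD
# Prints each client address with at least THRESHOLD failed logins.
alert_brute_force() {
    auth_failures_by_client "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# connections_outside_allowlist LOG PREFIX
# Prints (once each) the remote addresses of accepted connections whose
# address does not start with PREFIX, e.g. "10.0." for an internal range.
connections_outside_allowlist() {
    grep '"msg":"Connection accepted"' "$1" \
      | sed -n 's/.*"remote":"\([^:"]*\):[0-9]*".*/\1/p' \
      | awk -v p="$2" 'index($0, p) != 1' | sort -u
}

echo "== failed logins per client =="
auth_failures_by_client "$LOG"
echo "== clients with 3 or more failures (alert) =="
alert_brute_force "$LOG" 3
echo "== connections from outside 10.0.0.0/16 (alert) =="
connections_outside_allowlist "$LOG" 10.0.
```

In production the same three checks would run on the file named by `systemLog.path` (or on the lines once shipped to a SIEM); the point of the example is that a misconfigured, internet-reachable instance shows up in these logs first as connections from unexpected sources and then as a burst of failed logins against administrative accounts, both of which are cheap to alert on.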

MongoDB, known for its flexible JSON-like document storage format, is a popular choice among NoSQL databases. However, its default configuration often lacks robust security controls, leaving it prone to misconfiguration and subsequent data leaks.

According to the researchers, misconfigured databases exposing sensitive information about companies or individuals have become an all-too-common occurrence.

In September last year, a misconfigured link enabled public access to 38TB of Microsoft's confidential data from two employees' workstations, opening up the potential for injecting malicious code into Microsoft's AI models.

In 2019, an unsecured Elasticsearch database belonging to Honda Motor Company was found exposing sensitive information about the company's internal systems and device data.

In 2020, Virgin Media admitted to a 10-month long data breach that occurred as a result of a misconfigured marketing database.
