"Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.
The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.
The personal information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.
WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.
“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.
“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”
The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.
South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.
Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round-out the affected platforms.