Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Over 2.1m exposed in learning app breach

A data leak on a major learning application has resulted in the data of 2 million users being exposed.

user icon Daniel Croft
Fri, 09 Feb 2024
Over 2.1m exposed in learning app breach
expand image

The research team for cyber security publication Cybernews discovered that the learning app LectureNotes exposed the personal and access data of users and administrators of the application as a result of a misconfigured MongoDB database. This resulted in the database being publicly accessible.

Researchers from Cybernews said that this could have been prevented with simple authentication measures.

“The rule of thumb for MongoDB administrators is always to enable authentication and ensure that only authorised users can access the database. Using strong passwords and keyfile authentication improves security,” said Cybernews researchers.

============
============

A total of 2,165,139 users had their data compromised in the leak, with data including full name, username, phone number, email, encrypted password, IP address, user-agent, session tokens and in some cases, admin authorisation details such as IDs and “secrets”.

“The exposure of session tokens poses a severe threat, potentially allowing a potential attacker to illicitly access user sessions without requiring passwords,” wrote Cybernews researchers.

“Furthermore, the compromised administrator authorisation details, including IDs and secrets, elevate the risk by providing unauthorised access to privileged accounts, possibly leading to malicious activities and unauthorised control over the platform’s functionalities.”

With the stolen session tokens, hackers would be able to access user sessions without password authentication.

Additionally, the admin credentials would allow threat groups to inject malware and deploy other attacks, such as phishing and ransomware.

Cybernews researchers added that MongoDB databases have poor default security options, and this is overlooked.

Researchers from the publication recommend users implement solutions that monitor security issues.

LecutreNotes has been downloaded over half a million times on the Google Play Store and allows students, teachers and educational institutions to share notes peer to peer.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.