Connect with us

Hi, what are you looking for?


Data Protection

e-Learning Platform OneClass Exposed Data on Students, Lecturers

An Elasticsearch database pertaining to e-learning platform OneClass was found to expose data on over one million students and lecturers, vpnMentor reveals.

An Elasticsearch database pertaining to e-learning platform OneClass was found to expose data on over one million students and lecturers, vpnMentor reveals.

Headquartered in Toronto, Canada, the remote learning platform provides students in North America with study guides and educational materials. The company claims to have served over 600,000 students to date.

In May this year, vpnMentor discovered an Elasticsearch database hosted on Amazon Web Services (AWS) that was left completely unsecured, thus allowing anyone with an Internet connection to access the information stored within.

With a size of 27 GB, the database was found to include a total of 8,972,251 records representing information on more than 1 million people. Collected prior to 2019, the data included personally identifiable information (PII) and educational data.

The data stored in the database, vpnMentor says, includes not only information on the platform’s members, but also details of people whose membership was not approved.

The security researchers discovered the exposed database on May 20 and contacted the vendor on May 25. The database was secured the next day.

OneClass, the security firm explains, confirmed that it was the owner of the database, but downplayed the impact, claiming that it was a test server, and that the data stored there “had no relation to real individuals.”

Advertisement. Scroll to continue reading.

“However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database,” vpnMentor says.

Records in the database included PII such as full names and phone numbers, email addresses, information on attended schools and universities, school/university course enrollment details, and other information related to the OneClass account.

In some cases, additional information on students and courses was stored, such as faculty details, and access to protected textbooks and exercises. Most of the data on OneClass is free, but some content is available to paying users only.

“It’s also possible that some of the data belongs to minors, as OneClass includes resources for high school students and accepts users from 13 years old and above,” the security firm says.

The exposed information, vpnMentor says, could prove a boon for phishers and other threat actors, assuming that the database was accessed by malicious hackers during the time it was exposed.

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment

Related: Microsoft Exposed 250 Million Customer Support Records

Related: Unprotected Database Exposed 5 Billion Previously Leaked Records

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...