According to Comparitech’s security researchers, the online education platform K12.com unintentionally exposed the personal information of nearly 7 million students this week. The exposed database contains the full name, email address, date of birth and gender identity, as well as the school where the student is enrolled, as well as access to the account’s authentication key and other internal data.
This information has been available online for more than a week, and it is unclear whether the database is accessed or accessed by malicious actors. According to researchers who discovered data exposure, the issue affected K12.com’s A+nyWhere Learning System (A + LS), which is used by more than 1,100 school districts in the United States.
A database configuration error may be the reason why it can be publicly accessed and discovered on BinaryEdge and Shodan, which are specifically indexed for public-facing databases. The exposure found on June 25, first occurred on June 23 and was not repaired until July 1.
The misconfiguration of databases that expose a large amount of personal information collected and held by companies has become very common in recent years. In recent months, the public-facing database has exposed a large number of contact information for Instagram celebrity accounts, medical records for rehabilitated patients, and more.