Higher education institutions have embraced online platforms to facilitate communication and collaboration among students, faculty, and alumni. However, with convenience comes risk, and this risk has been starkly highlighted by a recent discovery made by CloudDefense.AI.
The Unsecured Database: How Did It Happen?
An unsecured database containing personal information of millions of users of a higher education social platform was recently discovered by a security researcher. The social platform, formerly known as CampusKudos and now called PeopleGrove, left an internal database exposed to the internet without a password, allowing anyone with knowledge of its IP address to access the data using a web browser.
Database Exposed
The exposed database contained gigabytes of personal information, including email addresses, phone numbers, addresses, details of university achievements and scores, and resumes containing detailed work histories and employment details. Shockingly, none of the exposed data was encrypted, making it easy for anyone to access and steal sensitive personal information.
CloudDefense.AI’s Discovery and Response
CloudDefense.AI security researcher, Anurag Sen, discovered the database on Thursday and immediately contacted TechCrunch, who then notified PeopleGrove. The server hosting the database became inaccessible soon after.
PeopleGrove’s Chief Technology Officer, Reilly Davis, confirmed that the database was for their development servers and that most of the data was non-production test data. However, it’s still unclear why the test database contained real people’s information, and the company is currently investigating how and why the database became accessible from the internet.
TechCrunch Verified
TechCrunch verified the exposed data by matching contact information using public records, social media profiles, and career social networks like LinkedIn. Shockingly, some of the exposed information included details of a user’s former top secret security clearance and personal contact information, including home address, personal email, and phone number.
PeopleGrove’s Website Claim
At the time of discovery, the database had more than 25 million logs, while PeopleGrove’s website claims to have more than 20 million users. PeopleGrove’s CTO, Davis, has promised to notify affected users “if we do find their sensitive data was exposed” and said that the company has implemented logging within its Google Cloud environment to determine what data may have been accessed or exfiltrated.
This recent incident highlights the importance of proper security measures when storing sensitive personal information. It also serves as a warning to companies to regularly check and monitor their databases for any vulnerabilities that could lead to data breaches.
Conclusion
The unsecured database discovery by CloudDefense.AI serves as a stark reminder of the vulnerabilities in our digital world. Data security is not an option but a necessity. It underscores the need for companies to regularly audit and monitor their databases for vulnerabilities that could potentially lead to devastating data breaches. As we navigate an increasingly interconnected digital landscape, safeguarding personal data must remain a paramount priority for all organizations.
Related Articles:
- CloudDefense.AI exposes security flaw in breast pump company’s data storage, leaving millions of documents at risk
- CloudDefense.AI Discovered Yes Madam’s Security Breach, Exposing Sensitive Data of 900,000 Customers and Gig Workers
Abhishek Arora, a co-founder and Chief Operating Officer at CloudDefense.AI, is a serial entrepreneur and investor. With a background in Computer Science, Agile Software Development, and Agile Product Development, Abhishek has been a driving force behind CloudDefense.AI’s mission to rapidly identify and mitigate critical risks in Applications and Infrastructure as Code.
