An unsecured database containing personal information of millions of users of a higher education social platform was recently discovered by a security researcher. The social platform, formerly known as CampusKudos and now called PeopleGrove, left an internal database exposed to the internet without a password, allowing anyone with knowledge of its IP address to access the data using a web browser.
The exposed database contained gigabytes of personal information, including email addresses, phone numbers, addresses, details of university achievements and scores, and resumes containing detailed work histories and employment details. Shockingly, none of the exposed data was encrypted, making it easy for anyone to access and steal sensitive personal information.
CloudDefense security researcher, Anurag Sen, discovered the database on Thursday and immediately contacted TechCrunch, who then notified PeopleGrove. The server hosting the database became inaccessible soon after.
PeopleGrove's Chief Technology Officer, Reilly Davis, confirmed that the database was for their development servers and that most of the data was non-production test data. However, it's still unclear why the test database contained real people's information, and the company is currently investigating how and why the database became accessible from the internet.
TechCrunch verified the exposed data by matching contact information using public records, social media profiles, and career social networks like LinkedIn. Shockingly, some of the exposed information included details of a user's former top secret security clearance and personal contact information, including home address, personal email, and phone number.
At the time of discovery, the database had more than 25 million logs, while PeopleGrove's website claims to have more than 20 million users. PeopleGrove's CTO, Davis, has promised to notify affected users "if we do find their sensitive data was exposed" and said that the company has implemented logging within its Google Cloud environment to determine what data may have been accessed or exfiltrated.
This recent incident highlights the importance of proper security measures when storing sensitive personal information. It also serves as a warning to companies to regularly check and monitor their databases for any vulnerabilities that could lead to data breaches.