Researchers find user data exposed on LectureNotes learning app

Misconfigured database was leaking data of more than 2 million users


The database exposed a trove of personal details, including usernames, full names, email addresses, and encrypted passwords

A significant data leak has affected the LectureNotes learning app, leaving over two million users' personal information exposed due to a misconfigured database. Established in 2017, LectureNotes has been at the forefront of providing online notes to undergraduate students.

The platform, available across web, Android, and iOS platforms, offers a plethora of services including handwritten notes via LectureNotes, live learning through LecturePrime, AI-driven content personalization via LectureRooms, institutionalized courses via Lecture Academy, and video conferencing infrastructure via LectureRemote.

One of LectureNotes' core objectives, according to the company, is to foster localised learning ecosystems through a community-building approach. The platform boasts a user base of over 2 million and a staggering 3 million pages of content.

In December 2023, Cybernews researchers stumbled upon a misconfigured MongoDB database linked to LectureNotes.

The database was found to be updating in real time and inadvertently divulged sensitive user and administrative data.

A staggering 2,165,139 user records were exposed, comprising a trove of personal details, including usernames, full names, email addresses, encrypted passwords, phone numbers, IP addresses, user-agent information, and session tokens.

Moreover, critical admin authorisation data, such as IDs and secrets, found its way into the exposed dataset.

The leak poses severe risks, with researchers at Cybernews warning of potential exploitation of session tokens to gain unauthorized access to user accounts without requiring passwords. Additionally, leaked admin credentials could empower cyber attackers to execute ransomware attacks, phishing schemes, and other malicious activities, endangering the integrity and security of the platform.

Following responsible disclosure, LectureNotes addressed the issue within two days.

Attributing the breach to a misconfigured MongoDB database left public, researchers stressed the importance of robust authentication and access controls to prevent such incidents. They advise MongoDB administrators to enforce stringent security measures, including enabling authentication, using strong passwords, and employing keyfile authentication.

Furthermore, researchers emphasise the necessity of monitoring solutions to detect anomalous activity and potential security threats promptly, urging organisations to set up alerts for suspicious events to enable swift intervention.

MongoDB, renowned for its flexible data storage format akin to JSON, is a popular choice for NoSQL database solutions. However, its default configurations often lack robust security features, making it susceptible to misconfigurations and subsequent data leaks.

According to researchers, misconfigured databases exposing sensitive information about companies or people have become an all-too-common occurrence.

In September last year, a misconfigured link enabled public access to 38TB of Microsoft's confidential data from two employees' workstations, opening up the potential for injecting malicious code into Microsoft's AI models.

In 2019, an unsecured Elasticsearch database belonging to Honda Motor Company was found exposing sensitive information about the company's internal systems and device data.

In 2020, Virgin Media admitted to a 10-month-long data breach that occurred as a result of a misconfigured marketing database.