Unsecured MongoDB Database Exposes 7 Mllion Student Records Belonging to K12.com

• The records were available online for more than a week before the database was secured.
• It is unclear whether or not any malicious parties accessed the data during the exposure.

K12.com, an online education platform, had inadvertently exposed almost 7 million student records due to a misconfigured MongoDB database. The records were available online for more than one week before the database was secured.

What information was exposed?

Comapritech along with security researcher Bob Diachenko uncovered the leaky MongoDB database on June 25, 2019. The information contained in the database included:

• Primary personal email address;
• Full name;
• Gender;
• Age;
• Birthdate;
• School name;
• Authentication keys for accessing ALS accounts & presentations; and
• Other internal data.

Where does the issue lie?

It was found that the information was held in an old version of MongoDB (2.6.4), which has been withdrawn since October 2016. Furthermore, the researchers had found that the Remote Desktop was enabled but not secured.

“As a result, the database was indexed by both the Shodan and BinaryEdge search engines. This means the records contained on the database were visible to the public,” said Paul Bischoff of Comparitech.

Duration of exposure

The indexed data is believed to have been exposed to the public since June 23, 2019. It remained publicly accessible until the database was closed on July 1, 2019. It is unclear whether or not any malicious parties accessed the data during the exposure.

How did the company respond?

Diachenko had contacted the K12 representatives to inform them about the issue. The online education platform was quick at addressing the issue and responded with the following statement.

“K12 takes data security very seriously. Whenever we are advised of a potential security issue, we investigate the problem immediately, and take the appropriate actions to remedy the situation,” the company stated.