The Cybernews research team discovered that Leverage EDU leaked extremely sensitive data due to the misconfiguration of their systems. As no authentication was required, anybody could access all of the student’s personal information needed to apply to universities.
Leverage EDU works as a one-stop admission platform for students seeking to study abroad. It claims to have a network of over 650 educational institutions worldwide and 80 million users over the last year.
With branches throughout India, the company has quadrupled its workforce since the pandemic and secured $22 million in funding from international investors. It runs offices in the UK and Australia.
Cybernews reached out to the company, and access to users’ data was secured. The company confirmed to journalists that the problem was solved and that it started an investigation of their systems.
On January 31st, the Cybernews research team discovered a misconfigured and publicly accessible cloud storage – an Amazon S3 bucket.
The bucket contained countless zip folders with almost 240,000 files exposing prospective students’ sensitive data and personally identifiable information (PII).
Among the leaked data were degree certificates, student report cards, exam results, CVs, and filled application forms, along with phone numbers, emails, and home addresses.
The researchers noticed numerous personal identification documents, including passport photos belonging to students and their parents, which is a cause for serious concern.
The open bucket also exposed users’ financial information, including bank statements, student loan documents, loan co-signers’ identification documents, and payslips.
A malicious actor could have exploited the leaked personal data to commit identity theft and fraud. A data leak of such magnitude creates an opportunity for criminals to craft spear-phishing attacks and target individuals with greater precision putting their financial and other accounts at risk.
If you want to know how Leverage EDU should mitigate the risks give a look at the original post at CyberNews:
About the author: Paulina Okunytė, Journalist at CyberNews
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Leverage EDU)