Photo firm exposes 43K American uni students


A US-based graduation photo maker exposed the personal details of thousands of students from hundreds of American universities, the Cybernews research team has discovered.

Digital Pix & Composites left an open Microsoft Azure Blob, an online storage service, containing hundreds of text files with personal details, our researchers claim.

Since Digital Pix & Composites specializes in sorority, fraternity and graduation composites, the exposed individuals are students from US-based universities.

ADVERTISEMENT

According to the team, the exposed instance contained 469 text files with data on 43,000 students, including their full names, home addresses, and institutions they attended. In total, students from 222 universities across the US were exposed.

Researchers noted that students from Stanford, University of California, University of Michigan, Washington University, University of Texas, University of Maryland, University of Georgia, and many others were exposed in the leak.

The team discovered the leak in late November 2023 and immediately contacted the company behind it. Digital Pix & Composites closed down the instance only after publishing of this article.

We’ve reached out to the company for a comment but did not receive a reply before publishing.

Sample data
Sample of the leaked data. Image by Cybernews.

Dangers of leaking student data

Researchers believe that exposing students' full names, home addresses, and educational affiliations poses a severe risk to their privacy. Attackers could use the data for spear phishing attacks, for example.

“The data leak could aid cybercriminals in their efforts to obtain more information about the affected individuals by connecting the stolen information with additional details that are readily available on the internet,” researchers explained.

ADVERTISEMENT

Attackers could also target exposed students with social engineering attacks, leveraging the leaked data to manipulate them into divulging additional sensitive information or taking actions that could compromise their security.

“Cybercriminals may use the leaked information to attempt to gain unauthorized access to students’ existing accounts. Some services use personal information like home addresses for identity verification purposes,” the team said.

Data exposure may also lead to Doxxing, a practice of disclosing or publishing personal information about a person without that person's permission. Motivation for such practice ranges from personal grievances to monetary gain.

“When a person's home address is leaked, their personal safety and security are jeopardized. For example, criminals might use the exposed data to target specific homes for theft, burglary, or invasion,” researchers said.

To secure the data and avoid similar incidents in the future, researchers advise to:

  • Retrospectively monitor access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Update the permissions and access controls on the impacted Azure blob right away to prevent unwanted access. Modify the configuration to guarantee that access is granted only to the necessary users or services.
  • Check for and remove unnecessary public access configurations. Ensure that the blob is not publicly accessible unless absolutely necessary.
  • Conduct a thorough audit of the access controls for the Azure blob. Review Azure Role-Based Access Control (RBAC) settings and ensure that the principle of least privilege is followed.
  • Enhance monitoring and logging for the Azure blob to track access and detect any suspicious activities. Configure Azure Storage Analytics to capture relevant logs.

Updated on June 6th [12:45 p.m. GMT] with information about the company closing the previously exposed instance.