The popular university admission platform Leverage EDU leaked almost 240,000 sensitive files, including students’ passports, financial documents, certificates, and exam results.
The Cybernews research team discovered that Leverage EDU leaked extremely sensitive data due to the misconfiguration of their systems. As no authentication was required, anybody could access all of the student’s personal information needed to apply to universities.
Leverage EDU works as a one-stop admission platform for students seeking to study abroad. It claims to have a network of over 650 educational institutions worldwide and 80 million users over the last year.
With branches throughout India, the company has quadrupled its workforce since the pandemic and secured $22 million in funding from international investors. It runs offices in the UK and Australia.
Cybernews reached out to the company, and access to users' data was secured. The company confirmed to journalists that the problem was solved and that it started an investigation of its systems.
A treasure trove of personal data
On January 31st, the Cybernews research team discovered a misconfigured and publicly accessible cloud storage – an Amazon S3 bucket.
The bucket contained countless zip folders with almost 240,000 files exposing prospective students' sensitive data and personally identifiable information (PII).
Among the leaked data were degree certificates, student report cards, exam results, CVs, and filled application forms, along with phone numbers, emails, and home addresses.
The researchers noticed numerous personal identification documents, including passport photos belonging to students and their parents, which is a cause for serious concern.
The open bucket also exposed users' financial information, including bank statements, student loan documents, loan co-signers' identification documents, and payslips.
A malicious actor could have exploited the leaked personal data to commit identity theft and fraud. A data leak of such magnitude creates an opportunity for criminals to craft spear-phishing attacks and target individuals with greater precision putting their financial and other accounts at risk.
Leverage EDU’s response
In response to the Cybernews investigation, Leverage EDU said that they don't have any “definitive reason to believe” that any malicious party accessed the data.
"We haven't had any malicious data breach,” a company spokesperson told us.
“The link in question was being used by our bank partners to access documents of students who had requested an education loan and given permission for their documents to be shared.”
The company claims that the link became public for a short time during migration to another system. The company assured us that the students' data is secure, as the migration has now been completed.
“In addition to our current measures, we have also engaged a top cybersecurity consulting firm to audit and monitor our technology systems on an ongoing basis to ensure our data remains absolutely secure," concluded the spokesperson.
Mitigate the risks
To prevent such data leaks, Cybernews advises always securing cloud storage buckets. Leverage EDU should mitigate the risk and further damage by notifying its customers of the data leak.
Affected users should monitor their financial accounts for any suspicious activities. To mitigate the risks related to phishing campaigns, users should exercise caution when receiving messages, avoid clicking links, and verify information in suspicious emails via trusted sources before taking action.
The leaked dataset exposed personal documents. Victims should contact the government branches responsible for issuing those documents, ask for them to be invalidated, and for new documents to be issued.
Your email address will not be published. Required fields are markedmarked