K12.com, an online education platform, inadvertently exposed the personal information of nearly seven million students, according to security researchers at Comparitech. The exposed database contained full names, email addresses, birthdates and gender identities, as well as the school that the students attend, authentication keys for accessing their accounts and other internal data. The information was available online for more than one week, and it's unclear if the database was at any point accessed by malicious actors. Engadget reached out to K12.com for additional information regarding the data exposure and will update this story if we hear back.
According to the researchers who discovered the exposure, the issue affected K12.com's A+nyWhere Learning System (A+LS), which is utilized by more than 1,100 school districts in the US. The database was misconfigured, resulting in it being publicly accessible and discoverable on BinaryEdge and Shodan, two search engines that specialize in indexing public-facing databases. The exposure, which was discovered on June 25th, first occurred on June 23rd and wasn't fixed until July 1st.
It's become shockingly common for misconfigured databases to expose huge swaths of personal information collected and held by companies. Just in the last few months, public-facing databases have exposed contact information for Instagram influencers, the medical records of rehab patients, subscribers to AMC Networks premium services. In one instance, a database containing sensitive information on more than 80 million households in the US was discovered. In these cases, it's difficult to determine if anyone malicious accessed the information.