University admission platform Leverage EDU exposed student passports

The popular university admission platform Leverage EDU leaked almost 240,000 sensitive files, including students’ passports, financial documents, certificates, and exam results.

The Cybernews research team discovered that Leverage EDU leaked extremely sensitive data due to the misconfiguration of their systems. As no authentication was required, anybody could access all of the student’s personal information needed to apply to universities.

Leverage EDU works as a one-stop admission platform for students seeking to study abroad. It claims to have a network of over 650 educational institutions worldwide and 80 million users over the last year.

With branches throughout India, the company has quadrupled its workforce since the pandemic and secured $22 million in funding from international investors. It runs offices in the UK and Australia.

Cybernews reached out to the company, and access to users’ data was secured. The company confirmed to journalists that the problem was solved and that it started an investigation of their systems.

Screenshot of the leaked passport. Image by Cybernews

A treasure trove of personal data

On January 31st, the Cybernews research team discovered a misconfigured and publicly accessible cloud storage – an Amazon S3 bucket.

Total number of files stored in the bucket. Image by Cybernews

The bucket contained countless zip folders with almost 240,000 files exposing prospective students’ sensitive data and personally identifiable information (PII).

Among the leaked data were degree certificates, student report cards, exam results, CVs, and filled application forms, along with phone numbers, emails, and home addresses.

Screenshot of a zipped folder stored in the bucket. Image by Cybernews

The researchers noticed numerous personal identification documents, including passport photos belonging to students and their parents, which is a cause for serious concern.

Graduation certificate. Image by Cybernews

The open bucket also exposed users’ financial information, including bank statements, student loan documents, loan co-signers’ identification documents, and payslips.

Screenshot of leaked confirmation email by Leverage EDU. Image by Cybernews

A malicious actor could have exploited the leaked personal data to commit identity theft and fraud. A data leak of such magnitude creates an opportunity for criminals to craft spear-phishing attacks and target individuals with greater precision putting their financial and other accounts at risk.

Application form. Image by Cybernews

If you want to know how Leverage EDU should mitigate the risks give a look at the original post at CyberNews:

https://cybernews.com/security/leverage-edu-exposed-student-passports/

About the author: Paulina Okunytė, Journalist at CyberNews

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Leverage EDU)

---