Researchers at vpnMentor discovered an unsecured Azure database belonging to MyEasyDocs, an Indian company that leaked PII and academic details of thousands of students.
Affected people are the Indian and Israeli students who used MyEasyDocs for submitting their verified certificates to institutions. The company has secured the database after being notified by the vpnMentor researchers. Yet, MyEasyDocs users are advised to be cautious about potential cyber frauds arising out of this.
An Unsecured Microsoft Azure Database
Though Cloud services are picking up popularity for their cheap and efficient way of storage, few users are still not aware of properly configuring them. We’ve seen a number of such instances in the past, where companies leave databases loaded with customer data online without any password – resulting in exposing their PII to anyone!
Now, we see one more incident involving an Indian company named MyEasyDocs – an online document verification service that’s used by banks, universities, law enforcement agencies, etc., in India.
In early February, vpnMentor researchers discovered an unsecured Microsoft Azure database of MyEasyDocs, that contains over 50,000 files belonging to more than 10,000 students! These files are mostly certificates, revealing the academic and personal data of Indian and Israeli students.
Researchers noted a URL connected to the company that’s used by MyEasyDocs for uploading and sharing academic certificates of Indian and Israeli students. Since it was open to anyone on the web, researchers were able to intercept and check what was being shared. They noted the following data as exposed;
- Full names
- Subject Majors
- National ID and university/college registration numbers
- Dates of graduation
- Grades
- Emails
- Phone numbers
Soon, they contacted the Israel CERT to notify them about the breach and the vendors a week later. By mid-February, the company had secured the exposed database. Yet, researchers warned that exposed users might face several cyber threats like phishing and identity attacks, so they should be cautious to avoid them.
