A data breach of LectureNotes Learning App has affected over 2 million users. The leaked data totals 2,165,139 records and includes the personal information of its users, such as username, first and last names, session tokens, phone numbers, emails, passwords, IP addresses, user-agents and administrator authorization IDs. 

Security leaders share their thoughts on this breach and how organizations can protect the sensitive information of their users.

Jason Soroko, Senior Vice President of Product at Sectigo:

“This is a serious breach that unfortunately included credentials as well as PII information. Attackers are always on the lookout to gain password credentials because they will attempt to use them for 'password stuffing' attacks in other systems that you may be logging into. The lesson learned here is to ensure that you never use the same password twice, in order to avoid being a victim of a password stuffing attack.  

The most serious issue with this attack is the leaking of session tokens, which can be used by attackers to gain access to the system as you without even having to log in with your credentials. Session tokens are used in many web-based applications in order to be able to have a seamless experience while browsing through the site, as well as potentially for single sign on capabilities to other related web applications. This is most likely due to a configuration error in the database that was used by the victim learning platform. The lesson learned here is that best practices for configuring this can be a challenge because of the complexity level, so be sure to have a skilled practitioner configure your system or consider having a penetration tester evaluate your platform.” 

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security: 

“The severity of this data breach is significantly heightened because of the personal details and critical administrator credentials that were part of the compromised data. All organizations have an inherent obligation to protect their users and their users’ data. When a company is a custodian of personal information, it requires a much higher bar for security and monitoring than other types of organizations. Companies should be regularly auditing their data inventory to not only ensure compliance, but to also make sure that they are only retaining the sensitive data that is required. 

The immediate concern is the potential exploitation of this exposed data, which could lead to various malicious activities such as identity theft, phishing attacks and unauthorized access to user accounts. Current and former users of LectureNotes should assume they’ve already been breached and act accordingly. Proactive steps individuals can take include changing login information for their account with LectureNotes, getting a dark web monitoring service, monitoring or freezing their credit and practicing good cyber hygiene. By using strong and unique passwords for every account, enabling MFA everywhere possible, updating software and always thinking before you click, individuals can greatly increase their personal cybersecurity.

It is very serious any time a database is left exposed to unauthorized access. Special care should be taken to protect databases, and the treasure trove of information they contain, that make them such high priority targets to attackers. Typically there are few scenarios in modern system architectures that necessitate making a database available over the general internet by a routable IP address. When it is necessary, there are steps that can be taken to mitigate the risks involved.

  1. Ensure access to the database is tightly controlled, preferably by implementing a zero-trust network architecture.
  2. Employ a zero-trust access model to databases, and ensure that users or applications only have access to the data necessary to perform their function. 
  3. Database activity and network traffic should be monitored by a SIEM solution to alert when there is anomalous activity.”