
Leverage EDU leaks nearly 240,000 sensitive files of students


A misconfiguration in one of Leverage EDU’s cloud storage buckets caused a data leak of almost 240,000 sensitive files, including students’ passports, financial documents, certificates and exam results.

The leaked data contains personally identifiable information, which can easily be used to create targeted spear-phishing attacks as well as to commit identity theft and fraud. 

Screenshot of one of the many ZIP folders in the cloud storage bucket. | Source: Cybernews

The exposure was detected by the Cybernews research team on January 31 in the form of a misconfigured and publicly accessible Amazon S3 bucket.

The bucket contained ZIP folders holding sensitive data and PII of multiple students, including degree certificates, report cards, exam results, CVs, filled application forms to various universities, phone numbers, emails and physical addresses. Leaked financial information from the bucket included bank statements, student loan documents, loan co-signers’ identification documents and payslips.

Cybernews reached out to Leverage EDU with the issue. Upon notification, the company secured access and confirmed that the problem was solved and that it’d be running an internal investigation of its systems. 

With a database that large, a leak of this magnitude containing this much sensitive data can be disastrous for both the company and the victims involved. At the moment, there are no reports of this data being abused by threat actors, but mitigation actions like invalidating documents are recommended.

A leaked passport from Leverage EDU’s cloud bucket. | Source: Cybernews

Leverage EDU is a major higher education platform for students looking to study abroad, with numerous branches throughout India and offices in the UK and Australia. The company claims a network of over 650 educational institutions worldwide and 80 million users in 2022.

Leverage EDU was also relatively unaffected by the pandemic, securing $22 million in funding from international investors and quadrupling its workforce.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
