Misconfigured LectureNotes database leaks over 2M users’ data
Mobile peer-to-peer class notes sharing platform LectureNotes Learning App had more than 2.1 million users' records exposed as a result of a misconfigured MongoDB database, which has since been addressed, reports Cybernews.
Information leaked by the database misconfiguration included individuals' first and last names, usernames, emails, encrypted passwords, IP addresses, phone numbers, session tokens, and user agents, as well as certain admin authorization details, according to Cybernews researchers. Such a data leak could have significant implications, with the exposed session tokens and admin authorization information potentially exploitable to achieve user session hijacking and further malicious activities, researchers said. Inherently weak default security settings in MongoDB should prompt the implementation of necessary authentication and access controls, as well as threat monitoring systems that would enable accelerated response to suspicious events.
"The rule of thumb for MongoDB administrators is always to enable authentication and ensure that only authorized users can access the database. Using strong passwords and keyfile authentication improves security," added researchers.