A data breach at Edmodo has been reported that has affected tens of millions of users of the education platform, among them teachers, students and parents.
Edmodo is a platform used for K-12 school lesson planning, homework assignments and to assign grades and school reports. There are over 78 million registered users of the platform. The cyber criminal responsible for the Edmodo data breach claims to have obtained the credentials of 77 million users.
This allegation has been partially verified by Motherboard, which was given a sample of 2 million records that were used for verification reasons. While the full 77 million-record data set has not been reviewed, it would appear the claim is authentic.
The hacker, nclay, has placed the data for sale on the darknet marketplace Hansa and has asked to be paid $1,000 for the complete list. The data incorporates usernames, hashed passwords and email addresses. Email addresses for approximately 40 million users are thought to have been obtained by the cyber criminal.
The passwords in question have been salted and encrypted using the bcrypt algorithm. While it is possible that the passwords can be decrypted, it would be a long and painstaking process. Edmodo users have therefore been given a some time to reset their passwords and safeguard their accounts.
The Edmodo data breach is now being looked into and third party cybersecurity experts have been hired to complete a full analysis to determine how access to its system was obtained. All users of the platform have been emailed and advised to change their passwords.
Even if access to the accounts cannot be obtained, 40 million email addresses would be valuable to online spammers. Users of the platform are likely to face a heightened danger of phishing and other spam emails, should nclay find a buyer for the stolen information.
This is not the only large-scale data breach to impact the education sector this year. Schoolzilla, a data warehousing service for K-12 schools, also suffered a serious cyberattack this year. The data breach was noticed last month and is believed to have lead to in the theft of 1.3 million students’ data. In the case of Schoolzilla, the hacker took targeted a backup file configuration error.