
Stanford University database containing more than 500,000 files exposed online

A Stanford University database holding more than 500,000 files, including student and visitor contact information, invoices, receipts, and database backups was left exposed online, with no password or other authentication required to access it, as discovered by Pixel Privacy researchers.

Our security team discovered the database on November 6, 2020. They uncovered an S3 bucket that contained files belonging to the Stanford Technology Ventures Program (STVP), part of Stanford University’s School of Engineering. In total, there were over half a million files, including thousands of lead details, scanned invoices and receipts, WordPress (WP) and SQL database backups, and configuration files for potentially accessing a WordPress server, along with other information.

Our researchers informed Stanford University of the exposure and the bucket was immediately secured. They received the following response:

“We have investigated the matter, taken actions to secure the data, and let affected individuals know about it, in the interests of transparency. We appreciate your responsible disclosure of this matter.”

Timeline of the exposure

The exact timeframe of the exposure is unclear, but it is known that the data was first seen around mid-September. Here’s what else we know:

  • November 6th, 2020: Our researchers discovered the database and sent a responsible disclosure to Stanford University.
  • November 7th, 2020: The database was partially secured (some files were still accessible when using a direct link).
  • November 10th, 2020: The security team at Stanford acknowledged the exposure and extended their appreciation for the responsible disclosure.

We don’t know at this time whether or not any unauthorized parties gained access to the database while it was exposed to the public.
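The "partially secured" state in the timeline (listing blocked, but files still readable by direct link) is a common S3 misconfiguration: the bucket ACL is private while individual object ACLs still grant public read. The following added example, not code from Pixel Privacy or Stanford, classifies that state offline from the data structures boto3 returns for `get_public_access_block`, `get_bucket_acl` and `get_object_acl`. The sample inputs are constructed; bucket policies are deliberately out of scope.

```python
# Hypothetical defender-side helper; not the original post's tooling.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# The setting a remediation should end in: all four flags on.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _grants_public(grants, permissions):
    """True if any ACL grant gives a public group one of the given permissions."""
    for g in grants:
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and g.get("Permission") in permissions):
            return True
    return False


def classify_exposure(pab, bucket_grants, object_grants):
    """Return 'listable', 'direct-link' or 'private'.

    listable:    anyone can enumerate keys (public READ on the bucket ACL).
    direct-link: listing is blocked, but objects carry a public READ ACL, so
                 anyone holding a URL can still fetch them.
    private:     no public ACL grant, or Block Public Access ignores them.
    """
    if pab.get("IgnorePublicAcls"):          # public ACLs are neutralised
        return "private"
    if _grants_public(bucket_grants, {"READ", "FULL_CONTROL"}):
        return "listable"
    if _grants_public(object_grants, {"READ", "FULL_CONTROL"}):
        return "direct-link"
    return "private"


# Constructed sample ACLs in boto3's response shape.
PAB_OFF = {k: False for k in HARDENED_PAB}
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
               "Permission": "FULL_CONTROL"}]
PUBLIC_READ = OWNER_ONLY + [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                             "Permission": "READ"}]


def demo():
    """Walk the three states: fully open, 'partially secured', hardened."""
    return (classify_exposure(PAB_OFF, PUBLIC_READ, PUBLIC_READ),
            classify_exposure(PAB_OFF, OWNER_ONLY, PUBLIC_READ),
            classify_exposure(HARDENED_PAB, OWNER_ONLY, PUBLIC_READ))
```

Setting `IgnorePublicAcls` (as in `HARDENED_PAB`) closes the direct-link case without having to rewrite the ACL on every one of half a million objects.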

What data was exposed?

A portion of the leaked data.

The data was discovered on a publicly exposed Amazon S3 bucket. In total, 560,783 files were exposed. The bucket contained a range of different types of files, including:

  • Student and visitor contact details
  • Contact form submissions
  • Receipts
  • Orders
  • Reservations
  • WP database backups
  • SQL backups

Some of the files included entrepreneur lead details (associated with email addresses on the stanford.edu domain), scanned invoices and receipts, partial web application credentials, and SQL database backups (115 of the files were SQL files). In addition, we found configuration files that could potentially be used to access the STVP’s WordPress server.

A section of leaked data.

Dangers of exposed data

The partial web application credentials and configuration files are particularly concerning as these could be used to hack into the STVP’s systems. With access to these, malicious actors could steal, change, or destroy information in the backend of the site. However, Stanford has secured the data and presumably taken action to ensure that any exposed credentials have been changed.

The main threat related to the other details in the database (such as student and visitor details, contact form submissions, invoices, and receipts) is targeted phishing. Fraudsters could use the information found in the database to send targeted emails to students or other individuals whose information has been exposed.

For example, scammers could pose as Stanford personnel to convince victims to hand over more information that could be used in crimes such as account takeover fraud, credit card fraud, or identity theft. Details from this exposure could also be cross-referenced with information from other data leaks to make correspondence even more convincing.

Anyone affected by this data exposure should be on the lookout for unsolicited emails or messages and avoid clicking attachments or links on emails or other messages.

About the Stanford Technology Ventures Program (STVP)

The STVP About page.
Source: Stanford STVP

The Stanford Technology Ventures Program (STVP) is an entrepreneurship center that’s part of Stanford’s School of Engineering. It runs courses for students as well as extracurricular programs for the Stanford community. It puts a focus on scholarly research related to tech ventures and creates educational resources for organizations, entrepreneurs, and educators.

This isn’t the first time Stanford University has been involved in a data leak. A breach was reported in February 2019 when it was discovered that a third-party vulnerability allowed students to view the admission files of other students. Leaked information included sensitive data such as Social Security numbers, home addresses, and criminal status. In addition, in 2017, Stanford University issued a press release detailing two other security incidents.

That said, Stanford is certainly not the only educational institution to be involved in a data leak. It has been reported that since 2005, US schools have leaked more than 20 million records in over 1,300 breaches.

Why we reported this data incident

Pixel Privacy’s team of researchers scans the internet to uncover publicly accessible databases containing personal information. When we discover exposed data, we determine its nature as well as who is responsible for managing it. In addition, we find out who may be affected by the exposure and how it impacts them.

Once we find out the data source, we notify them immediately so that the data may be secured. We also produce an article such as this one to inform readers about the exposure and to provide education regarding data exposures in general. Ultimately, we seek to minimize the potential damage incurred as a result of the leak.

Featured image source: Stanford STVP
