LectureNotes learning app leaks user data of more than 2 million users

published: Feb. 8, 2024


The LectureNotes learning app left a database exposed, compromising the personal information of over two million users. The breach resulted from a misconfigured MongoDB database discovered in December 2023 by researchers from Cybernews.

LectureNotes, established in 2017, is known for providing a comprehensive online learning platform catering to undergraduate students across various digital mediums such as web, Android, and iOS. The platform offers a range of educational services including handwritten notes, live learning sessions, AI-driven content personalization, institutionalized courses, and video conferencing.

This breach exposed a significant amount of sensitive user information, including:

  • usernames,
  • full names,
  • email addresses,
  • encrypted passwords,
  • phone numbers,
  • IP addresses,
  • user-agent details,
  • session tokens,
  • authorization data, including IDs and secrets.

The exposure of session tokens, in particular, raises the risk of unauthorized access to user accounts without the need for passwords, while the leaked identities and contact data could potentially facilitate phishing, scams and even ransomware attacks.

LectureNotes locked down the database within two days of the responsible disclosure. The leak was attributed to a publicly accessible MongoDB database due to improper configuration.
