An online maths resource with a large Australian user base appears to be behind a large-scale leak of data touted online as a dataset belonging to the "Australian department of education".
Images of the dataset purporting to contain the data of an unknown number of individuals, including those with vic.edu.au and wa.edu.au email addresses, emerged on Tuesday night.
Alon Gal, chief technology officer at cyber security intelligence firm Hudson Rock, claimed the dataset belonged to the “Australian Department of Education”, which does not exist.
He said on Twitter that the “hacked” dataset contained one million records of students, teachers and staff, including the personal information such as emails, names and hashed passwords.
But by Wednesday afternoon, Australia's computer emergency response team (AusCERT) had traced the suspected source for the data, which it said was “not a government agency”.
“Working with Cosive, we’ve found signs that this is a re-publish of a dataset published in March 2020 or earlier, relating to a service called ‘K7Maths’,” it said.
K7Math is an online database of mathematics resources, which the operator boasts on its website has more than 100,000 teachers worldwide making use of it in the classroom.
“The TLS [Transport Layer Security] on their site also correlates with what seems to be their Australian presence,” AusCERT added.
AusCERT said the data was likely to have originated from an “exposed Elasticsearch instance”.
It also downplayed the seriousness of the data dump, with “no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort”.
“We think that the only personal information in the dump is email addresses and countries, which would likely not count as a notifiable data breach," AusCERT said.
“Our investigation there is incomplete."
Exposed password hashes are also “harder than usual to crack” as they use the “standard bcrypt algorithm.
AusCERT has urged concerned members to check whether their staff have used the tool and to inspect mailboxes for sign-up emails.
iTnews also contacted the Department of Education, Skills and Employment for comment.
