PeopleGrove security lapse exposed users' personal information

PeopleGrove confirmed Thursday that it's investigating after a security lapse exposed users' personal information online.

The company, formerly CampusKudos, which provides and hosts a social platform for higher education institutions and alumni networks, left the server hosting an internal database exposed to the internet without a password, allowing anyone to access the data using only a web browser and knowing its IP address.

The database contained gigabytes of personal information, including email addresses, phone numbers, addresses, details of university achievements and scores, and resumes containing detailed work histories and employment details. The records also contained links to the user's profile photo.

None of the exposed data was encrypted.

CloudDefense cloud security researcher Anurag Sen discovered the database on Thursday and contacted TechCrunch so we could notify PeopleGrove. The server became inaccessible a short time later.

"The database identified is a database for our development servers," said PeopleGrove chief technology officer Reilly Davis, when reached by email. "I do know that most of the data in those databases is non-production test data, so we are investigating exactly what data is contained in there, and how any production data was included."

Davis said an investigation was underway but did not say why the internal database became accessible from the internet. It's also unclear why the apparent test database contained real people's information.

TechCrunch verified a portion of the exposed data by matching contact information using public records, social media profiles and other career social networks like LinkedIn. One user, whose profile said they served as a U.S. intelligence officer, had details of their former top secret security clearance exposed in their user record, along with their home address, personal email address and phone number. Another user, whose information was found in the data but asked not to be named for this story, confirmed to TechCrunch that their exposed information was accurate but could not explain how it had been collected, or by whom.

At the time it was discovered, the database had more than 25 million logs. PeopleGrove's website says it has more than 20 million users.

PeopleGrove CTO Davis said the company would notify affected users "if we do find their sensitive data was exposed." Davis said the company has logging in place within its Google Cloud environment to determine what data may have been accessed or exfiltrated.

PeopleGrove chief executive Adam Saven, who was copied on the email, did not comment.