The misconfigured Elasticsearch database apparently belonged to the US-based software solution provider Transact Campus.
SafetyDetectives’ cybersecurity research team, led by Anurag Sen, identified a misconfigured Elasticsearch server that exposed data from the Transact Campus app. According to their analysis, the server was connected to the internet and required no password to access the data.
As a result, around 1 million records were leaked, revealing the personally identifiable information of over 30,000 to 40,000 students.
About Transact Campus
Transact Campus is an American payment software provider headquartered in Phoenix, Arizona. The company offers technological solutions for integrating versatile payment functions into a single mobile platform.
Its software solutions are mainly used to facilitate student purchases at higher education institutes and streamline payment processes for institutions and students.
What was Exposed?
SafetyDetectives wrote in the report that the 5GB database leaked by the server contained details of students who are account holders at Transact Campus. Most of the impacted individuals are US nationals.
The exposed data included students’:
Full names
Phone numbers
Email addresses
Credit card details
Transaction details
Login information (username and passwords), etc.
It is worth noting that the login data, including username and password, was stored in plain text format. On the other