Tech

Code.org volunteer emails exposed in information leak

As a result, a Singaporean firm decided to try and poach a few members.

Written by Charlie Osborne, Contributing Writer March 14, 2016 at 5:59 a.m. PT

A number of email addresses belonging to volunteers working for Code.org have been compromised, leading to peculiar "job offers" from Asia.

Code.org, a non-profit aimed at improving computer science skills for today's students, offers online classes to students in 180 countries.

The network relies on volunteers to keep going, and unfortunately for some, their email addresses have been compromised.

You would be forgiven for thinking the data breach was caused by the exploit of a database vulnerability or phishing campaign, as is often the case.

Snapchat, for example, was recently left apologising and blushing in embarrassment after a cyberattacker impersonated the CEO, Evan Spiegel, in the quest for employee data.

Oblivious, the hapless staff member handed over files documenting payroll information belonging to current and former employees.

In this case, however, CEO of Code.org Hadi Partovi said in a blog post the information leak was caused not by a cyberattacker, but rather a coding failure which left volunteer email addresses open to the eyes of the Internet.

Security

The executive said that the Code.org team found and fixed an "error" in the organisation's domain late Friday. The error allowed public access to a number of databases containing the email addresses of volunteers through standard Web browsers, and as a result, at least 10 volunteers received "job offers" from a recruitment firm in Singapore.

"This wasn't a case of hackers breaching our security systems, rather it was our mistake of leaving volunteer email addresses accessible via the web browser," Partovi says. "None of our servers were ever vulnerable, nor were our 10 million student/teacher accounts or passwords or other information ever vulnerable."

The recruitment firm in question which used the information leak to send these emails said they were sorry and would remove the email addresses from mailing lists. However, the unnamed company was quick to say its intention was simply to "get them more opportunities to improve their own Computer Science skills beyond the opportunities available in their geographical boundaries / location."

Code.org's CEO described the problem as both an "error" and "vulnerability," and does not know how widespread the problem may be. To prevent any further data leaks caused by the same problem, the team has secured the Web domain and double-checked their databases.

The CEO has apologised for the data leak, which in the grand scheme of things, is small and of relatively low risk in comparison to many of the data breaches we hear about every week.

However, the case does highlight just how far information can spread through the smallest of errors.