
Data breach at Wyzant, a website for hiring online tutors

After performing web application security testing, the operators of Wyzant, a well-known website for contacting and hiring personal tutors in more than 200 different subjects, have confirmed a data breach that exposes sensitive details of the platform's users. Wyzant currently has over two million users and more than 70k active tutors.

Wyzant sent a notification via email to the affected users; in the message, the company claims that an unidentified attacker gained access to one of its databases at the end of April. Wyzant operators mention that they detected the incident a week later.

According to those responsible for the web application security testing, the personal details obtained by the attackers include:

  • Full names
  • Email address
  • Address details
  • Facebook profile details (only in some cases)

It should be noted that the exposed information does not include passwords, payment card details or activity logs in Wyzant.

The company has not provided additional information, such as technical details of the attack or its scope; it has only assured that the vulnerability the attackers exploited to access its database has already been corrected.

Wyzant says it will keep implementing its web application security testing process across its IT infrastructure; the company has also assured customers that they will be alerted to any new relevant information.

“We have implemented some additional security measures, such as reviewing our security policies and protocols to face this kind of incident; the privacy protection of our users will be guaranteed in the future”, mentions the Wyzant statement.

Several members of the community have also tried to contact the company to find out more details about the incident; Wyzant states that it will publish a report once the investigation is completed.

Specialists from the International Institute of Cyber Security (IICS) recommend that affected users be alert to possible phishing campaigns arising from this incident, as multiple groups of malicious actors could have gained access to the compromised database.
