The data was accessible through simple URL manipulation

Dec 18, 2008 15:31 GMT

A security breach, apparently caused by a programming error, exposed thousands of e-mails sent by Ecademy members to the website's technical support department. According to the company running the website, the issue was fixed within 30 minutes of its becoming aware of it.

Ecademy is one of the first UK-based social networking services, and is aimed mostly at businesses and professionals. The website has been criticized many times over the years, for reasons ranging from its methods of operation to its membership fees and banning practices.

The data leak incident was discovered and partially documented on his blog by the well-known British IT entrepreneur Paul Walsh, who notes that he joined the website a few years back but never really used its services. “I still get connection requests from weirdo life coaches,” he says.

Mr. Walsh explains that, by cycling through the numbers from 1 to 22400 in the http://www.ecademy.com/node.php?id=###### URL, where each # stands for one digit of the number, one could read what he initially took to be confidential conversations between website members. The company running the site confirmed the security breach, but stressed that it only disclosed e-mails sent by members to the support department, not e-mails exchanged among members.

The company said that, while these exposed communications should also have been confidential, they mostly contained bug reports and requests for help. It also specified that there were a total of 19,000 support requests in its system and that it was more concerned about a small number of them in which certain users reported the misbehavior of other members.

The confusion about the nature of the e-mails stemmed from the fact that Mr. Walsh happened to post the contents of exactly one of the support e-mails, in which a user was registering a complaint against another. Paul Walsh also updated his blog after being contacted by Ecademy's CTO, with an entry clarifying that “The problem was related to support related queries and has now been resolved.”

“Ecademy treats the privacy of its members as a top priority, and apologises for any inconvenience or distress caused by this fault,” the company concludes in a statement cited by The Register. “For those of you requesting more information about the emails to which I refer above; I never intended to disclose them,” Mr. Walsh further adds.

Identity thieves and scammers usually go to great lengths to acquire personal information or real names associated with e-mail addresses, because such data significantly increases the success rate of their spam campaigns. URL manipulation breaches of this kind are dangerous, and developers should do everything in their power to avoid them, because they hand out sensitive data without the attacker having to make any real effort to obtain it.
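The flaw described above is an insecure direct object reference: a record is looked up by a sequential id taken from the URL, and nothing checks that the requester is allowed to see that record. The following is an added example, not Ecademy's code or anything from the site's actual code base; the ticket records, the `SUPPORT_NODES` store, the `helpdesk` role and the access-log lines are all constructed for illustration. It shows the vulnerable lookup beside the hardened one, and a small log-side detector that flags a client walking through consecutive ids, which is the pattern that a sweep from 1 to 22400 would leave in a web server log.

```python
"""Added example (not the site's code): an IDOR lookup, its fix, and a
log-side detector for sequential-id sweeps. All data is constructed."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed support tickets, keyed by a sequential id as in node.php?id=N
SUPPORT_NODES = {
    101: {"owner": "alice", "body": "Cannot upload avatar"},
    102: {"owner": "bob", "body": "Complaint about member carol"},
    103: {"owner": "carol", "body": "Billing question"},
}

# Hypothetical staff role that may read every ticket
SUPPORT_STAFF = frozenset({"helpdesk"})


def fetch_node_vulnerable(node_id, requester):
    """Vulnerable pattern: the id alone selects the record, so any member
    who can count can read every ticket. `requester` is never consulted."""
    return SUPPORT_NODES.get(node_id)


def fetch_node_hardened(node_id, requester):
    """Fixed pattern: authorize the (requester, object) pair on every read.
    A ticket is returned only to its owner or to support staff."""
    node = SUPPORT_NODES.get(node_id)
    if node is None:
        return None
    if requester == node["owner"] or requester in SUPPORT_STAFF:
        return node
    # Return the same "nothing here" answer as for a missing id, so that a
    # forbidden id and a non-existent id are indistinguishable to the caller.
    return None


# Constructed access-log lines: "<client> <method> <path> <status>"
SAMPLE_LOG = [
    "203.0.113.7 GET /node.php?id=101 200",
    "198.51.100.9 GET /node.php?id=102 200",
    "203.0.113.7 GET /node.php?id=102 200",
    "203.0.113.7 GET /node.php?id=103 200",
    "198.51.100.9 GET /node.php?id=102 200",
    "203.0.113.7 GET /node.php?id=104 200",
    "198.51.100.9 GET /index.php 200",
    "203.0.113.7 GET /node.php?id=105 200",
]


def detect_id_sweeps(log_lines, threshold=5):
    """Return {client: sorted ids} for clients that requested at least
    `threshold` distinct ids forming one contiguous run, which is the
    footprint of someone cycling through node.php?id=1, 2, 3, ..."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the scan
        client, path = parts[0], parts[2]
        query = parse_qs(urlparse(path).query)
        if "id" not in query:
            continue
        try:
            ids_by_client[client].add(int(query["id"][0]))
        except ValueError:
            continue  # non-numeric id, not part of a numeric sweep
    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) >= threshold and ids == set(range(min(ids), max(ids) + 1)):
            flagged[client] = sorted(ids)
    return flagged


if __name__ == "__main__":
    print("vulnerable, alice reads bob's ticket:", fetch_node_vulnerable(102, "alice"))
    print("hardened, alice reads bob's ticket:", fetch_node_hardened(102, "alice"))
    print("hardened, helpdesk reads bob's ticket:", fetch_node_hardened(102, "helpdesk"))
    print("clients sweeping ids:", detect_id_sweeps(SAMPLE_LOG))
```

The hardened lookup deliberately answers a forbidden id exactly as it answers a missing one, so the record's existence is not leaked either. The detector is a coarse signal meant to run over ordinary access logs; a real deployment would also rate-limit per session and alert on a run of identical-path requests with only the id changing.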

Other similar data leak incidents that we previously covered include the website of a major Scottish newspaper disclosing the personal information of its subscribers, one involving the online image sharing service ImageShack, which exposed the IP addresses of uploaders, and a case in which a test preparation firm accidentally made the personal information of its students available to search engines through its website.