Code.org suffered a security breach on its website this week, the non-profit has confirmed. A firm based in Singapore managed to access some personal data on the Code.org website by leveraging a client-side vulnerability. As a result, Code.org says, more than 12,000 volunteer email addresses and some location data were compromised.
On Saturday, Code.org began to inform users whose email address or location data had been compromised. The organisation confirmed to Gadgets 360 that the email was indeed genuine, with CEO Hadi Partovi pointing us to a blog post published on his website. The organisation said that it first wanted to warn the impacted users.
In the blog post, Code.org, a website that aims to encourage people to learn Computer Science, shed more light on the nature of the attack. It noted that only engineers and others who had volunteered to help in classrooms were impacted. The organisation insists that none of its 10 million student or teacher accounts are impacted.
“Earlier this week, a volunteer engineer told us he received an unsolicited recruiting email from a technical freelancing firm in Singapore,” the organisation wrote in the blog post. “We determined the firm was able to retrieve the volunteer’s private email address by exploiting a client-side vulnerability on our volunteer map. We’ve since had 6 similar cases reported.”
Code.org also noted that it has fixed the vulnerability and all private data was “secured against future attacks late Friday. We also inspected and secured the rest of our site from similar vulnerabilities.”
Code.org also reached out to the Singapore-based recruiting firm which had exploited the vulnerability on its website. Here’s the email the firm sent to Partovi in reply. “Sorry about this… our intention was we thought it’d be good to get them more opportunities to improve their own Computer Science skills beyond the opportunities available in their geographical boundaries / location. We’ve told our team to stop this with immediate effect. No one should be receiving any more e-mails from us from this point onwards. You have my word that we will delete their email addresses from our mailing lists. They should not receive any more emails from us.”
Update 11:30PM IST: Partovi says that the Singapore-based firm has assured them that it will remove all the emails from its database.