A database containing personal information from Brazilian students is being offered on RaidForums, a marketplace for buying, selling and sharing hacked information. According to the hacker making the offer, the database belongs to Descomplica, known for its online classes for students preparing for Enem and other entrance exams, and contains more than 4.8 million user records from the edtech platform.
The students' personal data is said to include full name, CPF, date of birth, telephone number and e-mail address, in addition to the numbers of more than 1.4 million credit cards [masked], with card verification code (CVC), month and year of validity and token, as well as records of products purchased in recent months. The database also includes student accounts on social networks, such as LinkedIn, Twitter, Facebook, Instagram and WhatsApp.
Altogether, there are 26.3 GB of data, which also includes records of students with accounts on AppleStore and Google Play. In addition to passwords and e-mail addresses, there is information about the dates of purchases made in these online stores; the files also contain passwords used in orders, the type of product purchased and even reasons for canceling purchases.
The hacker says the material is stored at an address on GitHub, the source code and file hosting platform, and that all of Descomplica’s code and data repositories are also available.
After the news was published, CISO Advisor received, through the company’s press office, a statement on the case, which we publish in full below:
Due to an article published on April 28, 2021, about the hacker attack that Descomplica was the victim of in March of this year, the company reports that the passwords were leaked in encrypted format. That way, students will not be harmed, as this does not reveal their access code. To do so, it would be necessary to decrypt passwords – that is, to decrypt the key that protects them. The company reinforces its recommendation for users of the platform to change their passwords periodically.
It also informs that some digits of the credit card numbers that were affected were identified, but points out that this is not sufficient for their improper use, since it does not contain the complete sequence of digits on the card, nor its CVV data (security code) required for transactions.
The company reiterates that it has its entire team working to resolve the inconvenience and informs that it is doing everything possible for the platform to normalize quickly. Descomplica has already activated the responsible authorities and counts on them so that all the appropriate punishment measures for detractors are taken.