After performing web application security testing, the operators of Wyzant, a well-known website for contacting and hiring personal tutors in more than 200 different subjects, have confirmed a data breach that exposed sensitive details of the platform's users. Wyzant currently has over two million users and more than 70k active tutors.
Wyzant sent a notification via email to the affected users; in the message, the company claims that an unidentified attacker got access to one of the databases at the end of April. Wyzant operators mention that they detected the incident a week later.
According to those responsible for the web application security testing, among the personal details obtained by the attackers are:
- Full names
- Email addresses
- Address details
- Facebook profile details (only in some cases)
It should be noted that the exposed information does not include passwords, payment card details or activity logs on Wyzant.
The company has not shared additional information, such as technical details of the attack or its scope; it has only stated that the vulnerability the attackers exploited to access its database has already been corrected.
Wyzant says it will keep applying its web application security testing process across its IT infrastructure; the company has also assured customers that they will be alerted to any new relevant information.
“We have implemented some additional security measures, such as reviewing our security policies and protocols to face this kind of incident; the privacy protection of our users will be guaranteed in the future,” says the Wyzant statement.
Several members of the community have also tried to contact the company to find out more details about the incident; Wyzant states that it will publish a report once the investigation is completed.
Specialists from the International Institute of Cyber Security (IICS) recommend that affected users be alert to possible phishing campaigns arising from this incident, as multiple groups of malicious actors could have gained access to the compromised database.