Sunday, November 24

Code.org Hacked, Emails and Locations Data of Volunteers Compromised

An anonymous reader, allegedly quoting an email from Code.org, claims that the database of the non-profit organization has been breached:

Some personal data was accessed on our web site by a firm exploiting a client-side vulnerability. Your email address and your location, if you provided it, were compromised and may have been read. The exploit was limited to engineers and others who volunteered to help in classrooms.

No student or teacher accounts were impacted, nor passwords or additional information. The exploit did not give hackers access to any of our servers. Earlier this week, a volunteer engineer told us he received an unsolicited recruiting email from a technical freelancing firm in Singapore.

We determined the firm was able to retrieve the volunteer’s private email address by exploiting a client-side vulnerability on our volunteer map. We’ve since had 6 similar cases reported. We’ve fixed the problem, and all private data was secured against future attacks late Friday. We also inspected and secured the rest of our site from similar vulnerabilities.

Code.org has confirmed to Slashdot that it has indeed suffered a breach. The non-profit separately wrote in a blog post that a Singapore-based recruiting firm had exploited a vulnerability on its website to send emails to Code.org members.

The following is an email sent by the recruiting firm to Hadi Partovi, CEO of Code.org. “Sorry about this… our intention was we thought it’d be good to get them more opportunities to improve their own Computer Science skills beyond the opportunities available in their geographical boundaries / location. We’ve told our team to stop this with immediate effect. No one should be receiving any more e-mails from us from this point onwards. You have my word that we will delete their email addresses from our mailing lists. They should not receive any more emails from us.”