It’s been a tough few days for Edmodo.
Last Thursday, that the popular classroom-learning platform was the victim of a hack that led to tens of millions of users’ account details (including email addresses) being put up for illicit sale on the so-called ‘dark web’ (a section of the internet that requires special software to access and allows users to remain anonymous):
A vendor going under the name of nclay is currently listing the Edmodo data on the dark web marketplace Hansa for just over $1,000. In all, nclay claims to have 77 million accounts, and according to LeakBase, around 40 million include an email address. (Motherboard has not seen the full alleged database). The accounts were stolen last month according to nclay’s dark web listing. The vendor did not respond to a request for clarification.
Edmodo soon posted a response, saying they were investigating the hack and did not believe users’ passwords had been compromised.
Just two days later, however, education privacy researcher detailing what he described as Edmodo’s practice of tracking students’ and teachers’ activity on their web-based platform, then sending the information to data brokers:
The presence of ad trackers for both teachers and students can be observed when we inspect traffic via an intercepting proxy. Some obvious questions that come to mind are: How aware are teachers in the Edmodo community that they are being tracked by ad brokers permitted on the site by Edmodo? How aware are students, teachers, and parents that ad brokers can collect data on students while using Edmodo? How does the presence of ad trackers that push information about student use to data brokers improve student learning? Are Edmodo Ambassadors briefed on the student-level tracking that occurs within Edmodo? If not, why not?
Edmodo currently claims well over 70 million users. For teachers, the platform is intended to give “complete control over your digital classroom,” according to the Edmodo website. That means allowing users to moderate classroom discussions, assign information and quizzes, track student progress, store information, and more.
The company did not respond to a request for an interview. A spokeswoman provided a statement to 澳门跑狗论坛 via email. Here’s what it said with regard to the hack:
Edmodo recently learned about a potential security incident. We immediately retained leading information security experts to investigate this incident and reported it to law enforcement. We have no indication at this time that any user passwords have been compromised; the passwords were hashed using the bcrypt algorithm, which is a strong and robust method of encryption, and salted, which adds an additional significant layer of security. Protecting the privacy of our users is of the utmost importance to Edmodo. We will be providing our users with additional information shortly, and will provide you with any additional information once we have it.
And re: ad-tracking, the Edmodo statement said that the problematic code pointed out by Fitzgerald “has been removed from our system,” saying it was left over from a previous program.
The statement also addressed the question of Edmodo directly serving ads to teachers and students on its platform:
For our current program where we are beta testing serving ads on Edmodo, we adopted a policy that prohibits the behavioral targeting of ads to our users. To prevent such targeted ads, we turned on the COPPA-compliant tag functionality associated with the ads. The COPPA-compliant tag is supposed to prevent behavioral tracking, but we are investigating even further to make sure it is working properly. To be safe, we have turned off these ads entirely for now.
Given the large number of users implicated, as well as the general public’s existing frame of reference for understanding hacking, it’s not surprising that this piece of the story has garnered considerable attention.
Behind-the-scenes ad-tech is much more opaque and confusing. But Fitzgerald said it’s also a problem. He observed that the code that triggered the tracking was present within Edmodo’s site, which suggests that, at some point, someone made a decision to allow the practice to occur.
Fitzgerald did credit Edmodo for being shortly after his post was published.
“The speed with which they did it was really good,” he said. “That’s the correct response.”