It’s been a tough few days for Edmodo.
Last Thursday, Motherboard broke news that the popular classroom-learning platform was the victim of a hack that led to tens of million of users’ account details (including email addresses) being put up for illicit sale on the so-called ‘dark web’ (a section of the internet that requires special software to access and allows users to remain anonymous):
A vendor going under the name of nclay is currently listing the Edmodo data on the dark web marketplace Hansa for just over $1,000. In all, nclay claims to have 77 million accounts, and according to LeakBase, around 40 million include an email address. (Motherboard has not seen the full alleged database). The accounts were stolen last month according to nclay’s dark web listing. The vendor did not respond to a request for clarification.
Edmodo soon posted a response, saying they were investigating the hack and did not believe users’ passwords had been compromised.
Just two days later, however, education privacy researcher Bill Fitzgerald published a blog post detailing what he described as Edmodo’s practice of tracking students’ and teachers’ activity on their web-based platform, then sending the information to data brokers:
The presence of ad trackers for both teachers and students can be observed when we inspect traffic via an intercepting proxy. Some obvious questions that come to mind are: How aware are teachers in the Edmodo community that they are being tracked by ad brokers permitted on the site by Edmodo? How aware are students, teachers, and parents that ad brokers can collect data on students while using Edmodo? How does the presence of ad trackers that push information about student use to data brokers improve student learning? Are Edmodo Ambassadors briefed on the student-level tracking that occurs within Edmodo? If not, why not?
Edmodo currently claims well over 70 million users. For teachers, the platform is intended to give “complete control over your digital classroom,” according to the Edmodo website. That means allowing users to moderate classroom discussions, assign information and quizzes, track student progress, store information, and more.
The company did not respond to a request for an interview. A spokeswoman provided a statement to Education Week via email. Here’s what it said with regard to the hack:
Edmodo recently learned about a potential security incident. We immediately retained leading information security experts to investigate this incident and reported it to law enforcement. We have no indication at this time that any user passwords have been compromised; the passwords were hashed using the bcrypt algorithm, which is a strong and robust method of encryption, and salted, which adds an additional significant layer of security. Protecting the privacy of our users is of the utmost importance to Edmodo. We will be providing our users with additional information shortly, and will provide you with any additional information once we have it.
And re: ad-tracking, the Edmodo statement said that the problematic code pointed out by Fitzgerald “has been removed from our system,” saying it was left over from a previous program.
The statement also addressed the question of Edmodo directly serving ads to teachers and students on its platform:
For our current program where we are beta testing serving ads on Edmodo, we adopted a policy that prohibits the behavioral targeting of ads to our users. To prevent such targeted ads, we turned on the COPPA-compliant tag functionality associated with the ads. The COPPA-compliant tag is supposed to prevent behavioral tracking, but we are investigating even further to make sure it is working properly. To be safe, we have turned off these ads entirely for now.
Given the large number of users implicated, as well as the general public’s existing frame of reference for understanding hacking, it’s not surprising that this piece of the story has garnered considerable attention.
Behind-the-scenes ad-tech is much more opaque and confusing. But Fitzgerald said it’s also a problem. He observed that the tracking code that triggered the tracking was present within Edmodo’s site, which suggests that, at some point, someone made a decision to allow the practice to occur.
Fitzgerald did credit Edmodo for being quick to remove its ad-tracking code shortly after his post was published.
“The speed with which they did it was really good,” he said. “That’s the correct response.”
- Prominent Ed-Tech Players’ Data-Privacy Policies Attract Scrutiny
- K-12 Dealmaking: Edmodo Raises $30 Million From New Investors
A version of this news article first appeared in the Digital Education blog.