Over 400,000 Student records from Thailand exposed
The server contained data from Office of Basic Education Commission (OBEC) including over 11,500 login credentials.
Who is OBEC?
“The Office of the Basic Education Commission (OBEC) is a Thai governmental agency, founded in 2003. It is an office of the Thai Ministry of Education (MOE). Its mission is to organize and promote basic education from primary school to high school” according to Wikipedia.
Finding the exposed data
On October 7th 2024, while looking at some publicly exposed data, I found a server with some exposed databases, and one of them contained a table named “students” with over 438,000 records.
The data was in Thai and contained records from 2015 to October 2024 that included fields such as:
School and student ID
First and last name
National ID number
Address
Blood type
Date of birth
Nationality and religion
It also contained father/mother/guardian information such as:
First and last name
National ID number
Phone
Income and occupation
This table alone wasn’t enough to identify who owned this data, so I looked at what else was exposed on the server, and after looking for a bit I found references to OBEC and https://asset.bopp-obec.info.
I also found a table with 11,642 user logins for some OBEC service (not exactly sure which); the table was named “ObecMaster”.
This table contained fields such as:
First and last name
Username
Email
Phone number
Workplace
MD5 hashes
Plaintext password
Yes, that’s not a mistake, the password was both hashed and in plaintext on the same table.
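To make concrete why the MD5 column is itself a serious exposure and not just the plaintext column beside it, here is an added example. It is my own code, not the author’s and not anything recovered from the exposed server: it builds a constructed table of rows in the shape described above (invented usernames and passwords), runs a dictionary attack against the hashes (assuming they are unsalted, which the post suggests but does not state), and contrasts that with a salted, iterated password hash (PBKDF2-HMAC-SHA256) that does not have this problem.

```python
"""Added example: unsalted MD5 password hashes vs. salted PBKDF2.

Everything here is constructed for illustration; no real OBEC data is used.
"""
import hashlib
import hmac
import os

# Constructed sample rows in the shape of the "ObecMaster" table:
# username -> password. Usernames and passwords are invented.
SAMPLE_USERS = {
    "teacher01": "password",
    "teacher02": "password",          # same password as teacher01
    "admin_school": "123456",
    "user_bkk": "obec2024",
    "strong_user": "c9!Tq#4vLz^pW1eR",  # not in any small wordlist
}

# What an attacker sees if the plaintext column were absent: unsalted MD5.
# (Assumption: the hashes in the exposed table were unsalted.)
LEAKED_MD5 = {u: hashlib.md5(p.encode()).hexdigest() for u, p in SAMPLE_USERS.items()}

# Constructed mini wordlist. Real attacks use lists of hundreds of millions
# of entries and GPUs that compute billions of MD5s per second.
WORDLIST = ["123456", "password", "qwerty", "obec2024", "thailand", "letmein"]


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack against unsalted MD5.

    Each candidate is hashed exactly once and looked up against every row:
    with no salt, one hash computation tests the candidate against all
    users at the same time. Returns {username: recovered_password}.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def shared_password_groups(leaked):
    """Unsalted hashes also leak who shares a password: identical hash,
    identical password. Returns {hash: [usernames]} for hashes seen twice+."""
    groups = {}
    for user, h in leaked.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Hardened storage: per-user random salt plus an iterated KDF, so that
# every candidate must be hashed separately for every user and each
# guess costs ~0.2-0.5 s instead of a few nanoseconds.
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("Cracked from MD5 column:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("Users sharing a password:", shared_password_groups(LEAKED_MD5))
    stored = hash_password("obec2024")
    print("PBKDF2 record:", stored)
    print("Same password, second user, different record:",
          hash_password("obec2024") != stored)
    print("Verify correct/incorrect:",
          verify_password("obec2024", stored), verify_password("obec2025", stored))
```

Four of the five constructed accounts fall to a six-word list in a fraction of a second, and the two accounts sharing a password are visible without cracking anything; the salted PBKDF2 records for the same password differ from each other and cannot be attacked with a single precomputed lookup.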
I checked my logs to see how long this had been exposed and noticed that since October 4th 2024 at least 13 IPs were linked to this data exposure, all from what looked like the same shared network.
Now that I knew at least who the data seemed to belong to I started looking for emails to contact.
Notifying OBEC
I looked online for a bit and found a couple of emails for OBEC, and since I’ve had positive experiences with ThaiCERT in the past, on October 9th I sent an email and also CC’d the CERT team so they could maybe help get the message to someone who could fix this. I got what I assume was an automated reply from ThaiCERT and just waited.
On October 21st the data was still exposed, so I sent another email, this time just to ThaiCERT (the two OBEC emails I tried never replied to me), asking if there was any update on this, since I could see everything was still exposed. I got the exact same reply I got to my first email, and I wasn’t sure what else I could do, so I just waited while I dealt with other issues.
Someone closed this?
At the end of the year I was going through my long list of pending cases and went to check if this was still exposed, and noticed that none of the IPs worked anymore.
I checked my logs to see when the last time was that any of the IPs was flagged as working, and from my logs it looks like this was fixed around December 24th 2024.
Final notes
I did not get any replies at all regarding this besides automated emails, so I can’t confirm whether my notification was what led to this being fixed.
I looked online to see if this was ever disclosed and did not find anything related to it, but it looks like OBEC had another incident in 2023, with over 3 million records of student data leaked, according to an article from Resecurity.
If you’re interested in more incidents I dealt with, you can check all my public finds indexed by country on the post below: