Home » Response to Reported Vulnerability in Instructor Access to Learner Data

Response to Reported Vulnerability in Instructor Access to Learner Data

Courserians, we are writing about a topic we take very seriously – user privacy. As some of you may have seen, Stanford instructor and security expert Jonathan Mayer, who teaches a course on Coursera, recently uncovered some security vulnerabilities in the Coursera website.

Before we go into any details, let us emphasize the most important points:


  • Critical Information Kept Private     – At no time were learner credit cards, personal information, or course performance data available to unauthorized personnel.
  • Limited Information Available to Instructors – Learner email addresses from all courses were potentially visible to instructors at our partner institutions who are teaching a Coursera-hosted course.

  • Risk of Third-Party Malware     – Individual learner enrollment information (specifically, a list of the courses a learner is taking) was potentially available if the learner went to a site running malware. Malware running on a separate site poses a security risk for most online services, and everyone should be careful when using an unfamiliar website.
  • No Evidence that Learner Data was Exposed – In our investigation, we have found no reason to believe that these vulnerabilities were abused.

  • Security Vulnerabilities are Now Resolved     – These security gaps have already been fully addressed. We took immediate action as soon as Dr. Mayer brought this to our attention.

    • Partner Trust and Learner Security

    The Coursera platform is built with our trusted partners in mind – instructors, administrators, and institutions who work closely with us to deliver online courses to learners around the world. Our approach has enabled everyone to work efficiently, experiment with innovative ways to teach, and create the best educational experience for Coursera learners.

    In developing Coursera, we have also worked diligently to protect learner data from external attackers on the internet. We have enlisted third-party security consultants to help us evaluate and improve the security of our systems against external attackers. However, given our partnership philosophy, we have focused less effort on deflecting malicious attacks that might be made by one of our trusted partners. This has left open some gaps, such as the one recently uncovered by Dr. Mayer. As we continuously improve our platform, we are actively developing systems to provide a better balance between enabling our partners to innovate freely, but also securely.

    We deeply apologize to our learners for any potential risk to their privacy. In our investigation, we have found no reason to believe that our learners’ personal information has been abused. Our team responded immediately to Dr. Mayer’s report, and has now closed off the vulnerabilities that were uncovered. We continue to monitor and improve our platform to provide the best and safest experience to all learners.

    Thank you, to all learners and to our valued partners, for the continued support and confidence in Coursera. We look forward to continuing to offer high quality education, free to everyone.

    Brennan Saeta
    Information Security Officer, Coursera Infrastructure Team

    Product News Articles

    Explore all Product News
    Explore all Product News