A US education non-profit appears to have unwittingly leaked the personal information of thousands of students after leaving two online MongoDB databases exposed.

The privacy snafu was discovered by noted researcher Bob Diachenko and affected the Institute of International Education (IIE), an organization set up to promote educational and cultural exchanges with other countries.

“Although the database itself did not contain documents, it did contain links with active access tokens to documents stored elsewhere,” explained Security Discovery. “Links to passport scans, application forms, visas, emails, and other documents were discovered.”

Also among the leaked data were medical forms, funding information, student dossiers, US arrival documents and tax forms.

As the links to the sensitive personal documents were contained in around three million log files, it’s hard to estimate the total number of affected students, but Diachenko claimed they run into the thousands “if not more.”

Two identical MongoDB databases hosted at different IP addresses were left unsecured in the same manner, allowing anyone scanning for exposed systems to open them and take a look inside.

If either database was accessed it could provide a treasure trove of sensitive information for use in follow-on fraud, according to Security Discovery.

“An identity thief couldn’t ask for a better payload. The alarming amount of personal and financial data would make it easy for a criminal to open up new accounts and lines of credit in victims’ names, for example,” it warned.

“College-aged students are prime targets for identity theft because they often have clean credit reports and decent credit scores. We strongly urge impacted students to check their credit reports regularly in the upcoming months. Tax fraud is another threat, so impacted students should be on the lookout for tax scams during the upcoming tax season.”

Although IIE secured the data on February 6, eight days after being alerted to the leak by Diachenko, it did not respond personally to any of his messages, or to provide any public comment to those affected.