Byju’s, India’s leading ed-tech startup, has exposed the data of some of it’s students publicly for a week before patching the server-side misconfiguration.
The exposed details include students’ names, phone numbers, email addresses and other PII. While Byju’s didn’t disclose how many students were impacted by this incident, Bob Diachenko, the security researcher who found this leak, estimated the leaked records to be between 1 and 2 million.
Byju’s Leaking Student Database
India’s leading tech startup, Byju’s has reportedly exposed some of it’s students’ PII this week due to a misconfigured server. This was initially spotted by Bob Diachenko, a security researcher, on August 15th via Shodan.
Talking to TechCrunch, Diachenko said the leak was due to a misconfigured Apache Kafka server by Byju’s to send and receive data in real-time. Anyone with the server’s IP addresses can read the records without a password, said the researcher.
Byju’s, an education technology giant and India’s most valuable startup, exposed data of its customers via misconfigured service instance. While there is no response from the company, personal data of students, incl. loan and payment details along with other info, is at risk. pic.twitter.com/we1WkrWarg
— Bob Diachenko 🇺🇦 (@MayhemDayOne) August 23, 2023
This was reported to Byju’s on August 22nd, leading to the company patching it immediately. Yet, the exposed details remained accessible for a week, leaking the students’ names, phone numbers, addresses and email IDs. The dump also contains student loan details like payouts, links to scanned documents and transactional information.
Though Byju’s fixed the server, it didn’t inform how many students were affected by this exposure, whether the company had notified students of this lapse or if it had the technical means to determine what data, if any, was accessed and by whom.
All these questions asked by TechCrunch gone unanswered but the company claimed that “no data or information was exposed or compromised” during the week-long exposure. Bob Diachenko, in his estimates, said the leaked data may contain anywhere between one to two million records.
This was the second cybersecurity incident concerning Byju’s, after the company’s subsidiary WhiteHat Jr. suffered a similar data breach in 2021, where it’s third-party service provider Salesken.ai, exposed students data.
Other Trending News:- News
