3 min read.Updated: 30 Sep 2020, 01:05 PM ISTSalman SH
The Bengaluru-based startup allegedly left a server exposed without any password protection putting personal data of its users at risk
Bengaluru: Online education startup Edureka has suffered a significant data leak that exposed sensitive personal information such as names, addresses, phone numbers of at least 2 million users, said a team of security experts from SafetyDetectives on Wednesday.
The Bengaluru-based startup allegedly left a server exposed without any password protection putting personal data of its users at risk. This meant that mere knowledge of the server’s IP address provided unfettered access to a part of the company’s database containing user names, email addresses, phone numbers, login activity records, on Amazon servers hosted in the US.
SafetyDetectives’ security research team led by Anurag Sen found more than 45 million breached records totaling to more than 25 gigabytes including email addresses, full names, and phone numbers, although some of these records could be duplicate records.
Edureka is an e-learning platform and online education marketplace co-founded in 2011 led by chief executive Lovleen Bhatia. It currently offers online education programs including higher education courses, masters and postgraduate courses from Indian universities, using a combination of live and recorded instructor-led programs to working professionals and experienced corporate leaders.
The SafetyDetectives team said it first discovered the Edureka vulnerability on 1 August, “while running routine IP address checks" on specific ports. The research team then attempted to contact Edureka on 6 August to notify and brief the company of its findings. After failing to receive a response, the SafetyDetectives team then reached out to the Indian Computer Emergency Response Team (CERT-In) on 13 August and the exposed Edureka server and data were secured soon after.
CERT-In is an office affiliated to the Ministry of Electronics and Information Technology which deals with cybersecurity threats and data breaches in India.
“Given that Edureka provides professional-grade online courses to people, often in significant or powerful positions and with access to highly-sensitive information, the company’s compromised server security could have been devastating to entire organizations such as universities, companies or government departments," said Sen, a lead security researcher in SafetyDetectives.
A spokesperson from Edureka confirmed the data breach on its servers but denied that sensitive personal information of its users was exposed due to to this. The edtech firm also added that it reminds users to change their passwords “from time to time".
“Our infrastructure is on AWS and we rely on their security insights too…Having said that, we are also doing an in-depth security audit to find and fix any other possible vulnerabilities," the Edureka spokesperson added.
Edureka’s data breach comes at a time when Indian tech firms and startups have found to be ignoring basic data protection and cybersecurity practices. Independent security researchers had earlier unearthed similar data breaches across consumer Internet firms such as online fashion and beauty retailer Nykaa, two-wheeler rental platform Bounce, furniture e-tailer Pepperfry, and search engine Justdial.
On 25 August, SafetyDetectives reported that sensitive data including names, credit and debit card details belonging to 700,000 RailYatri users were breached due to similar server vulnerability. RailYatri, however, denied that financial information was breached. RailYatri is a train ticketing platform headquartered in New Delhi.
Similarly, in August last year CashKaro, a cashback platform was found to have left its server exposed, leading to a data breach of around 3.5 million users. SafetyDetectives had reported the breach last year but CashKaro had also denied that there was a data breach.
Sen said that the liability of securing servers that maintain sensitive databases lies with the company, and not just the server host. In the case of Edureka’s data breach, the server location was in the US, and was hosted by Amazon Web Services.
“It is a simple configuration mistake. The server should have been set as private and instead, they (Edureka) made it public, accessible to anyone with the URL. The liability lies 100% on Edureka who didn’t set up the server properly. For example, if you install a safe at home and leave it wide open without password or key protection, with your money in it – it’s not the shop who sold you the safe who’s responsible in case of robbery, you are," Sen said in an email response.