Edureka e-learning platform caught exposing data of 20 lakh students
What's the story
Amid growing cases of cyber-attacks and data breaches, Edureka, a renowned Bengaluru-based online learning platform, has been caught exposing personal user information.
The start-up leaked the data of two million (20 lakh) users through an unprotected Elasticsearch server, leaving it open to access by anyone who knew where to look on the internet.
Here's what went down.
Discovery
Unsecured server spotted during routine check
During recent IP-address checks on specific ports, the team at SafetyDetectives found the Elasticsearch server in question.
They found that the server had no password protection or security wall of any kind, and all the information on it was publicly accessible.
"Mere knowledge of the server's IP address provided access to the entirety of this particular database," the team said.
Leak
Records of two million users on the database
On the unprotected server, the team found a 25GB database with as many as 45 million records.
Some of the records were duplicated, but the researchers estimate that they contained information on at least two million users.
Most of the users whose information was leaked were from India, with a select few cases from other countries, including the United States.
Information
Numbers, emails, addresses leaked
The database exposed a wide variety of information pertaining to these two million users, including their names, email addresses, phone numbers, countries, and login activity records.
It also detailed which courses/information the users had accessed, something a threat actor could easily use for a phishing attack or sell to other course providers in the market.
Action
Action taken two weeks after discovery
SafetyDetectives discovered the database on August 1 and tried notifying Edureka directly about the issue.
However, when the company did not issue a response, they alerted the Indian Computer Emergency Response Team (CERT-In) about the problem.
Shortly after that, by August 13-14, the unprotected database was secured, with user information no longer being exposed to the public.
Response
Now, Edureka has confirmed the leak
Following the report, Edureka confirmed the leak but said its users' information was not accessed by any malicious actor.
"Our infrastructure is on AWS, and we rely on their security insights too. Having said that, we are also doing an in-depth security audit to find and fix any other possible vulnerabilities," the company's spokesperson said in a statement.