Edtech Startup Edureka’s Database Breached, Sensitive User Information Exposed
Edtech startup Edureka has suffered a significant data leak that exposed the sensitive personal information of its users.
According to security researchers at SafetyDetectives, information such as the names, addresses and phone numbers of at least 2 million users was exposed.
The SafetyDetectives team said it first discovered the security issues on Edureka servers on 1 August, ‘while running routine IP address checks’ on specific ports. On August 6, the team attempted to contact Edureka to notify the company about the security issues. After failing to receive a response, the SafetyDetectives team reached out to the Indian Computer Emergency Response Team (CERT-In) on 13 August. The exposed Edureka server and data were subsequently secured.
Commenting on the issue, an Edureka spokesperson said:
“Our infrastructure is on AWS, and we rely on their security insights too…Having said that, we are also doing an in-depth security audit to find and fix any other possible vulnerabilities.”
Anurag Sen, a lead security researcher at SafetyDetectives, said that the liability for securing servers that maintain sensitive databases lies with the company and not just the server host.
“It is a simple configuration mistake. The server should have been set as private and instead, they (Edureka) made it public, accessible to anyone with the URL. The liability lies 100% on Edureka who didn’t set up the server properly. For example, if you install a safe at home and leave it wide open without password or key protection, with your money in it – it’s not the shop who sold you the safe who’s responsible in case of robbery, you are.”