
Byju's Data Breach: Indian Tech Startup Student Data Exposed

June 30, 2021

Data Breach Exposes Sensitive Information of Byju’s Customers

Salesken.ai, a technology startup located in India, experienced a security incident involving an unprotected server. This server inadvertently revealed private and confidential data belonging to one of its clients, Byju’s, a prominent education technology company and India’s highest-valued startup.

Server Vulnerability and Discovery

According to data from Shodan, a search engine specializing in identifying exposed devices and databases, the server had been exposed since at least June 14th. The absence of password protection allowed unrestricted access to the data it contained. Security researcher Anurag Sen discovered the exposed server and subsequently contacted TechCrunch for assistance in notifying the company.

The server was taken offline shortly after Salesken.ai was contacted by TechCrunch on Tuesday.

Salesken.ai and Byju’s Relationship

Salesken.ai offers customer relationship technology designed to enhance customer engagement for businesses such as Byju’s. Founded in 2018, the Bengaluru-based startup secured $8 million in Series A funding from Sequoia Capital India in 2020.

Data Related to WhiteHat Jr.

A significant portion of the exposed data concerned WhiteHat Jr., an online coding academy catering to students in India and the United States. Byju’s acquired WhiteHat Jr. in 2020 for $300 million. Currently, Byju’s boasts a valuation exceeding $16 billion, following a $1.5 billion funding round earlier this year.

Types of Compromised Data

The server contained student names and the courses they were enrolled in. Furthermore, it held contact information, including email addresses and phone numbers, for both parents and teachers.

Additional student-related data was present, encompassing chat logs between parents – identified by their phone numbers – and WhiteHat Jr. staff. Teacher comments regarding student performance were also recorded on the server.

Copies of emails containing user account reset codes, alongside other internal data belonging to Salesken.ai, were also found.

Salesken.ai’s Response

Surga Thilakan, co-founder and CEO of Salesken.ai, acknowledged the security incident to TechCrunch, stating the company was “evaluating” the situation. He did not, however, dispute the nature of the data discovered on the exposed server.

“Our assessment indicates the exposed device was a non-production, staging instance of one of our integration services, with access to less than 1% of end-of-life sales logs for India-based customers over a two-week period,” Thilakan explained. “Salesken.ai adheres to strict data security standards and is certified under the highest global security and safety benchmarks. As a precautionary measure, we have immediately terminated access to the cloud device.”

Unanswered Questions

Thilakan did not respond to a subsequent inquiry from TechCrunch regarding the presence of real user data on a server the company designates as “non-production” and “staging.” The company also refrained from confirming whether logs exist, or if there is any evidence to determine if the data was accessed or downloaded during the security breach.

Byju’s Statement

Sameer Bajaj, a spokesperson for WhiteHat Jr., stated that the company is “currently communicating with Salesken.ai regarding the incident and will take appropriate action in line with our stringent security policies.”
