‘Byju’ User Details Leaked Online Due to Server Misconfiguration

  • Byju user data was exposed online for two whole weeks due to a vendor’s misconfiguration.
  • The data contained in the instance includes names, email addresses, phone numbers, and more.
  • The owner of the server claims that it was a non-production instance affecting a small subset of users.

Salesken.ai failed to properly secure one of its servers, exposing the details of users of one of its customers, Byju, in a way that cannot be undone. The platform is one of India’s largest and most valuable online education portals, offering students of all ages access to educational videos that cover a wide range of topics. Byju reports having 4 crores (40 million) users in total and 30 lakh (3 million) paying subscribers, so the exposure is serious and far-reaching.

The unprotected server was discovered by security researcher Anurag Sen, who found the instance on June 14, 2021. The researcher reached out to TechCrunch for help in reporting the problem to the firm, and after some back-and-forth communication, the server was eventually pulled offline yesterday. The total time of exposure was therefore roughly two weeks, which is more than enough for malicious actors to have found it, accessed it, and copied the data.

The details that have been exposed now include the following:

  • Full names
  • Classes taken
  • Email addresses
  • Phone numbers
  • Chat logs
  • Staff comments
  • Copies of emails containing codes for password reset tokens
  • Various internal Salesken.ai data

Upon realizing that the story was about to go public, the co-founder of Salesken.ai shared the following statement:

Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India-based end-of-life sales logs for a fortnight. Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device.

That “immediately”, though, translated to roughly two weeks. Moreover, keeping real user data on a non-production instance has no plausible explanation other than poor security practices and disregard for people’s data privacy.

If you have an account on Byju, you should treat your personal details as compromised out of an abundance of caution. Be alert to scam and phishing attempts by email, SMS, or phone call, and reset your password on the platform as soon as possible.
