Indian tech startup exposed Byju’s student data – TechCrunch

India-based tech startup has secured an exposed server that has spilled private and sensitive data on one of its customers, Byju’s, an education technology giant and India’s most valuable startup.

According to historical data from Shodan, a search engine for exposed devices and databases, the server has been unprotected since at least June 14th. Since the server did not have a password, anyone could access the data it contained. Security researcher Anurag Sen found the exposed server and asked TechCrunch for help in reporting it to the company.

The server went offline a short time after we contacted on Tuesday. offers companies like Byjus customer relationship technology to better connect with customers. The Bengaluru-based startup raised $ 8 million in Series A funding from Sequoia Capital India in 2020, two years after the company was founded.

Much of the data contained on the exposed server was related to WhiteHat Jr., an online coding school for high school students in India and the United States, which Byju purchased for $ 300 million in 2020. Byjus is currently valued at more than $ 16 billion after raising $ 1.5 billion earlier this year.

The server contained the names and classes assigned by the students, as well as the email addresses and phone numbers of parents and teachers. The server also contained other student data, such as: B. Chat logs between parents – identified by their phone number – and WhiteHat Jr. staff, as well as comments recorded by teachers on their students.

The server also contained copies of emails with user account reset codes and other internal data.

Surga Thilakan, co-founder and managing director of, told TechCrunch that the startup was “evaluating” the security incident, but did not deny what kind of data was found on the exposed server.

“Our assessment suggests that the exposed device appears to be a non-production staging instance of one of our integration services that has 14-day access to less than 1% of India-based end-of-life sales logs,” Thilakan said . “ follows strict data security standards and is certified according to the highest global security standards. We took great care to immediately disconnect access to the cloud device. “

Thilakan didn’t respond to a follow-up email from TechCrunch asking why real user data was being stored on what the company said was a “non-production staging” server. Nor would the company say whether they have logs or evidence to determine if any data was accessed or downloaded because of the vulnerability.

WhiteHat Jr. spokesman Sameer Bajaj said the company “is currently communicating with about the incident and will take appropriate action in accordance with our strict security guidelines.”

Leave a Comment