[BreachExchange] Edureka's database breached, 2 million user records potentially at risk

Destry Winant destry at riskbasedsecurity.com
Thu Oct 1 10:46:42 EDT 2020


https://www.livemint.com/companies/start-ups/edureka-s-database-breached-2-million-user-records-potentially-at-risk-11601450797202.html

The Bengaluru-based startup allegedly left a server exposed without
any password protection putting personal data of its users at risk

Bengaluru: Online education startup Edureka has suffered a significant
data leak that exposed sensitive personal information such as names,
addresses, phone numbers of at least 2 million users, said a team of
security experts from SafetyDetectives on Wednesday.

The Bengaluru-based startup allegedly left a server exposed without
any password protection putting personal data of its users at risk.
This meant that mere knowledge of the server’s IP address provided
unfettered access to a part of the company’s database containing user
names, email addresses, phone numbers, login activity records, on
Amazon servers hosted in the US.

SafetyDetectives’ security research team, led by Anurag Sen, found more
than 45 million breached records totaling more than 25 gigabytes,
including email addresses, full names, and phone numbers, although
some of these records could be duplicates.

Edureka is an e-learning platform and online education marketplace
co-founded in 2011 and led by chief executive Lovleen Bhatia. It currently
offers online education programs, including higher education courses and
masters and postgraduate courses from Indian universities, using a
combination of live and recorded instructor-led programs aimed at working
professionals and experienced corporate leaders.

The SafetyDetectives team said it first discovered the Edureka
vulnerability on 1 August, “while running routine IP address checks”
on specific ports. The research team then attempted to contact Edureka
on 6 August to notify and brief the company of its findings. After
failing to receive a response, the SafetyDetectives team then reached
out to the Indian Computer Emergency Response Team (CERT-In) on 13
August and the exposed Edureka server and data were secured soon
after.

CERT-In is an office affiliated with the Ministry of Electronics and
Information Technology that deals with cybersecurity threats and data
breaches in India.

“Given that Edureka provides professional-grade online courses to
people, often in significant or powerful positions and with access to
highly-sensitive information, the company’s compromised server
security could have been devastating to entire organizations such as
universities, companies or government departments,” said Sen, a lead
security researcher at SafetyDetectives.

A spokesperson from Edureka confirmed the data breach on its servers
but denied that sensitive personal information of its users was
exposed as a result. The edtech firm also added that it reminds
users to change their passwords “from time to time”.

“Our infrastructure is on AWS and we rely on their security insights
too…Having said that, we are also doing an in-depth security audit to
find and fix any other possible vulnerabilities,” the Edureka
spokesperson added.

Edureka’s data breach comes at a time when Indian tech firms and
startups have been found to be ignoring basic data protection and
cybersecurity practices. Independent security researchers had earlier
unearthed similar data breaches across consumer Internet firms such as
online fashion and beauty retailer Nykaa, two-wheeler rental platform
Bounce, furniture e-tailer Pepperfry, and search engine Justdial.

On 25 August, SafetyDetectives reported that sensitive data, including
names and credit and debit card details, belonging to 700,000 RailYatri
users was breached due to a similar server vulnerability. RailYatri,
however, denied that financial information was breached. RailYatri is
a train ticketing platform headquartered in New Delhi.

Similarly, in August last year CashKaro, a cashback platform, was found
to have left its server exposed, leading to a data breach affecting around
3.5 million users. SafetyDetectives had reported the breach last year,
but CashKaro had also denied that there was a data breach.

Sen said that the liability of securing servers that maintain
sensitive databases lies with the company, and not just the server
host. In the case of Edureka’s data breach, the server location was in
the US, and was hosted by Amazon Web Services.

“It is a simple configuration mistake. The server should have been set
as private and instead, they (Edureka) made it public, accessible to
anyone with the URL. The liability lies 100% on Edureka, who didn’t set
up the server properly. For example, if you install a safe at home and
leave it wide open without password or key protection, with your money
in it – it’s not the shop who sold you the safe who’s responsible in
case of robbery, you are,” Sen said in an email response.
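The misconfiguration Sen describes, a data-store server that should have been private but was reachable by anyone who knew its address, is the kind of thing a periodic audit of network rules catches before a researcher does. The following is an added example (not code from the article, Edureka, or SafetyDetectives) that walks security-group rules in the JSON shape returned by boto3's `ec2.describe_security_groups()` and flags any rule that opens a common data-store port to the whole internet. It assumes the exposure was a world-open ingress rule; the article does not say which AWS control or which database product was involved, and the port list and sample groups below are constructed for illustration.

```python
# Audit AWS security-group rules for data-store ports open to the internet.
# Added example, not from the article. Assumes the exposure was an ingress
# rule permitting 0.0.0.0/0 (the article does not say). Input follows the
# JSON shape of boto3's ec2.describe_security_groups(); sample data is
# constructed, not real.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Ports commonly used by databases and search indexes; none of these should
# face the public internet. Illustrative list, extend to match your estate.
DATASTORE_PORTS = {
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    9200: "Elasticsearch HTTP",
    9300: "Elasticsearch transport",
}


def rule_is_world_open(perm):
    """True if an IpPermissions entry allows any IPv4 or IPv6 address."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def covered_datastore_ports(perm):
    """Data-store ports reached by one rule ('-1' means all protocols/ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(DATASTORE_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in DATASTORE_PORTS if lo <= p <= hi}


def find_exposed_datastores(security_groups):
    """Return (group_id, port, service) for every world-open data-store port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port in sorted(covered_datastore_ports(perm)):
                findings.append((sg["GroupId"], port, DATASTORE_PORTS[port]))
    return findings


def corrected_rule(perm, trusted_cidr):
    """The same rule restricted to one trusted CIDR (e.g. the app subnet)."""
    fixed = dict(perm)
    fixed["IpRanges"] = [{"CidrIp": trusted_cidr}]
    fixed["Ipv6Ranges"] = []
    return fixed


# Constructed sample: a normal web group, a database group mistakenly made
# public (the Edureka-style mistake), a correctly private database group,
# and a group that allows all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db-public-mistake", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, port, service in find_exposed_datastores(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} ({service}) open to the internet")
```

Against live data you would replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups()` in each region. Note that network exposure is only half of the failure the article describes; a server that also accepts connections without authentication should be caught separately, for instance by checking that the data store's own auth setting is enabled in its configuration or through the provider's audit tooling.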
