An unsecured server at Salesken.ai had put student data from popular learning e-portal Byju's at risk. The server had been unprotected since at least June 14, according to a report by TechCrunch.
Data found on the server contained student names and classes along with email addresses and phone numbers of parents and teachers. It also contained chat logs between parents and staff and teachers' comments on their students. Copies of emails with codes to reset user accounts and internal Salesken.ai data were also found on the server.
The flaw was detected by security researcher Anurag Sen, who had asked the publication to help report it to the company. The server was then pulled offline.
Commenting on the incident, a WhiteHat Jr spokesperson said: “Salesken.ai, one of WhiteHat Jr’s vendors for India operations, has experienced a potential security incident. We are currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies.”
Speaking with TechCrunch, Surga Thilakan, co-founder of Salesken.ai, said, “Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight.”
“Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device,” he added.
A follow-up mail from TechCrunch asking him why real user data was found on a staging server was not answered. The company has yet to reveal if any logs or data were downloaded because of the lapse.