Bengaluru-based e-learning platform Edureka was notified by SafetyDetectives of a data breach exposing the personal information of more than 2 million users.
The cybersecurity firm said a majority of people affected by the breach is based in India. It’s also disclosed that the leaked data was caused by the unprotected Elasticsearch server, a free pass for anyone to access the database of the online platform.
Edureka only found out about the breach two weeks after the incident, exposing users’ email addresses, contact information, and addresses. Without the tip, the company wouldn’t found out about the incident as they’ve only conducted a routine check.
SafetyDetectives received no response from the e-learning platform, so they’ve directed the concern to the Indian Computer Emergency Response Team (CERT-In). Since the discovery on Aug. 1, the database was only secured two weeks after the breach.
Following the report from the CERT-In, Edureka has finally confirmed the incident and said no data was accessed by a malicious actor.
“Our infrastructure is on AWS, and we rely on their security insights too. Having said that, we are also doing an in-depth security audit to find and fix any other possible vulnerabilities,” said Edureka spokesperson.
Information Accessed Publicly
SafetyDetective claims the Elasticsearch server had no protection or password, leaving the user information bare for the public to access. The team from the cybersecurity company said their IP-address checks on specific ports led to the discovery of the unprotected security wall.
According to the team, any mere knowledge of the server’s IP address provides free access to the entirety of the database containing the personal information of users. This particular database is 25GB in size, with as many as 45 million records.
Some of the records are duplicated, but the researchers estimate the database has over two million users. Information was leaked from India, with only a small fraction of cases from other countries like the United States.
In addition to personal names, addresses, email addresses, and contact information, login activity records, and course information are also exposed by the breach. A threat actor can easily use a phishing attack to access everything and sell on the black market.
The Ministry of Electronics and Information Technology said data breach incidents greatly increased in 2020, with almost 7lakh cyber attacks in the whole country. Private entities are not only victims of breach and phishing but also the Indian government itself.