Data breach at e-learning platform Edureka

A data breach has occurred at Bengaluru-based e-learning platform Edureka, impacting up to 2 million users, when its server was left publicly exposed without password protection, according to security research firm SafetyDetectives. On its part, the company said no sensitive personal information was exposed.

Almost all of the affected are based in India. The impact of this data breach on users could be severely compromising, both personally and professionally, the security firm, which posted the report today on its website, said.

“Our security team found more than 45 million records totalling 27 GB, including email addresses, full names and phone numbers, although, some records were duplicated,” it said.

Other potentially important information that was made publicly available includes details of login activity, including which courses or information users had accessed previously.

Login activity information could be used as part of more elaborate scams or deceitful practices such as selling of personal information to commercial third parties. For example, by knowing which courses or topics are most important to the user, malicious hackers could lure the user into a financial scam or sell the user’s contact details to other course providers, the security firm warned.

“Server logs did not indicate the precise number of users affected by the server vulnerability. However, according to our security team, the database contained about 2 million user records, although several entries were duplicated,” it said.

Users’ contact details could be harnessed to conduct a wide variety of scams while personal information from the leak could be used to encourage click-throughs and malware downloads. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger magnitude intrusion in the future.

When contacted, Edureka Co-founder and CEO Lovleen Bhatia, said: “We would like to inform you that we have stringent security policies in place and conduct regular security audits. Our infrastructure is on AWS and we rely on their security insights too. As per our initial investigation, no sensitive personal information of our users has been exposed”.

“Edureka is committed to privacy and protection of users' personal information and we ask our users to change their password from time to time from this perspective. Please note that we have adopted reasonable security practices and procedures designed to protect sensitive personal information from unauthorised access,” he added.

The SafetyDetectives team first discovered the Edureka vulnerability on August 1, while running routine IP address checks on specific ports. In line with its security protocols, SafetyDetectives attempted to contact Edureka on August 6, and brief the company of its findings. Failing to receive a response, the SafetyDetectives team reached out to the Indian Computer Emergency Response Team (CERT-In) on August 13, 2020, and the exposed Edureka server and data were secured soon after.