Byju’s, the edtech giant, has fixed a server-side misconfiguration that was exposing the sensitive data of its students.
Byju has exposed some students’ names, phone numbers, addresses, and email IDs. The exposed data also included loan details such as payouts, links to scanned documents, and transactional information related to some students.
Security researcher Bob Diachenko found the exposure due to a misconfigured Apache Kafka server used by Byju’s to send and receive data in real-time. Diachenko explained that there were several IP addresses with the misconfigured server, which enabled anyone to access the queue to read the records without a password.
As per the shodan, the data was first found to be exposed on August 15. The exact number of students whose data was exposed is unclear, Diachenko said one to two million records were accessible due to the issue.
The issue to Byju’s directly on August 22. Byju’s confirmed it had fixed the security lapse but claimed “no data or information was exposed or compromised” during the week that the servers were exposed.
Byju’s did not confirm the exact number of students affected and did not respond to a question regarding whether the company had notified students of the lapse. Byju’s also would not say if it had the technical means to determine what data, if any, was accessed, and by whom.
In June 2021, a server-side issue affecting Byju’s third-party service provider Salesken.ai exposed student data, including the personal details about what classes students were taking through the startup’s online coding platform WhiteHatJr. Salesken.ai pulled the server offline shortly after TechCrunch reached out to the startup.
Unlike the previous exposure due to the misconfiguration in a Salesken.ai server, the latest issue specifically affects Byju’s infrastructure.