Vulnerability exposed more than 25 GB of Edureka user data, containing more than 45 million records including email addresses, full names and phone numbers
A team of security experts at SafetyDetectives announced the discovery of a massive data breach at Indian e-learning platform Edureka, impacting up to 2 million users, with almost all affected based in India.
The full report, which describes the data leak and includes samples of images leaked online, has been published on the SafetyDetectives site at https://www.safetydetectives.com/blog/edureka-leak-report/
“Multiple instances of personal information being leaked together severely undermine affected users because it gives malicious hackers the source material they need to launch socially-engineered attacks, conduct a variety of scams, encourage dubious user click-throughs, malware downloads and to build up rapport and trust, with a view of carrying out a larger magnitude intrusion in the future,” said Anurag Sen, Lead Researcher at SafetyDetectives. “Given that Edureka provides professional-grade online courses to people, often in significant or powerful positions and with access to highly-sensitive information, the company’s compromised server security could have been devastating to entire organizations such as universities, companies or government departments,” he added.
Edureka, a premier e-learning platform and online education marketplace co-founded in 2011 by Lovleen Bhatia, offers online education programs, including higher education, master's and postgraduate courses from Indian universities, to working professionals seeking digitally powered skills enhancement, using a combination of live and recorded instructor-led programs.
Led by Anurag Sen, the SafetyDetectives security research team discovered a massive amount of highly sensitive personal information, belonging to up to 2 million Edureka users, publicly exposed and without password protection. This meant that anyone who knew the server’s IP address could access the entire database, which sat on Amazon servers hosted in the US and contained user names, email addresses, phone numbers, login activity records, and miscellaneous auth token information.
The SafetyDetectives team first discovered the Edureka vulnerability on 1 August 2020 while running routine IP address checks on specific ports. In line with its security protocols, SafetyDetectives attempted to contact Edureka on 6 August 2020 to notify the company and brief it on the findings. Having received no response, the SafetyDetectives team reached out to the Indian Computer Emergency Response Team (CERT-In) on 13 August 2020, and the exposed Edureka server and data were secured soon after.
This breach could have been easily avoided if Edureka had been more proactive in implementing offensive security testing best practices on its platforms.