Byju's, the edtech giant and India's most valuable startup, has fixed a server-side misconfiguration that was exposing sensitive data of its students.
The Indian startup exposed some students' names, phone numbers, addresses and email IDs. The exposed data also included loan details such as payouts, links to scanned documents and transactional information related to some students.
Security researcher Bob Diachenko found the exposure, which was caused by a misconfigured Apache Kafka server that Byju's used to send and receive data in real time. Diachenko told TechCrunch that the misconfigured server was reachable at several IP addresses and that it let anyone connect to the queue and read the records without a password.
"Anyone could have connected to the queue and read or download the messages," the researcher told TechCrunch.
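The lapse described above is a Kafka broker that accepts unauthenticated connections. The following script is an added illustration, not code from the article, from Byju's or from the researcher: it parses a broker's `server.properties` and flags the settings that permit anonymous reads (a PLAINTEXT listener, a TLS listener that does not require client certificates, no authorizer, or `allow.everyone.if.no.acl.found=true`). The two sample configurations are constructed, and the hostnames and file paths in them are placeholders.

```python
"""Audit a Kafka broker's server.properties for settings that let unauthenticated
clients read or write topics.  Added example; the configs below are constructed."""

# Constructed example of a broker that accepts anonymous plaintext connections.
WEAK_CONFIG = """\
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://203.0.113.10:9092
log.dirs=/var/lib/kafka
"""

# Constructed example of the same broker with TLS, SASL authentication and ACLs.
HARDENED_CONFIG = """\
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.internal.example:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
log.dirs=/var/lib/kafka
"""


def parse_properties(text):
    """Minimal parser for the Java .properties subset Kafka uses (key=value, # or ! comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # ignore malformed lines rather than guess at them
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props):
    """Map each configured listener to its security protocol.

    Kafka resolves a listener name through listener.security.protocol.map; when the
    name is absent from the map, the name itself is the protocol.  If `listeners`
    is unset the broker defaults to PLAINTEXT://:9092, so that case is flagged too.
    """
    proto_map = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = entry.partition(":")
        if sep:
            proto_map[name.strip().upper()] = proto.strip().upper()
    result = {}
    for listener in props.get("listeners", "PLAINTEXT://:9092").split(","):
        listener = listener.strip()
        if not listener:
            continue
        name = listener.split("://", 1)[0].upper()
        result[listener] = proto_map.get(name, name)
    return result


def audit(props):
    """Return a list of human-readable findings; an empty list means no anonymous-access gap."""
    findings = []
    for listener, proto in listener_protocols(props).items():
        if proto == "PLAINTEXT":
            findings.append(f"listener {listener} has no authentication or encryption")
        elif proto == "SSL" and props.get("ssl.client.auth", "none").lower() != "required":
            findings.append(f"listener {listener} encrypts but does not authenticate clients")
    if "authorizer.class.name" not in props:
        findings.append("no authorizer configured: every connecting client can read every topic")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are readable by anyone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_properties(cfg)) or ["no findings"])
```

Run against a real broker's `server.properties`, the script only reads the file; the point is that a broker with a PLAINTEXT listener and no authorizer has neither an authentication nor an authorization step between the network and the topic data, which is the condition the researcher describes.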
The data was first found to be exposed on August 15, according to Shodan, a search engine for exposed devices and databases.
While the exact number of students whose data was exposed is unclear, Diachenko said one to two million records were accessible due to the issue.
Diachenko reported the issue to Byju's directly on August 22. The misconfiguration was fixed soon after the researcher posted details of it the following day on X, the platform formerly known as Twitter.
Byju's confirmed to TechCrunch it had fixed the security lapse but claimed "no data or information was exposed or compromised" during the week that the servers were exposed.
"There was a temporary exposure of a small fraction of our systems for a very short duration," said Anil Goel, Byju's chief technology officer, in a prepared statement. "Our technical team has promptly resolved this issue as soon as it came to our notice. We would like to reiterate that all our systems have been built around safeguarding the privacy and security of our data."
Byju's did not confirm the exact number of students affected and did not respond to a question regarding whether the company had notified students of the lapse. Byju's also would not say if it had the technical means to determine what data, if any, was accessed, and by whom.
TechCrunch informed India's computer emergency response team, CERT-In, about the incident after receiving details from the researcher.
In June 2021, a server-side issue affecting Byju's third-party service provider Salesken.ai exposed student data, including personal details such as which classes students were taking through the startup's online coding platform WhiteHatJr. Salesken.ai pulled the server offline shortly after TechCrunch reached out to the startup.
Unlike the previous exposure due to the misconfiguration in a Salesken.ai server, the latest issue specifically affects Byju's infrastructure.
The data exposure added to the woes of Byju's, a Bengaluru-based startup valued at $22 billion, which is currently grappling with multiple challenges.
The startup's three key investors — Peak XV Partners (formerly Sequoia Capital India & SEA), Prosus and Chan Zuckerberg Initiative — quit its board in June, a year after it attracted global scrutiny for delaying its financial reporting. Prosus, one of the largest investors in Byju's, said on its exit from the board that the company's reporting and governance structures "did not evolve sufficiently for a company of that scale." The investment firm also cut its valuation of the edtech startup to $5.1 billion in June, down from the $6 billion at which it had valued the company until November.
Earlier this year, Deloitte also made an early exit as Byju's auditor, citing the company's long delays in producing its financial statements.
Moreover, Byju's offices were searched by India's anti-money laundering agency, the company reportedly faces a probe by the country's corporate affairs ministry, and it is in a dispute with its lenders over a $1.2 billion term loan — all while it was looking to raise more capital after a $250 million round in May.