A prominent Indian e-learning platform was discovered to be operating a completely unsecured Elasticsearch server based in the US. The vulnerability meant that more than 25 gigabytes of personal information belonging to around 2 million Edureka users was publicly available until the server was secured.
Our security team, led by Anurag Sen, discovered the Elasticsearch server vulnerability during routine IP-address checks on specific ports. Edureka’s server was left publicly exposed without password protection, which meant that mere knowledge of the server’s IP address provided access to the entirety of this particular database.
Our team first discovered the vulnerability, along with its significant security flaws, on 1 August 2020. In line with our security protocols, SafetyDetectives attempted to contact Edureka on 6 August 2020 to notify and brief the company of our findings. Failing to receive a response, our security team informed the Indian Computer Emergency Response Team (CERT-In) of Edureka’s data leak on 13 August 2020, with the server secured soon after.
Almost all affected users are based in India, although some instances of other nationalities were recorded including users in the US.
Who is Edureka?
Edureka is an e-learning platform providing a wide range of online education solutions, including higher education courses, masters and postgraduate programs from Indian universities.
Led by founder and current CEO Lovleen Bhatia, the company describes itself as an “online education marketplace” and offers a combination of live and recorded instructor-led courses, catering to working professionals seeking digitally powered skills enhancement.
Founded in 2011 and headquartered in Bangalore, India, the company is privately owned and operated by parent company Brain4ce Education Ltd. In its mission statement, Edureka claims to be the region’s fastest growing e-learning platform and aspires to “become the largest online learning ecosystem for continuing education, in partnership with corporates and academia”.
What was leaked?
Below is a list of the information discovered on Edureka’s unsecured server:
- First names
- Email addresses
- Phone numbers
- Country of residence (implied from phone number info)
- Login activity records
- Miscellaneous Auth token information
Other potentially important information was also made publicly available, including details of login activity such as which courses/information users had accessed previously.
Login activity information could be used as part of more elaborate scams or deceitful practices such as selling of personal information to commercial third parties. For example, by knowing which courses/topics are most important to the user, malicious hackers could lure the user with a financial scam or sell the user’s contact details to other course providers.
Our security team found more than 45 million records totaling more than 25 gigabytes, including email addresses, full names and phone numbers, although some records were duplicated.
Server logs did not indicate the precise number of users affected by the server vulnerability. However, according to our security team, the database contained approximately 2 million user records although several entries were duplicated.
As a contrasting indicator, Edureka’s YouTube channel has 1.98 million subscribers, which suggests a high level of popularity for the company’s content, and, therefore, a large subscriber base that provided personal information to the company, either as free demonstration or paid users.
| Item | Details |
|---|---|
| Number of leaked records | 45 million |
| Number of affected users | up to 2 million |
| Size of breach | 27 gigabytes |
| Server location | United States, hosted by Amazon.com |
| Company location | Bangalore, India |
Data Breach Impact
The impact of this data breach on users could be severely compromising, both personally and professionally.
The leaking of multiple pieces of personal information together – which in Edureka’s case meant details like names, email addresses and phone numbers – severely undermines affected users because it gives malicious hackers the source material they need to launch socially engineered attacks that are customized to the target.
Users’ contact details could be harnessed to conduct a wide variety of scams, while personal information from the leak could be used to encourage click-throughs and malware downloads. Personal information is also used by hackers to build up rapport and trust, with a view to carrying out a larger-magnitude intrusion in the future.
Given the fact that Edureka provides professional-grade online courses to people often operating in significant or powerful positions in society, with access to highly-sensitive information, Edureka’s compromised server security could have been devastating to entire organizations such as other universities, companies or government departments.
Preventing Data Exposure
How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?
- Be cautious of what information you give out and to whom
- Check that the website you are on is secure (look for https and/or a closed lock in the address bar)
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
- Create secure passwords by combining letters, numbers, and symbols
- Do not click links in emails unless you are sure that the sender is legitimate
- Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
- Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware
SafetyDetectives is the world’s largest antivirus review website.
The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data.
Previous cybersecurity reports compiled by SafetyDetectives include:
- India’s most popular travel booking site RailYatri was exposed without adequate security measures leading to a catastrophic loss of private user information.
- Prominent cosmetics brand Avon suffered a significant data breach with over 7GB of data leaked in June 2020.
- Cashback brands Pouringpounds.com and Cashkaro.com unwittingly made over 2 terabytes of information relating to their active users available to the public in October 2019.