Edureka is one of the known online education startups based in India, and its server is based in the US. According to a report by SafetyDetective, the largest antivirus review website, its security team discovered a completely unsecured Elasticsearch server belonging to the e-learning platform. The team, led by Anurag Sen, found this vulnerability while running routine IP-address checks on specific ports and found that over 25GB of personal data was publicly available. The exact number is not certain, but the data covered around 2 million Edureka users and included first name, email address, phone number, country of residence, login activity records, and miscellaneous auth token information.
The SafetyDetective team spotted this vulnerability on 1st August and reached out to the Edureka team on 6th August to notify them. In addition to this vulnerability, there were also some significant security flaws. As the platform didn't respond, SafetyDetective contacted the Indian Computer Emergency Response Team (CERT-In) on 13th August.
The login activity details in the exposed data can be used in scams or even handed over to commercial third parties. Data on 2 million users is not a small amount. Apart from these, the contact details (phone numbers and email addresses) can also be used in various kinds of fraud.