[Update] Sensitive Data Of Whitehat Jr Users Exposed Online

[Update] Sensitive Data Of Whitehat Jr Users Exposed Online

SUMMARY

Salesken.ai which provides CRM tools to Whitehat Jr. exposed personal sensitive data belonging to students, teachers, and parents 

Details such as  names and classes taken by students and email addresses and phone numbers of parents and teachers were left exposed in public

The server was, however, taken offline shortly after a cybersecurity researcher appraised Salesken.ai, BYJUs and Whitehat Jr about the data leak

Personal and sensitive data belonging to edtech unicorn BYJU’S subsidiary company Whitehat Jr were left exposed due to an unsecured database.

The server which is owned and maintained by customer relationship management (CRM) platform Salesken.ai was left exposed since June 14. Bengaluru-based Salesken.ai provides CRM management tools to Whitehat Jr. Salesken.ai is backed by prominent VCs such as Sequoia India, Unitus Ventures and Michael and Susan Dell Foundation. 

Details about the unsecured database were visible on Shodan.com which maintains a database of unsecured servers. Since the Salseken.ai server was left exposed without a password, details such as names and classes taken by students and email addresses and phone numbers of parents and teachers were left exposed in public, according to TechCrunch

The unsecured server also exposed other personal and sensitive data such as chat logs between parents and WhiteHat Jr. staff, phone numbers of parents, and feedback commentary written by teachers about their students.

The server also stored a record of emails containing sensitive codes that could allow anyone to reset user accounts as well as other internal Salesken.ai data.

The server was, however, taken offline shortly after the publication contacted Salesken.ai on Tuesday (29th June). 

“Salesken.ai, one of WhiteHat Jr’s vendor for India operations, has experienced a potential security incident. We are currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies, WhiteHat Jr. spokesperson Sameer Bajaj also said in response to Inc42’s queries.

Anurag Sen, a security researcher who first reported the breach told Inc42 that the Salesken.ai server was left unsecured without any password protection, and was discovered during a routine web mapping project that he was working on.

“Mostly the files were from WhiteHat Jr, including some files from BYJU’s future school. The number of students (impacted) is hard to figure out due to multiple entries but it was more than 100k entries for student and parents details,” added Sen.

“Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight…Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device,” Thilakan told the publication.

BYJU’S is currently the most valued startup in the Indian startup ecosystem at a towering valuation of $16.5 Bn. BYJU’S has acquired Mumbai-based Whitehat Jr. for $300 Mn, which was one of the most celebrated deals in India’s consumer Internet space. 

BYJU’S also has a sizable number of users. The company had added 25 Mn new students to its platform between March 2020 to November 2020, growing its user base to 75 Mn students, including 4.2 Mn annual paid subscribers. 

WhiteHat Jr., on the other hand, has over 1.5 lakh paid students of which 70% of them are in India with more users from other countries such as the US, Australia and New Zealand. 

Inc42 had earlier pointed out that due to a global pandemic sweeping through the world, Indian companies have become more vulnerable to cyberattacks and data breaches and many of the top tech startups have fallen victims. 

Recently a slew of data breaches uncovered in India’s startup ecosystem has set alarm bells ringing among regulators and government agencies. Like Mobikwik in March 2021 — around 100 Mn users are said to be affected by the data breach, prompting public outcry and hints of regulatory intervention from the RBI. However, what surprised most observers was the staunch denial of responsibility from the fintech firm

Given that India lacks a comprehensive data protection act, which has been stuck in limbo for more than three years, Mobikwik and others before it have been able to deny responsibility and skip any legal repercussions. In the last five years alone, more than two dozen consumer tech startups have either directly or indirectly been responsible for exposing personal and non-personal data of billions of customers cumulatively.

Startups in hyperlocal delivery, fintech, edtech, mobility, and content streaming were the worst affected. Big tech firms like Twitter and Facebook have also been impacted on several occasions. Government-run Aadhaar has also been involved in several data leaks in the past.


Update | 30th July, 9:44 PM

An earlier version of the story stated that users belonging to edtech major BYJU’s were also affected due to the data breach, however, a spokesperson from WhiteHat Jr informed Inc42 post publishing of the article that the breach affected only users of Whitehat Jr. Salesken.ai supplies CRM tools to WhiteHat Jr. only and not to BYJU’s. The story’s headline and lede have been updated to reflect the changes.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

[Update] Sensitive Data Of Whitehat Jr Users Exposed Online-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

[Update] Sensitive Data Of Whitehat Jr Users Exposed Online-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

[Update] Sensitive Data Of Whitehat Jr Users Exposed Online-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

[Update] Sensitive Data Of Whitehat Jr Users Exposed Online-Inc42 Media
[Update] Sensitive Data Of Whitehat Jr Users Exposed Online-Inc42 Media
You’re in Good company