
BYJU’S-Owned WhiteHat Jr Students’ Sensitive Data Was at Risk

Due to an unprotected database, student data from WhiteHat Jr, the online coding platform owned by the popular learning e-portal BYJU’S, was accidentally left exposed on an unsecured server of

Since June 14, the server belonging to, a customer relationship management (CRM) platform, has been compromised. The data on the server included students’ names and classes, and parents’ and teachers’ email addresses and phone numbers. It also included recorded conversations between parents and staff, and remarks from teachers about their children. Internal data and copies of emails with codes to reset user accounts were also discovered on the server. approaches companies like Byju’s and WhiteHat Jr, in this case, to engage with customers more effectively by providing customer relationship technology hosted on the company’s server., based in Bengaluru, is backed by notable venture capital firms like Sequoia Capital India, Unitus Ventures, and the Michael and Susan Dell Foundation., which maintains a database of unprotected servers, revealed information regarding the unsecured database. The server had been left unprotected, without any password or encryption, and was noticed during a normal web mapping exercise by a security researcher, Mr. Anurag Sen. Apparently, the server was taken down immediately after the incident came into the news.

The company is communicating with “about the incident and will take appropriate action by our rigorous security policies,” said WhiteHat Jr. spokesperson Sameer Bajaj.

Earlier, it was reported that the personal data of 2.8 lakh teachers and students enrolled on the online coding platform operated by BYJU’S-owned WhiteHat Jr had been exposed on the server for an unspecified time until mid-November of 2020 because of several vulnerabilities. The Amazon Web Services (AWS) servers and the S3 buckets where the data was stored were left open, allowing access to documents, files, data, and videos contained in folders. These folders are usually accessible only to authorized company employees with a username and a password.

As cyberattacks and data breaches have become more widespread in recent years, the necessity for cybersecurity has skyrocketed. Data breaches occurred not long ago at well-known organizations such as Domino’s, LinkedIn, Air India, Mobikwik, Bizongo, and Upstox. It is a standing argument that the internet is already a toxic place for teenagers and young people, and that argument only gets stronger when their personal data is easily accessible to anyone.

So the question is: are these tech companies really able to protect our precious personal information in the first place?