Indian tech startup exposed Byju's student data ' TechCrunch

Salesken.ai, a technology startup based in India, has secured a server that was leaking sensitive data to Byjus, an education tech giant and India's most valuable startup.According to Shodan's historical data, the server had been unprotected at least since June 14, according Shodan, which is a search engine that exposes databases and devices. The server didn't have a password so anyone could see the data. Anurag Sen, a security researcher, discovered the server and requested TechCrunch's assistance in reporting it to TechCrunch.We contacted Salesken.ai Tuesday afternoon to have the server taken offline.Salesken.ai offers customer relationship technology to Byjus companies to help them better engage with customers. In 2020, the startup based in Bengaluru raised $8 million in Series B funding from Sequoia Capital India. This was two years after it was founded.WhiteHat Jr. was an online coding school that students in India as well as the U.S. found on the server. Byjus purchased it for $300 million in 2020. After raising $1.5 billion earlier in the year, Byjus' current value is more than $16 million.The server also contained information about students, including their names and classes. It also had email addresses and telephone numbers for parents and teachers. Other data about students was also stored on the server, including chat logs between parents and WhiteHat Jr. staff as well as comments made by teachers about students.Also, the server contained duplicates of emails that contained codes for resetting user accounts and other Salesken.ai data.Surga Thilakan is the co-founder and chief executive of Salesken.ai. She told TechCrunch that the startup was evaluating the security issue but didn't dispute the type of data found on the server.Thilakan stated that the device exposed appears to be a staging example of one of our integration service having access to less then 1% of India-based end-of life sales logs for a week. Salesken.ai adheres to strict data security standards and is certified according to the highest standards for global safety and security. In an abundance of caution we have immediately blocked access to the cloud device.TechCrunch sent Thilakan an email, but she did not reply. TechCrunch also asked Thilakan why user data was stored on what Thilakan claims to be a staging server. TechCrunch did not receive a follow-up email from Thilakan asking why real user data was stored in what the company claims is a non-production, staging server. The company would not confirm if logs are available or if any evidence exists to prove that data was accessed.WhiteHat Jr. spokesperson Sameer Bajaj stated that the company is in contact with Salesken.ai regarding the incident and will take the appropriate actions according to our strict security policies.