India-based educational technology firm Vedantu has suffered a data breach, exposing “extensive personal information” on 687,000 users.
Affected personal details include email and IP addresses, names, phone numbers, website activity and genders. Passwords were also exposed but were stored as bcrypt hashes, which means they were not visible in plaintext.
Vedantu, headquartered in Bengaluru, provides interactive online tutoring for children aged 11 to 18.
Security researcher Troy Hunt first reported the breach, adding it to his site Have I Been Pwned, a free site that notifies users if their details have been exposed in a breach.
The Vedantu data breach took place on 8 July 2019. The exposed data was stored in JSON format and dumped onto a database leak forum, where it was exchanged by forum members.
The data appears to have been leaked via an unsecured MongoDB instance. Many data leaks have occurred simply because firms have exposed a database to the internet without requiring a password to access it.
“MongoDB is a popular piece of database software which unfortunately to this day does not come with mandatory access control where the administrator has to manually enable access control and set a password,” said Tom Van de Wiele, principal security consultant at Finnish cybersecurity firm F-Secure.
New breach: Indian training site Vedantu had 687k records exposed in July. Exposed data includes IP and email addresses, names, phone numbers, genders and passwords stored as bcrypt hashes. 28% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I Been Pwned (@haveibeenpwned) November 1, 2019
Last week Verdict approached Vedantu for comment but has yet to receive a response.
Vamsi Krishna, the co-founder of Vedantu, told the Economic Times that “no sensitive details would have been compromised” and that the vulnerability was fixed within a few days.
He added that it would have been difficult to misuse the exposed data because it was stored in an encrypted format. Krishna also said that customers were informed of the breach and advised to change their passwords.
However, Hunt told Verdict that “there was no encryption”, pointing out that while bcrypt hashes provide a layer of protection, “passwords can certainly still be cracked, albeit at a much slower rate than with many other algorithms”.
“This is why they’re recommending password resets, because there is actually still risk,” he added.
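The point Hunt makes, that a hash is not encryption and that a slow hash only slows a cracker down, is easy to see with an offline dictionary attack. The following is an added example written for this article; it is not code from Vedantu, Have I Been Pwned or anyone quoted here. It assumes a leaked record holds only a salt and a digest, and it uses scrypt from Python's standard library as a stand-in for bcrypt, which needs a third-party package; both are salted, deliberately slow, one-way functions, so the comparison holds. The wordlist is constructed for the example.

```python
import hashlib
import os
import time

# Constructed wordlist standing in for the top entries of a real cracking
# dictionary. A leaked user whose password is in here is recoverable.
WORDLIST = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "welcome", "monkey", "dragon",
    "vedantu123", "sunshine", "iloveyou", "football", "admin",
]


def hash_fast(password: str, salt: bytes) -> bytes:
    """One SHA-256 round: the kind of fast hash a cracker gets through quickly."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password: str, salt: bytes) -> bytes:
    """scrypt stands in for bcrypt here (assumption: bcrypt is not in the
    standard library). Like bcrypt it is salted, slow and one-way: there is
    no key that turns the digest back into the password, only guessing."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_record(password: str, hash_fn) -> dict:
    """Build what a leaked user record would contain: salt and digest only."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_fn(password, salt)}


def crack(record: dict, wordlist, hash_fn):
    """Offline dictionary attack: re-hash every candidate with the leaked salt
    and compare. Returns (recovered password or None, attempts, seconds)."""
    start = time.perf_counter()
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_fn(candidate, record["salt"]) == record["digest"]:
            return candidate, attempts, time.perf_counter() - start
    return None, attempts, time.perf_counter() - start


def rate_per_second(attempts: int, seconds: float) -> float:
    """Guesses per second the attacker achieved; the slow hash drives this down."""
    return attempts / seconds if seconds > 0 else float("inf")


if __name__ == "__main__":
    weak, strong = "letmein", "correct-horse-battery-staple-7"
    for name, fn in (("sha256", hash_fast), ("scrypt (bcrypt stand-in)", hash_slow)):
        rec = make_record(weak, fn)
        found, n, secs = crack(rec, WORDLIST, fn)
        print(f"{name}: recovered {found!r} after {n} guesses, "
              f"{rate_per_second(n, secs):.0f} guesses/s")
        rec = make_record(strong, fn)
        found, n, secs = crack(rec, WORDLIST, fn)
        print(f"{name}: strong password -> {found} after {n} guesses")
```

Running it shows the weak password falling to both hash functions, with the slow one reducing the guess rate by orders of magnitude rather than preventing the attack; only the password that is not in the wordlist survives. That is why a reset is the right advice even when the hashes are bcrypt.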
Vedantu data breach: “Another poorly secured database”
While India has data protection laws in place, they are less severe and more loosely enforced compared with Europe’s General Data Protection Regulation (GDPR).
“This is a predictable surprise,” said Matt Walmsley, director EMEA at cybersecurity firm Vectra. “Here we have yet another poorly secured database on the internet that’s been copied. Startups, by their very nature, are extremely agile, but this can’t be at the expense of good data management and security practices.”
Joseph Carson, chief security scientist & advisory CISO at cybersecurity firm Thycotic, said:
“For years and years, cybercriminals have been correlating each major data breach dump of email addresses and passwords so they can abuse them to gain access to employees’ accounts to steal sensitive data, conduct financial fraud or blackmail their way into further access.
“Some of these are hidden in the dark net or shared directly between cybercriminals. It is critical to know whether your email and password are impacted by this latest password dump and to change your password immediately to ensure further abuse is prevented. To make your life easier, choose a password manager to make creating or generating a new password easier.”
In August, Vedantu raised $42m to expand its online tutoring service in a Series C financing round. The startup has raised $58m in total.