India-based technology startup Salesken.ai has secured an exposed server that was spilling private and sensitive data on one of its customers, Byju's, an education technology giant and India's most valuable startup.
The server was left unprotected since at least June 14, according to historical data provided by Shodan, a search engine for exposed devices and databases. Because the server was without a password, anyone could access the data inside. Security researcher Anurag Sen found the exposed server, and asked TechCrunch for help in reporting it to the company.
The server was pulled offline a short time after we contacted Salesken.ai on Tuesday.
Salesken.ai provides customer relationship technology to companies like Byju's to engage better with customers. The Bengaluru-based startup raised $8 million in Series A funding from Sequoia Capital India in 2020, two years after the company was founded.
Much of the data contained on the exposed server pertained to WhiteHat Jr., an online coding school for students in India and the U.S., which Byju's bought for $300 million in 2020. Byju's is currently valued at more than $16 billion after raising $1.5 billion earlier this year.
The server contained the names and classes taken by students and email addresses and phone numbers of parents and teachers. The server also contained other data related to students, such as chat logs between parents — identified by their phone number — and WhiteHat Jr. staff, as well as comments recorded by teachers about their students.
The server also contained copies of emails containing codes to reset user accounts and other internal Salesken.ai data.
Surga Thilakan, co-founder and chief executive at Salesken.ai, told TechCrunch the startup was "evaluating" the security incident but did not dispute what kind of data was found on the exposed server.
"Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight," said Thilakan. "Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device."
Thilakan did not respond to a follow-up email from TechCrunch asking why real user data was stored in what the company claims is a "non-production, staging" server. The company also would not say if it has logs or any evidence to determine if data was accessed or downloaded as a result of the security lapse.
WhiteHat Jr. spokesperson Sameer Bajaj said the company is "currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies."