WhiteHat Jr left backend server open which left data of 2.8 lakh students and teachers vulnerable, bug fixed now

BYJU'S-owned edtech startup WhiteHat Jr was reportedly found to have left the personal data of 2.80 lakh students and teachers vulnerable through multiple bugs, which have been fixed, WhiteHat Jr confirmed to YourStory.

Thursday, November 26, 2020


In a statement, the edtech player said that WhiteHat Jr takes security and privacy issues very seriously. "We are committed to both our customers and to our compliance with applicable laws. Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours," the statement said.

"We reiterate that no breach of data has happened in this context on company's computer systems and networks, out of an abundance of caution we are continuing our investigation to ensure that this is the case. We regularly undertake and continue with various initiatives to strengthen our Security and Privacy set-up and have also retained external security experts to assist us," the statement added.

An independent security researcher (who does not want to disclose his identity) disclosed to the edtech player that WhiteHat Jr had left its backend server open, allowing unauthorised access to data such as student names, age, gender, photos, user IDs, parents' names, and progress reports. The report further revealed that upon the researcher's disclosure, WhiteHat Jr acknowledged the mail and fixed the issue by restricting access to the company's AWS servers.

Karan Bajaj, Founder and CEO of WhiteHat Jr.

WhiteHat Jr's spokesperson shared the researcher's email with YourStory, in which he said:

"I can most definitely confirm this that the patch was delivered within 24 hours of disclosure. If I remember it correctly it took 18 hours for the company to patch all vulnerabilities for the mail I had sent on 19th November. There were several follow ups and all other bugs were fixed in a similar time period. Also I have made a responsible disclosure and no local copies of data were copied or shared or breached or obtained at any time at all."


WhiteHat Jr has been in the news ever since edtech unicorn BYJU'S acquired it for $300 million. Founded in 2018 by former Discovery Networks CEO Karan Bajaj, WhiteHat Jr offers AI courses to children aged six to 14 years. The platform was highly criticised for its promotions, which implied that kids can start earning money prematurely after learning coding, and for encouraging parents to push kids to dive into an even more 'ambitious' world.


Most recently, the Advertising Standards Council of India (ASCI) ordered WhiteHat Jr to remove five advertisements for not adhering to advertising standards. Besides that, there are ongoing controversies where people have called out WhiteHat Jr for alleged malpractices that have attracted defamation cases.

Disclaimer: We have updated the story as well as the headline as we received official communication from WhiteHat Jr.


Edited by Kanishk Singh