An Indian ed tech provider suffered a serious data breach months ago impacting hundreds of thousands of customers, but is only now informing them of the incident.
Vedantu offers a real-time online learning environment for teachers and students from its headquarters in Bengaluru.
However, it was hit by an attack back in July that exposed the personal data of 687,000 users, according to breach notification site HaveIBeenPwned?
“The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes,” the note explained. “When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.”
Reports suggest that the culprit may have been an exposed MongoDB instance, although this has yet to be confirmed.
Although the passwords appear to have been encrypted, there’s plenty of other personal information in the breach that could give the hackers an opportunity to craft convincing follow-on phishing attacks and identity theft attempts.
Ray Walsh, digital privacy advocate at ProPrivacy, said it’s a concern the breach wasn’t discovered earlier by Vedantu.
“What’s more, because phone numbers were stolen along with names and addresses, it is possible that users could have fallen victim to phone scams designed to steal their money — or perhaps even a SIM swap attack that could have resulted in the dual-factor authentication for their online accounts, or perhaps even their internet banking, being compromised,” he added.
“Any user who believes they have been affected by this data breach is advised to keep a close eye on any emails, messages, or phone calls they receive that could be using data stolen from Vedantu to coerce them into parting with further data or clicking on malicious links.”