Tiger Global-backed tutorial platform Vedantu accused of massive data breach
Bengaluru-based online tutorial platform Vedantu has been accused of a massive data breach running into 687,000 records. The allegation has been made on microblogging platform Twitter by Have I Been Pwned, a free data breach search and notification service that monitors security breaches and password leaks for users’ security. Vedantu confirmed the breach to TechCircle, adding that the breach had affected 10% of its overall user accounts.
New breach: Indian training site Vedantu had 687k records exposed in July. Exposed data includes IP and email addresses, names, phone numbers, genders and passwords stored as bcrypt hashes. 28% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA — Have I Been Pwned (@haveibeenpwned) November 1, 2019
According to its Twitter profile, Have I Been Pwned has around 86,0000 followers and tweeted about the Vedantu data breach today.
The tweet said that Vedantu's records were exposed in July and that the exposed data included IP and email addresses, names, phone numbers, genders and passwords stored as bcrypt hashes.
Confirming the breach, the company told TechCircle in an emailed response, "Yes, Vedantu has been subject to a hacker attack. According to our preliminary analysis, some records of 687,000 user accounts have been hacked and breached (10% of total user accounts). Some of the user account information has been compromised owing to this. However, no user accounts have been compromised because all our passwords are encrypted. While our strong IT security system ensures that user passwords were not at all compromised, as a security measure we have still sent proactive emails to our users urging them to change their passwords. We also want to reassure everyone here that no other secured user information/data (including payment related information) have been compromised."
The statement further said, "We are always entitled to protect our customer data and hence multiple changes are being inducted in our security infrastructure to prevent any such untoward incidents in the future."
Another tweet from a user called Troy Hunt alleged that the tutorial company knew about the breach and was aware that customer data was being exchanged online.
Just for the record, I managed to make contact with Vedantu a week ago. They were aware of the incident and advised they were contacting impacted customers. They were also aware their customer data was being exchanged online https://t.co/bguAcm3rh6 — Troy Hunt (@troyhunt) November 1, 2019
Hunt’s Twitter profile claims he is the creator of @haveibeenpwned.
Earlier in August, Vedantu raised $42 million in a Series C round led by existing investor Tiger Global Management and new investor Westbridge Capital.