Indian Tech Startup Exposed Byju Student Data

An India-based technology startup has secured an exposed server that was spilling the personal and confidential data of one of its clients, Byju's, an educational technology giant and India’s most valuable startup. The server had been unprotected since at least June 14, according to historical data from Shodan, a search engine for exposed devices and databases. Because the server had no password, anyone could access the data it contained. Security researcher Anurag Sen found the exposed server and asked TechCrunch for help reporting it to the company.

The server went offline after we contacted Salescan on Tuesday. Salescan provides customer relationship technology to companies like Byju's to help them better connect with customers. In 2020, two years after it was founded, the Bengaluru-based startup raised $8 million in Series A funding from Sequoia Capital India. Much of the information on the exposed server is from White Hat Jr., an online coding school for students in India and the United States, which Byju's bought in 2020 for $300 million $1.5 billion Earlier this year.

The server contained the names of students and the classes they took, along with the email addresses and phone numbers of parents and teachers. It also contained other student-related data, such as chat logs between parents, marked by their phone numbers, and comments made by teachers about White Hat Jr. staff as well as their students. Copies of emails containing codes for resetting user accounts, and other internal Salescan data, were also on the server. Surga Thilakan, co-founder and CEO of Salescan, told TechCrunch that the startup was “evaluating” the security incident, but did not dispute what kind of data was found on the exposed server.

“Our assessment shows that the open device is seen as an op-production platform of our integration services that has access to India’s end-of-life sales record for fifteen days. Salescan.ei adheres to strict data protection standards and is certified under the highest global security and safety standards. We have been extremely cautious in blocking access to cloud devices.” Thilakan did not respond to TechCrunch's follow-up emails asking why actual user data was stored on what the company says is a non-production “staging” server. The company also did not say whether it has logs or any other evidence to determine whether the data was accessed or downloaded as a result of the security lapse.