WhiteHat Jr, a startup that teaches coding to kids, doesn’t know how to fix its own bugs. It exposes data of 2.8 million users

A serious cybersecurity incident has been revealed. WhiteHat Jr, an online coding platform targeted for children, has been leaking personal data of over 2.8 million students and teachers. The incident seems consequence of the exploitation of multiple security bugs on the platform.    

The finding was possible thanks to the work of an independent security researcher, who responsibly reported the leak to WhiteHat Jr. According to the report, the company left its backend server open, which allowed threat actors to access to a hughe collection of plaint text data, which included details such as:

  • Students’ full names
  • Birth dates
  • Gender
  • User IDs
  • Parents’ names
  • Progress reports

The researcher, who prefers remain anonymous, confirmed that the company answered his report the next day. In response to the incident, WhiteHack Jr shut down access to its Amazon Web Services (AWS) servers. Besides, a company spokesperson stated: “We wanted to point out that no data breach has been detected in the context of the company’s systems or networks; nonetheless, we will keep investigating the incident”.

WhiteHat Jr was founded in 2018 by Karan Bajaj as an educational technology platform meant to teach coding to small children and teenagers. Last August the company was absorbed by Byju’s for nearly $300 million USD.

Minors were not the only affected by this data leaking. The anonymous researcher also mentioned that the servers exposed teachers’ information as well. This registers include details such as salary documentation, contracts and hundreds of sessions recorded in video.   

The expert also found that WhiteHat Jr is leaking personal data due to its API where one user is able to view another’s data including financial details, but no official statement has been published about it. While multiple researchers have claimed that the company had left the servers open for several months, it is impossible to conclude such information as for now.