1. Home
  2. business
  3. startups
  4. news
  5. From WhiteHat Jr, Big Basket, and Unacademy to Dunzo — these are the Indian startups that reported data leaks over the past few months

From WhiteHat Jr, Big Basket, and Unacademy to Dunzo — these are the Indian startups that reported data leaks over the past few months

From WhiteHat Jr, Big Basket, and Unacademy to Dunzo — these are the Indian startups that reported data leaks over the past few months
Business1 min read
  • The growing startups which have access to millions of users haven't been able to stay away from the threat of cyber-attacks.
  • Recently, WhiteHat Jr, BigBasket, and more have all reported massive data breaches.
  • Startups and SMEs in India are the most vulnerable segment when it comes to cyberattacks.
India, which is home to some of the top tech solution companies globally, is also one of the major victims of cybersecurity attacks.

The rapid digital shift has worked wonders for startups, but they also increasingly face the threat of cyber attacks. According to a CyberPeace Foundation report (CPF), startups and SMEs in India are the most vulnerable segment when it comes to cyberattacks.

Recently, National Cyber Security Coordinator Lt Gen (retd) Rajesh Pant had said that every day, 4 lakh malware is found, and 375 cyber-attacks are witnessed in India. WhiteHat Jr, Big Basket, and Dunzo are some of the startups that saw their data getting compromised over the last few months.

India's startup ecosystem has to reassess and build a robust cybersecurity system, as the number of users has increased with the push towards digital adaptation. "Successful ongoing cyber resilience should require the strategic alignment of cyber strategies with incident response, business continuity, and disaster recovery planning. We've got to involve the entire enterprise — from the front office to back," said Akhilesh Tuteja, Global Cyber Security, Co-Leader KPMG International, in a recent report by KPMG on how businesses should prepare for the growing number of cyberattacks.

Here's a look at the Indian startups who recently reported data breaches or bugs in their security system.

WhiteHat Jr

WhiteHat Jr
WhiteHat Jr/Facebook

Indian edtech startup WhiteHat Jr, which has found itself in a potboiler of controversies recently, had a bug in its system, making its data of over 2.8 lakh students vulnerable. On November 25, the Quint quoted a security researcher who reported the bug to WhiteHat Jr, who said, "According to what I found out the personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company's server-side."

WhiteHat Jr said that all vulnerabilities were fixed within 24 hours and stressed that there was no data leak.

According to the security researcher, WhiteHat Jr's back-end server was left open, allowing access to student names, age, gender, images, user IDs, parents' names, and progress reports. The report also said that access to the company's AWS servers was restricted as of November 20.


BI India

One of India's popular e-grocery startups, BigBasket, has faced a security breach that compromised almost 20 million users' data. The blog by cybersecurity research firm Cyble said that their research team found the database of BigBasket being sold for over $40,000 in the cyber-crime market.

BigBasket admitted that a breach had happened. While BigBasket had said it was evaluating the breach, there has been no update on the same.

Cyble said that the hacked data could mean that crucial information like users' full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), complete addresses, date of birth, location, and IP addresses of login could have been leaked.



During the coronavirus lockdown, another hyperlocal delivery startup, Dunzo, had reported a breach in its user data. In July 2020, the personal data of 3.4 million users of Dunzo was exposed.

"Our investigation so far suggests that the servers of a third party we work with were compromised. This allowed the attacker to get unauthorized access and breach our database. This database contained a user phone number and email address information. No payment information like credit card numbers was compromised as we do not store this data on our servers," Dunzo had said in a statement then.



Edtech unicorn Unacademy had reportedly suffered a data breach in January 2020, according to security research firm Cyble which left data of over 22 million users up for sale.

"As per our internal investigations, email data of around 11 million users has been compromised as against 22 million stated in reports. This is on account of only around 11 million email data of users available on the Unacademy platform. We have been closely monitoring the situation and would like to assure our users that no sensitive information such as financial data or location has been breached," the company's Chief Technology Officer and co-founder Hemesh Singh had told ET in May.



Another edtech startup Edureka had suffered a data breach in September 2020, which potentially left data including names, addresses, phone numbers of at least 2 million users, according to a team of security experts from SafetyDetectives. The startup's data breach had occurred because it left a server open without being protected by a password.


Newsletter BI Logo

Get your weekly dose of essential news delivered right to you, plus explore a world of insights with our diverse newsletter subscription options.

  • Weekly newsletter
  • Uncover the latest in Tech, Finance, Business, and more
  • Handpicked web stories, in-depth articles, and expert analyses
Copylink BI