Report: Document Verification Platform Exposes 10,000s Students in India and Israel in Massive Data Breach
Led by Noam Rotem, vpnMentor’s research team discovered a data breach in a Microsoft Azure cloud account belonging to the company Myeasydocs.
Myeasydocs is an online platform that allows people to submit documents for verification to banks, universities, law enforcement agencies, and much more.
The breach we discovered was connected to an Israeli URL owned by a company that appeared to facilitate Indian students submitting documents to educational institutes in Israel and India. As a result, over 50,000 current and former students of the universities were exposed to a wide range of online frauds and attacks.
Data Breach Summary
Company | MyEasyDocs |
Headquarters | Chennai, India |
Industry | Cloud services |
Size of data in gigabytes | 30.5GB |
Suspected no. of files | Up to 57,400 |
No. of people exposed | Up to 57,400 |
Date range/timeline | 26th April ‘16 - 31st August ‘21 |
Geographical scope | India and Israel |
Types of data exposed | Educational records; PII data |
Potential impact | Phishing; fraud; identity theft |
Data storage format | Microsoft Azure |
Timeline of Discovery and Owner Reaction
- Date discovered: 2nd February 2022
- Date Israel CERT Contacted: 3rd February 2022
- Date vendors contacted: 8th February 2022
- Date of 2nd contact attempt (if relevant):
- Date of Response: 14th February 2022
- Date of Action: 14th February 2022
Myeasydocs was using a Microsoft Azure account to store documents and data collected from files submitted via its software. However, they failed to implement any security measures on the account’s servers, leaving the contents totally exposed and easily accessible to anyone with a web browser.
As the company’s Israeli website was unavailable at the time we discovered the breach, we first informed the Israeli CERT of the breach and how it affected residents of Israel. We then contacted the company’s main office to notify them of the breach and offer our assistance.
Examples of Data Exposed
Myeasydoc’s Azure storage account contained over 57,400 files, a mix of diplomas and grade certificates, each relieving huge amounts of PII and personal/academic details about the person exposed.
In total, 10,000s people were exposed in the breach.
The private personal user data we viewed included:
- Full names
- Subject Majors
- National ID and university/college registration numbers
- Dates of graduation
- Grades
- Emails
- Phone numbers
Data Breach Impact
For Users
Had malicious or criminal hackers discovered Myeasydoc’s Azure account before it was secured, they could have used it against the people exposed in numerous ways, including:
- Phishing campaigns to trick people into providing additional PII data (i.e., social security numbers) or private information (i.e., bank account details), input debit or credit card details into a fake payment portal, or clicking a link embedded with malicious software that infects a user’s device, such as malware, spyware, and ransomware.
- Impersonating students using their diplomas and grade charts, PII data, etc. to commit fraud.
- Harass or dox the students online.
- Selling a new identity - the diplomas and PII data could be used to sell someone a new identity. Academic documents are a key ingredient to identity theft, and are often sold as part of a “new identity” package on the dark web.
For Myeasydocs
The company could also experience negative backlash, such as:
- Loss of business, customers, partners - universities most likely have plenty of alternative software providers to choose from.
- Bad publicity - cybersecurity is taken extremely seriously in Israel. Fallout may mean company loses access to an entire market.
Furthermore, the government of India has introduced its first cybersecurity policy, demanding companies declare data breaches within 6 hours of them being flagged. While the law doesn’t come into effect until later this year, if Myeasydocs’ data breach had been discovered by this time, it would be liable for government action as a result.
Advice from the Experts
Myeasydoc could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:
- Securing its servers and data stores.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.
For Myeasydocs Users
If you’ve used Myeasydocs to verify documents and are concerned about how this breach, contact the company directly to find out what steps it's taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Myeasydocs’s data as part of a huge web mapping project undertaken to make the internet safer for all users. We search for unsecured data stores exposing private information and examine each data store for any data being leaked.
Our team was able to access Myeasydoc’s Azure account because it was completely unsecured and unencrypted.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Myeasydocs to inform them of the vulnerability and to suggest ways they could make their system secure.
We have no evidence - and no way of knowing - whether Myeasydoc’s data has been accessed or leaked by anyone else - only the company can know that.
During our security research, we ensure that no information we come across is ever sold, stored, or exposed.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
This has included an enormous data breach by a Ghanaian government agency that exposed 100,000s of the country’s citizens. We also revealed that an Australian marketing company was harvesting and exposing data collected from 100,000s of people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
Introducing The Leak Box
The Leak Box is hosted on the Dark Web and allows ethical hackers to anonymously report any data breach they find online. Alternatively, anyone can submit a breach here on vpnMentor, any time, from anywhere, without compromising your privacy.
Please, comment on how to improve this article. Your feedback matters!