Report: Document Verification Platform Exposes 10,000s of Students in India and Israel in Massive Data Breach

Led by Noam Rotem, vpnMentor’s research team discovered a data breach in a Microsoft Azure cloud account belonging to the company Myeasydocs.

Myeasydocs is an online platform that allows people to submit documents for verification to banks, universities, law enforcement agencies, and much more.

The breach we discovered was connected to an Israeli URL owned by a company that appeared to facilitate Indian students submitting documents to educational institutes in Israel and India. As a result, over 50,000 current and former students of the universities were exposed to a wide range of online frauds and attacks.

Data Breach Summary

Company: MyEasyDocs
Headquarters: Chennai, India
Industry: Cloud services
Size of data in gigabytes: 30.5GB
Suspected no. of files: Up to 57,400
No. of people exposed: Up to 57,400
Date range/timeline: 26th April ‘16 - 31st August ‘21
Geographical scope: India and Israel
Types of data exposed: Educational records; PII data
Potential impact: Phishing; fraud; identity theft
Data storage format: Microsoft Azure

Timeline of Discovery and Owner Reaction

  • Date discovered: 2nd February 2022
  • Date Israel CERT Contacted: 3rd February 2022
  • Date vendors contacted: 8th February 2022
  • Date of 2nd contact attempt (if relevant):
  • Date of Response: 14th February 2022
  • Date of Action: 14th February 2022

Myeasydocs was using a Microsoft Azure account to store documents and data collected from files submitted via its software. However, they failed to implement any security measures on the account’s servers, leaving the contents totally exposed and easily accessible to anyone with a web browser.

As the company’s Israeli website was unavailable at the time we discovered the breach, we first informed the Israeli CERT of the breach and how it affected residents of Israel. We then contacted the company’s main office to notify them of the breach and offer our assistance.

Examples of Data Exposed

Myeasydocs’ Azure storage account contained over 57,400 files, a mix of diplomas and grade certificates, each revealing huge amounts of PII and personal/academic details about the person exposed.

In total, 10,000s of people were exposed in the breach.

The private personal user data we viewed included:

  • Full names
  • Subject Majors
  • National ID and university/college registration numbers
  • Dates of graduation
  • Grades
  • Emails
  • Phone numbers

[Image: PII data exposed by Myeasydocs]

[Image: College degree exposed by Myeasydocs]

[Image: Degree exposed by Myeasydocs]

Data Breach Impact

For Users

Had malicious or criminal hackers discovered Myeasydocs’ Azure account before it was secured, they could have used it against the people exposed in numerous ways, including:

  1. Phishing campaigns to trick people into providing additional PII data (e.g., social security numbers) or private information (e.g., bank account details), entering debit or credit card details into a fake payment portal, or clicking a link that infects their device with malicious software such as malware, spyware, or ransomware.
  2. Impersonating students using their diplomas and grade charts, PII data, etc. to commit fraud.
  3. Harassing or doxing the students online.
  4. Selling a new identity - the diplomas and PII data could be used to sell someone a new identity. Academic documents are a key ingredient to identity theft, and are often sold as part of a “new identity” package on the dark web.

For Myeasydocs

The company could also experience negative backlash, such as:

  1. Loss of business, customers, partners - universities most likely have plenty of alternative software providers to choose from.
  2. Bad publicity - cybersecurity is taken extremely seriously in Israel. Fallout may mean the company loses access to an entire market.

Furthermore, the government of India has introduced its first cybersecurity policy, demanding companies declare data breaches within 6 hours of them being flagged. While the law doesn’t come into effect until later this year, if Myeasydocs’ data breach had been discovered by this time, it would be liable for government action as a result.

Advice from the Experts

Myeasydocs could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:

  1. Securing its servers and data stores.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.
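One way to check the first two points on your own Azure subscription, as an added example that is not vpnMentor's or Myeasydocs' code: it reads JSON exported with `az storage account list` and `az storage container list` and reports accounts and containers that allow unauthenticated reads. It assumes the exposure was anonymous Blob access (the report does not say which setting was at fault); the `containers` key, the account names and the finding labels are constructed for the example.

```python
import json

# Constructed sample: two records shaped like `az storage account list -o json`,
# each with its `az storage container list` output attached under a
# hypothetical "containers" key. Every name here is made up.
SAMPLE = json.loads("""
[
  {"name": "docsprod", "allowBlobPublicAccess": true,
   "networkRuleSet": {"defaultAction": "Allow"},
   "containers": [
     {"name": "certificates", "properties": {"publicAccess": "container"}},
     {"name": "thumbnails", "properties": {"publicAccess": "blob"}},
     {"name": "internal", "properties": {"publicAccess": null}}]},
  {"name": "docsarchive", "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny"},
   "containers": [
     {"name": "legacy", "properties": {"publicAccess": "container"}}]}
]
""")

def audit_account(acct):
    """Return (account, resource, issue) findings for one storage account."""
    name, findings = acct["name"], []
    # Flag anything other than an explicit false: a conservative choice made
    # for this example, since null means the setting was never decided.
    anon_possible = acct.get("allowBlobPublicAccess") is not False
    if anon_possible:
        findings.append((name, "account", "anonymous-access-not-disabled"))
    if (acct.get("networkRuleSet") or {}).get("defaultAction", "Allow") == "Allow":
        findings.append((name, "account", "reachable-from-any-network"))
    for c in acct.get("containers", []):
        level = (c.get("properties") or {}).get("publicAccess")
        # "container" lets anyone list and read blobs; "blob" lets anyone
        # read a blob whose URL they know. The account-level switch, when
        # false, overrides both, so those containers are not reported.
        if anon_possible and level == "container":
            findings.append((name, c["name"], "anonymous-list-and-read"))
        elif anon_possible and level == "blob":
            findings.append((name, c["name"], "anonymous-read-by-url"))
    return findings

def audit(accounts):
    """Audit every account and return all findings in input order."""
    return [f for a in accounts for f in audit_account(a)]

if __name__ == "__main__":
    for account, resource, issue in audit(SAMPLE):
        print(f"{account}/{resource}: {issue}")
```

An empty result for an account means anonymous access is switched off at the account level and the default network rule is Deny; it says nothing about shared keys or SAS tokens, which need their own review.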

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.

For Myeasydocs Users

If you’ve used Myeasydocs to verify documents and are concerned about this breach, contact the company directly to find out what steps it's taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Myeasydocs’s data as part of a huge web mapping project undertaken to make the internet safer for all users. We search for unsecured data stores exposing private information and examine each data store for any data being leaked.

Our team was able to access Myeasydocs’ Azure account because it was completely unsecured and unencrypted.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Myeasydocs to inform them of the vulnerability and to suggest ways they could make their system secure.

We have no evidence - and no way of knowing - whether Myeasydocs’ data has been accessed or leaked by anyone else - only the company can know that.

We never sell, store, or expose any information we encounter during our security research.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.

This has included an enormous data breach by a Ghanaian government agency that exposed 100,000s of the country’s citizens. We also revealed that an Australian marketing company was harvesting and exposing data collected from 100,000s of people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
