Myeasydocs is an online platform that allows people to submit documents for verification to banks, universities, law enforcement agencies, and much more. The breach we discovered was connected to an Israeli URL owned by a company that appeared to facilitate Indian students submitting documents to educational institutes in Israel and India. As a result, over 50,000 current and former students of the universities were exposed to a wide range of online frauds and attacks.
Data Breach Summary
Timeline of Discovery and Owner Reaction
Date discovered: 2nd February 2022
Date Israel CERT contacted: 3rd February 2022
Date vendors contacted: 8th February 2022
Date of 2nd contact attempt (if relevant):
Date of Response: 14th February 2022
Date of Action: 14th February 2022
Myeasydocs was using a Microsoft Azure account to store documents and data collected from files submitted via its software. However, they failed to implement any security measures on the account’s servers, leaving the contents totally exposed and easily accessible to anyone with a web browser. As the company’s Israeli website was unavailable at the time we discovered the breach, we first informed the Israeli CERT of the breach and how it affected residents of Israel. We then contacted the company’s main office to notify them of the breach and offer our assistance.
Examples of Data Exposed
Myeasydocs’ Azure storage account contained over 57,400 files, a mix of diplomas and grade certificates, each revealing huge amounts of PII and personal/academic details about the person exposed. In total, 10,000s of people were exposed in the breach. The private personal user data we viewed included:
Full names
Subject Majors
National ID and university/college registration numbers
Dates of graduation
Grades
Emails
Phone numbers
Data Breach Impact
For Users
Had malicious or criminal hackers discovered Myeasydocs’ Azure account before it was secured, they could have used it against the people exposed in numerous ways, including:
For Myeasydocs
The company could also experience negative backlash, such as:
Furthermore, the government of India has introduced its first cybersecurity policy, demanding companies declare data breaches within 6 hours of them being flagged. While the law doesn’t come into effect until later this year, if Myeasydocs’ data breach had been discovered by this time, it would be liable for government action as a result.
Advice from the Experts
Myeasydocs could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:
Any company can replicate the same steps, no matter its size. For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.
For Myeasydocs Users
If you’ve used Myeasydocs to verify documents and are concerned about this breach, contact the company directly to find out what steps it’s taking to protect your data. To learn about data vulnerabilities in general, read our complete guide to online privacy.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Myeasydocs’ data as part of a huge web mapping project undertaken to make the internet safer for all users. We search for unsecured data stores exposing private information and examine each data store for any data being leaked. Our team was able to access Myeasydocs’ Azure account because it was completely unsecured and unencrypted. As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Myeasydocs to inform them of the vulnerability and to suggest ways they could make their system secure. We have no evidence, and no way of knowing, whether Myeasydocs’ data has been accessed or leaked by anyone else; only the company can know that. We never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data. Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years. This has included an enormous data breach by a Ghanaian government agency that exposed 100,000s of the country’s citizens. We also revealed that an Australian marketing company was harvesting and exposing data collected from 100,000s of people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
Introducing The Leak Box
The Leak Box is hosted on the Dark Web and allows ethical hackers to anonymously report any data breach they find online. Alternatively, anyone can submit a breach here on vpnMentor, any time, from anywhere, without compromising their privacy.