Teen flags JEE Advanced data exposure of over 3 lakh records, IIT Roorkee responds
A 16-year-old cybersecurity researcher alleged that a cloud storage misconfiguration linked to JEE Advanced 2026 made result records and admit-card PDFs publicly accessible. IIT Roorkee said corrective action was underway, but the disclosure has renewed concerns over student data security.
A 16-year-old cybersecurity researcher has alleged a major data exposure linked to the JEE Advanced 2026 result infrastructure, raising fresh concerns over the security of sensitive student information associated with one of India's most competitive entrance examinations.
The researcher, who operates under the online handle "DarthKermy", had earlier drawn attention for exposing alleged vulnerabilities in the National Testing Agency (NTA) portal just days before the NEET-UG re-test.
In a new disclosure shared on social media, he claimed to have uncovered a critical cloud storage misconfiguration connected to JEE Advanced 2026 that allegedly left a massive trove of candidate data publicly accessible without authentication.
According to the disclosure, nearly 179,600 result records and around 187,300 admit-card PDFs could be accessed online. The exposed information reportedly included candidates' names, dates of birth, mobile phone numbers and other personal details.
The researcher suggested that the exposure stemmed from a cloud storage configuration error rather than a sophisticated cyberattack, password compromise or system intrusion.
Despite the absence of a traditional hack, cybersecurity experts warn that such exposures can be equally concerning. Publicly accessible personal information can potentially be harvested for identity theft, phishing campaigns, targeted scams and other forms of misuse.
The revelation quickly gained traction online, triggering concern among students, parents and cybersecurity professionals. Given that JEE Advanced serves as the gateway to the Indian Institutes of Technology (IITs) and attracts lakhs of aspirants every year, the scale of the alleged exposure has amplified concerns about data protection practices within India's examination ecosystem.
Responding publicly to the disclosure, IIT Roorkee, the organising institute for JEE Advanced 2026, acknowledged the issue and confirmed that corrective measures were being implemented.
"Thank you @DarthKermy72747 for pointing out the configuration issue in the cloud storage device," IIT Roorkee said in its response.
The institute's statement suggests that while the exposed data may have been accessible for viewing, it could not be modified because of read-only permissions. However, cybersecurity experts note that unauthorised access to personal information can still pose significant privacy and security risks, even when data cannot be altered.
Several critical questions remain unanswered. IIT Roorkee has not publicly disclosed how long the data remained exposed, whether any unauthorised parties accessed the information, or whether affected candidates will be formally notified. The extent of any potential impact therefore remains unclear.
The episode is likely to renew scrutiny of how examination authorities collect, store and secure the personal information of lakhs of students. As India's education ecosystem becomes increasingly digital, institutions face growing pressure not only to conduct examinations smoothly but also to ensure that the vast amounts of candidate data entrusted to them remain adequately protected.
For many observers, the incident serves as a stark reminder that a single configuration mistake, not a sophisticated cyberattack, can potentially expose sensitive information belonging to thousands of students. Even as IIT Roorkee moves to address the issue, the disclosure has reignited broader questions about data security, accountability and privacy standards across India's education sector.
A 16-year-old cybersecurity researcher has alleged a major data exposure linked to the JEE Advanced 2026 result infrastructure, raising fresh concerns over the security of sensitive student information associated with one of India's most competitive entrance examinations.
The researcher, who operates under the online handle "DarthKermy", had earlier drawn attention for exposing alleged vulnerabilities in the National Testing Agency (NTA) portal just days before the NEET-UG re-test.
In a new disclosure shared on social media, he claimed to have uncovered a critical cloud storage misconfiguration connected to JEE Advanced 2026 that allegedly left a massive trove of candidate data publicly accessible without authentication.
According to the disclosure, nearly 179,600 result records and around 187,300 admit-card PDFs could be accessed online. The exposed information reportedly included candidates' names, dates of birth, mobile phone numbers and other personal details.
The researcher suggested that the exposure stemmed from a cloud storage configuration error rather than a sophisticated cyberattack, password compromise or system intrusion.
Despite the absence of a traditional hack, cybersecurity experts warn that such exposures can be equally concerning. Publicly accessible personal information can potentially be harvested for identity theft, phishing campaigns, targeted scams and other forms of misuse.
The revelation quickly gained traction online, triggering concern among students, parents and cybersecurity professionals. Given that JEE Advanced serves as the gateway to the Indian Institutes of Technology (IITs) and attracts lakhs of aspirants every year, the scale of the alleged exposure has amplified concerns about data protection practices within India's examination ecosystem.
Responding publicly to the disclosure, IIT Roorkee, the organising institute for JEE Advanced 2026, acknowledged the issue and confirmed that corrective measures were being implemented.
"Thank you @DarthKermy72747 for pointing out the configuration issue in the cloud storage device," IIT Roorkee said in its response.
The institute's statement suggests that while the exposed data may have been accessible for viewing, it could not be modified because of read-only permissions. However, cybersecurity experts note that unauthorised access to personal information can still pose significant privacy and security risks, even when data cannot be altered.
Several critical questions remain unanswered. IIT Roorkee has not publicly disclosed how long the data remained exposed, whether any unauthorised parties accessed the information, or whether affected candidates will be formally notified. The extent of any potential impact therefore remains unclear.
The episode is likely to renew scrutiny of how examination authorities collect, store and secure the personal information of lakhs of students. As India's education ecosystem becomes increasingly digital, institutions face growing pressure not only to conduct examinations smoothly but also to ensure that the vast amounts of candidate data entrusted to them remain adequately protected.
For many observers, the incident serves as a stark reminder that a single configuration mistake, not a sophisticated cyberattack, can potentially expose sensitive information belonging to thousands of students. Even as IIT Roorkee moves to address the issue, the disclosure has reignited broader questions about data security, accountability and privacy standards across India's education sector.
