The Indian Institute of Technology Roorkee has acknowledged a data exposure incident affecting the JEE Advanced 2026 results portal, after a security researcher discovered a publicly accessible cloud storage bucket containing approximately 179,600 result records and 187,300 admit card PDFs belonging to candidates of one of India's most competitive engineering entrance examinations.
What Happened
Days after IIT Roorkee, the organizing institute for JEE Advanced 2026, declared the examination results, a cybersecurity researcher operating under the handle @DarthKermy72747 disclosed on X that a cloud storage bucket linked to the results portal had been configured without authentication controls. The researcher's post included screenshots showing admit card documents and structured result data, with sensitive fields partially redacted to prevent further exposure. IIT Roorkee publicly confirmed the incident on June 2, 2026, thanking the researcher for responsible disclosure and stating that mitigation was underway. The institute emphasized that the storage was configured as read-only, ruling out the possibility of record tampering, but did not address how long the bucket had been publicly accessible or whether other parties had downloaded the data before remediation.
What Was Taken
The exposed storage contained roughly 179,600 candidate result records and approximately 187,300 admit card PDFs. According to the researcher, accessible data fields included candidate names, dates of birth, mobile numbers, subject-wise marks, ranks, and other personal identifiers visible on admit cards. Admit card PDFs typically also include photographs, signatures, parent or guardian names, examination center details, and registration identifiers. While the institute confirmed records could not be altered, exfiltration of the read-only data was entirely possible during the window of exposure.
Why It Matters
JEE Advanced candidates are predominantly minors or young adults between 16 and 19 years of age, making this exposure particularly sensitive. The combination of full names, dates of birth, mobile numbers, and verified academic performance data creates an ideal toolkit for targeted social engineering, admission fraud, and impersonation scams against students and their families. Indian education-themed phishing campaigns and counseling fraud have surged around results season, and a cleartext list of rank-holders with contact details accelerates those threats. This incident also mirrors a previously reported CBSE answer script exposure, signaling a recurring pattern of misconfigured cloud storage across Indian educational institutions handling examination data at national scale.
The Attack Technique
This was not an intrusion but a misconfiguration: the cloud storage bucket hosting result records and admit card PDFs was provisioned with public, unauthenticated read access. Such exposures typically result from default-permissive bucket policies, overly broad IAM rules, or short-term operational shortcuts taken during high-traffic events like results day that are never reverted. No credentials, exploits, or lateral movement were required; the assets were discoverable and downloadable by anyone with the URL pattern. The researcher's comparison to the prior CBSE incident suggests automated bucket-enumeration tooling continues to surface Indian education-sector storage at scale.
What Organizations Should Do
- Audit all cloud storage buckets (S3, GCS, Azure Blob) for public read or list permissions, and enforce default-deny policies through organization-wide service control policies.
- Deploy continuous Cloud Security Posture Management (CSPM) tooling with alerting on any bucket transitioning to public or any object ACL granting anonymous access.
- Treat examination portals, results systems, and admit card distribution as Tier-1 systems requiring formal pre-launch security reviews, including authentication enforcement on every asset path.
- Establish a published vulnerability disclosure policy and security.txt contact so researchers can report findings without resorting to public posts on social media.
- Notify affected candidates and parents directly with guidance on phishing, vishing, and admission counseling fraud likely to follow the exposure.
- Conduct a forensic review of cloud access logs to determine the duration of exposure and identify any bulk download activity that may indicate third-party harvesting.
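An added example (not code from the article or from IIT Roorkee) of the first and last items above: a check that flags bucket-policy statements granting read or list access to anonymous principals, and a pass over S3 server access log lines that surfaces IPs pulling objects anonymously in bulk. The bucket name, policy, log lines and IP addresses are constructed for the example.

```python
import json
import re
from collections import Counter
# Constructed sample policy (hypothetical bucket name) of the shape that makes
# a results bucket an unauthenticated download site.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-results-bucket",
                  "arn:aws:s3:::example-results-bucket/*"]}]})
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

def public_read_grants(policy_json: str) -> list:
    """Return read/list actions the policy grants to anonymous ('*') principals."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "")
        if isinstance(principal, dict):          # {"AWS": "*"} is public too
            principal = principal.get("AWS", "")
        principals = principal if isinstance(principal, list) else [principal]
        if "*" not in principals:
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        found.extend(a for a in actions if a.lower() in READ_ACTIONS)
    return found

# Leading fields of an S3 server access log line: owner, bucket, [time],
# remote IP, requester ('-' when anonymous), request ID, operation, key, ...
LOG_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+)')

# Constructed log lines: one IP pulling admit cards anonymously in bulk, one
# authenticated operator read, one anonymous single read.
SAMPLE_REQUESTS = [("203.0.113.5", "-", f"admitcards/{i}.pdf") for i in range(1, 5)] + [
    ("198.51.100.7", "arn:aws:iam::123456789012:user/ops", "results/r.csv"),
    ("192.0.2.9", "-", "admitcards/9.pdf")]
SAMPLE_LOG = [f'o1 example-results-bucket [02/Jun/2026:10:00:00 +0000] {ip} {who} R1 '
              f'REST.GET.OBJECT {key} "GET /{key} HTTP/1.1" 200 - 54321'
              for ip, who, key in SAMPLE_REQUESTS]

def bulk_anonymous_downloads(log_lines, threshold=3) -> dict:
    """Count anonymous object downloads per remote IP; return IPs at/above threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(5) == "-" and m.group(7) == "REST.GET.OBJECT":
            counts[m.group(4)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run `public_read_grants` against every bucket policy in the account and `bulk_anonymous_downloads` over the access logs for the exposure window; a non-empty result from either is the finding to act on.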