IIT Roorkee Refutes JEE Advanced Data Breach Claims, Says No Sensitive Candidate Information Was Compromised

IIT Roorkee has denied claims of a major JEE (Advanced) data breach, saying a temporary cloud storage misconfiguration was quickly fixed. No sensitive information was compromised, and exam results, ranks and counselling remain unaffected.

Simple | Updated: Friday, June 05, 2026, 01:30 PM IST

Amid concerns circulating on social media over an alleged data breach involving JEE (Advanced) candidates, the Indian Institute of Technology (IIT) Roorkee has clarified that no sensitive information was compromised and that claims suggesting a large-scale leak are misleading.

The institute issued a detailed statement on X, stating that reports of a privacy violation affecting lakhs of aspirants do not accurately reflect the facts of the incident. IIT Roorkee said the situation stemmed from a temporary technical misconfiguration that was promptly identified and fixed.

The clarification comes days after a Dubai-based student and ethical hacker reported a vulnerability related to the JEE (Advanced) online system, triggering widespread discussion on social media.

Temporary technical issue, not a data breach: IIT Roorkee

In its statement, IIT Roorkee explained that on June 2, technical interventions were carried out on an expedited basis to help candidates facing difficulties in accessing admit card data and to ensure the smooth functioning of the registration process.

During this exercise, a minimal and temporary misconfiguration occurred in a cloud storage component. The issue was identified by ethical hacker Rylen Anil, who informed the institute that he could access the concerned database.

The institute said the vulnerability was immediately rectified and access was restricted as soon as it was reported.

IIT Roorkee further clarified that the affected cloud storage was configured as read-only, meaning that no information could be modified, deleted, or tampered with.

'No mass extraction of data took place'

According to the institute, an analysis of cloud access logs showed that there was no bulk download of candidate data. It stated that the access was limited to less than 0.05 per cent of the data stored in the affected system.

The institute stressed that no sensitive information was compromised or mass-extracted and that the incident had no impact on examination outcomes, including candidates' marks, ranks, or category details.

IIT Roorkee also expressed concern over what it described as attempts to misrepresent the incident and undermine public confidence in the examination system.

"The information circulating on social media is misleading and does not accurately reflect what happened," the institute said, adding that it remains committed to maintaining the integrity, security, and transparency of both the JEE (Advanced) examination and the JoSAA counselling process.

Ethical hacker also urges against misinformation

Rylen Anil, who first reported the vulnerability, also addressed the controversy through a post on X. He said he had observed claims suggesting that the data of all JEE candidates had been leaked, but noted that he had not seen evidence supporting such assertions.

Anil stated that while a vulnerability did exist, there was no indication of a large-scale data leak. He added that the issue was promptly reported and swiftly fixed by IIT officials.

The ethical hacker further clarified that he downloaded only a small number of files to verify the vulnerability and deleted them afterward. He urged people not to use the incident to spread unverified claims or misinformation.