CyberX9’s security research team discovered a massive data breach at PhysicsWallah (PW) caused by the company’s shocking negligence in cybersecurity. A critical vulnerability in PhysicsWallah’s platform left millions of students and their parents’ sensitive personal data completely exposed on the open internet. This trove of data included everything from names, contact details, residential addresses, government IDs to academic records and even photos, all available to anyone due to PhysicsWallah’s weak security. Alarmingly, some of the compromised records belong to children of Indian defense personnel, including those posted at high-security military bases involved in the recent India–Pakistan war. This inexcusable lapse not only violates privacy on a colossal scale but also potentially endangers national security by exposing confidential details of military families.
Key Highlights:
The scope of personal data exposed in this breach is extensive and deeply concerning. PhysicsWallah’s platform exposed nearly every type of information it held on students and their parents/guardians. This includes, but is not limited to:
- Full names of students and their parents/guardians.
- Contact information such as phone numbers (mobile numbers), email addresses, and home addresses.
- Government-issued ID details, most notably Aadhaar numbers (India’s unique 12-digit identity number) of students, along with other ID details in some cases.
- Parents’ professions and employment details, i.e. information about what the parents/guardians do for a living, which was collected by PhysicsWallah.
- Photographs – personal photos of students (including of female students) were exposed.
- Course and center details – data on which coaching courses the student is enrolled in, and at which PW center or branch (including city/location). This effectively reveals the student’s current educational plans and even their physical location during class hours.
This treasure trove of personal data was openly available to anyone who knew where to look, all due to PhysicsWallah’s weak security. The risks from such exposure are tremendous. First and foremost, the privacy of millions of families has been violated, their personal details can be misused by scamsters or cybercriminals for fraud, identity theft, phishing, and harassment. Phone numbers and emails could be spammed or targeted with social engineering attacks. Aadhaar numbers and other ID info being public is especially dangerous in the wrong hands, enabling identity fraud or financial crimes.
Overall, the data that PhysicsWallah left unprotected was not just “some usernames or emails”; it was highly sensitive, granular personal data that should never be public. The fact that it was exposed in bulk to the whole world is an unforgivable lapse. PhysicsWallah, an organization trusted by young students and parents across India, has severely compromised the privacy and security of its users. The incident underlines how one company’s poor security can translate into a nationwide vulnerability, potentially aiding hostile entities and endangering citizens.
The exposure of data involving defense personnel’s children elevates this breach to a grave national security concern. Military families’ personal information is highly sensitive; adversaries or terrorist organizations could weaponize this data in multiple ways. For example, enemy intelligence agencies could scrape the data to identify and track families of Indian military officers. Knowing a defense officer’s child’s name, where they live, where they go to coaching classes, and how to contact them can facilitate espionage or coercion attempts. There’s a very real threat of hostile entities using this data to target or pressure defense personnel, either for intelligence gathering or psychological warfare. Even criminal elements (like kidnappers or extortionists) could exploit the data – for instance, by targeting children of wealthy or prominent individuals (a parent’s profession could reveal high-profile targets) or of military personnel for ransom or revenge.
It’s not an exaggeration to say that PhysicsWallah’s negligence could have armed malicious actors with a “safety bypass” into the lives of millions. The exposed information about students’ whereabouts (through their coaching center details and schedules) and family backgrounds could be used to physically locate and harm or influence them. In the context of the recent India–Pakistan hostilities, imagine the danger if Pakistan-based terrorists or other adversaries got hold of lists of children whose parents serve at critical defense installations – the consequences could be catastrophic. Such intel could be used to plan targeted attacks or to undermine the morale of our armed forces.
The scope and severity of this data exposure are staggering. PhysicsWallah exposed deeply personal, sensitive, and confidential details of millions of Indian students and their families; this was not some random exposure of non-sensitive marketing data.
This vulnerability could easily have been used by malicious attackers to steal the exposed sensitive data of millions of customers and Indian defense personnel and misuse it, resulting in identity theft, extortion, threats, and national security threats, on top of simply holding the data of millions of customers. There are innumerable ways in which data exposed at this level could be used by malicious attackers to permanently harm the lives of millions of PhysicsWallah customers and Indian national security.
The data exposed extremely sensitive personal details, a goldmine of information that could fuel countless malicious attacks targeting millions of Indians. While the potential misuse cases for such sensitive data are virtually limitless, here are a few examples to give people a sense of the risks involved.
1. Identity theft: Using Aadhaar and personal details to open fraudulent bank accounts or conduct scams.
2. Phishing and scams: Targeting parents and students with convincing fake calls, emails, or SMS.
“Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication.” — SearchSecurity
3. Harassment and blackmail: Especially when attackers have access to photos or family details.
4. Extortion or kidnapping risks: Knowing where a student attends class and their family’s profile enables physical targeting.
5. Reputation attacks or doxxing: Publishing or misusing private data online.
Even more troubling, the breach included children of Indian defense personnel, some stationed at sensitive military posts. This creates:
1. National security risks: Enemy intelligence services could harvest and exploit family data of military officers.
2. Terrorism or coercion threats: Bad actors could threaten defense families to extract information or influence military operations.
3. Psyops or morale attacks: Using families as leverage to demoralize or disrupt armed forces units.
Simply put, PhysicsWallah’s negligence has placed millions of innocent people at severe risk, both digitally and physically.
For years, governments worldwide have been imposing hefty fines on companies for exposing and leaking customer data. Under the European Union’s GDPR, companies that clearly failed to take reasonable security steps to secure sensitive data have received hefty fines.
Some prominent past incidents of such fines:
“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source
Under GDPR, British Airways and Marriott famously both received fines of over €10,000,000 for violations in which they exposed customer data and were penalised for insufficient technical and organisational measures to ensure information security. You can see other fines issued under GDPR privacy law for cyber security negligence here.
1. Extreme negligence of user privacy (and even national security):
All signs indicate that PhysicsWallah’s data exposure was entirely preventable and stemmed from gross negligence. The exposed user records included highly sensitive personal information. Shockingly, this trove was not limited to ordinary students; it encompassed minors and the children of Indian defense personnel as well. After our report, PhysicsWallah “proudly” partnered with organizations such as the CRPF Family Welfare Association to enroll the wards of martyrs and serving officers in its courses. By failing to secure this data, the company not only violated user privacy but also potentially compromised national security by exposing identifiable information of military families, and it is now targeting a much wider Indian military user base while the security of its students’ sensitive data remains in such a horrible state.
In short, PhysicsWallah demonstrated a complete disregard for the sensitivity of the Indian children’s data it held, betraying the trust of families who believed a popular ed-tech platform would safeguard their children’s sensitive personal details. How would a company like this safeguard children’s futures when it cannot even safeguard their sensitive personal data?!
2. Empty security promises vs. actual practices:
PhysicsWallah’s public statements about security now ring hollow in light of these events. The company’s own privacy policy claims that “all information is stored on secure servers protected by passwords/PINs” and that PhysicsWallah “adheres to strict security guidelines”. In reality, anyone would have had little to no trouble obtaining millions of records just by browsing to PhysicsWallah’s vulnerable URLs in any normal web browser, proving that those “strict guidelines” were either woefully inadequate or false and misleading claims.
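The page does not describe the mechanism behind the exposure, only that records were reachable by URL in a browser. The added example below (not PhysicsWallah’s code, and not from CyberX9’s report) models the simplest failure consistent with that description: a record handler with no authentication or ownership check, beside a hardened version, plus the regression check a recurring security test would carry. Record IDs, names and URL paths are constructed placeholders.

```python
"""Record-by-URL exposure and its fix, as a minimal in-memory model."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample records (placeholders, not real data).
RECORDS = {
    "1001": {"name": "Student A", "aadhaar": "XXXX-XXXX-1111", "center": "City-1"},
    "1002": {"name": "Student B", "aadhaar": "XXXX-XXXX-2222", "center": "City-2"},
}


@dataclass(frozen=True)
class Session:
    user_id: str  # the logged-in account
    role: str     # "student" or "admin"


def _record_id(url: str) -> Optional[str]:
    """Extract <id> from a hypothetical /students/<id> path."""
    parts = urlparse(url).path.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "students" else None


def vulnerable_handler(url: str, session: Optional[Session] = None) -> Tuple[int, dict]:
    """Before: never looks at the session, so any browser gets any record."""
    rid = _record_id(url)
    return (200, RECORDS[rid]) if rid in RECORDS else (404, {})


def hardened_handler(url: str, session: Optional[Session] = None) -> Tuple[int, dict]:
    """After: require a login, then require that the caller owns the record."""
    if session is None:
        return 401, {}                      # unauthenticated: refuse before any lookup
    rid = _record_id(url)
    if session.role != "admin" and session.user_id != rid:
        return 403, {}                      # logged in, but not this user's record
    return (200, RECORDS[rid]) if rid in RECORDS else (404, {})


def regression_check(handler) -> bool:
    """Assertion a recurring security test should make against the live handler."""
    anon_blocked = handler("/students/1001")[0] == 401
    other_blocked = handler("/students/1001", Session("1002", "student"))[0] == 403
    owner_ok = handler("/students/1001", Session("1001", "student"))[0] == 200
    return anon_blocked and other_blocked and owner_ok
```

The hardened handler checks ownership before record existence, so a logged-in user cannot use the 403/404 difference to enumerate which IDs exist.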
After our research team at CyberX9 discovered the critical vulnerability exposing the sensitive personal data of millions of PhysicsWallah students (and their parents/guardians), we immediately moved to responsibly report the findings to PhysicsWallah’s leadership.
On 22 April 2025, we sent a detailed, high-priority email directly to PhysicsWallah co-founders Alakh Pandey and Prateek Maheshwari, explaining the massive security issues we had uncovered. Our message included a full vulnerability report describing the vulnerability, its impact, and why urgent fixes were needed, and we also suggested an immediate fix for the vulnerability. We also attached an executive summary written in plain language, to ensure that even non-technical leaders at PW could understand the seriousness.
Despite the urgent nature of our message, PhysicsWallah’s leadership did not respond for over two days. We followed up with reminders, but still received no confirmation that they had even started working on a fix or by when they would fix the vulnerability. When their team finally reached out, it was only to ask for the report again, even though we had already shared it with them on the first day. Worse, their replies sidestepped our direct questions about whether the vulnerability had been fixed or by when they planned to fix it.
This foot-dragging was extremely frustrating, given that every hour the vulnerability remained open meant that millions of students’ and parents’ sensitive data, including the children of Indian defense personnel, was at increased risk of being exploited.
We kept up the pressure, sending multiple reminders and pushing for updates. It was only by 1 May 2025, a full nine days after our initial disclosure, that PhysicsWallah finally confirmed they had fixed the vulnerability.
Delay to fix the vulnerability
What could have taken a maximum of one hour took PhysicsWallah more than 9 days: to secure their systems and stop the exposure of sensitive and confidential data of millions of people, including Indian defense personnel.
However, recognizing the national security dimension of the exposed data (given the defense connections), CyberX9 did not stop there. On 31 May 2025, we escalated the matter to Indian government authorities, including CERT-In (Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre). We shared details of the exposure. Both agencies acknowledged receipt, and CERT-In specifically thanked us for the responsible disclosure.
PhysicsWallah’s delayed response and lack of urgency reflect a deeply concerning disregard for cybersecurity, user privacy, and national security, a failing that deserves serious scrutiny and accountability.
We strongly recommend that companies treat cyber security not as optional but as one of the most important things they do. All companies should have regular security testing of their applications performed by experienced and skilled cyber security service providers to avoid such vulnerabilities. Organizations that handle massive amounts of sensitive and confidential data of millions of people, including defense personnel, should in particular have continuous security testing of their applications done by skilled cyber security service providers.
Note: If PhysicsWallah now tries to falsely deny or downplay any of our findings, despite previously acknowledging them, we will publish our complete correspondence with the company, along with additional evidence, to further substantiate every point.
Press: for any questions relating to this finding, feel free to contact us at press@cyberx9.com