Teen uncovers alleged JEE Advanced data exposure affecting lakhs

A 16-year-old cybersecurity researcher has alleged a major data exposure linked to the JEE Advanced 2026 result infrastructure, raising concerns about the security of sensitive information belonging to lakhs of engineering aspirants across India.

The researcher, who goes by the online handle "DarthKermy", claimed to have discovered a cloud storage misconfiguration that allegedly made a large volume of candidate data publicly accessible without any authentication.

In a disclosure shared on social media, the teenager said nearly 179,600 result records and around 187,300 admit-card PDFs could be accessed online. The exposed data reportedly included candidates' names, dates of birth, mobile numbers and other personal information.

The researcher said the incident appeared to be the result of a cloud storage configuration error rather than a cyberattack, password breach or unauthorized system intrusion.

While no conventional hacking was involved, cybersecurity experts caution that such exposures can still carry serious consequences. Publicly accessible personal information can be exploited for phishing attempts, identity theft, targeted scams and other forms of misuse.

The disclosure quickly drew attention online, prompting concern among students, parents and cybersecurity professionals. Given that JEE Advanced is the gateway to the Indian Institutes of Technology (IITs) and attracts lakhs of candidates every year, the alleged scale of the exposure has intensified scrutiny of data protection practices surrounding major examinations.

Responding publicly, IIT Roorkee, the organizing institute for JEE Advanced 2026, acknowledged the issue and said corrective action was being taken.

"Thank you @DarthKermy72747 for pointing out the configuration issue in the cloud storage device," the institute said in its response.

The statement indicated that the exposed files were accessible only in read-only mode, meaning they could be viewed but not altered. However, experts note that unauthorized access to personal data can pose significant privacy and security risks even when records cannot be modified.

Several key questions remain unanswered. IIT Roorkee has not disclosed how long the information was exposed, whether any unauthorized parties accessed the data, or whether affected candidates will be formally informed. As a result, the full extent of the impact remains unclear.

The incident is expected to renew debate over how examination authorities collect, store and safeguard the personal information of millions of students. As India's education ecosystem becomes increasingly digital, institutions face growing pressure to strengthen cybersecurity measures alongside conducting examinations efficiently.

For many observers, the episode underscores how a single configuration error, rather than a sophisticated cyberattack, can potentially expose sensitive information on a massive scale. Even as IIT Roorkee works to address the issue, the disclosure has reignited broader concerns about privacy, accountability and data security standards across India's education sector.