
16-Year-Old Cybersecurity Researcher Exposes JEE Advanced 2026 Data Breach — 1.79 Lakh Student Records and Admit Cards Were Publicly Accessible

A 16-year-old cybersecurity researcher has exposed a major data security vulnerability on the JEE Advanced 2026 results website that left approximately 1.79 lakh student result records and 1.87 lakh admit card PDFs publicly accessible without any authentication. The discovery by Rylen Anil, who goes by the handle @DarthKermy72747 on social media platform X, prompted a swift acknowledgement from IIT Roorkee, the organising institute for JEE Advanced 2026, and raised serious questions about how India’s most prestigious engineering entrance examination manages sensitive candidate data.

What Was Exposed

According to Rylen Anil’s disclosure, the JEE Advanced 2026 candidate result infrastructure hosted at cdata.jeeadv.ac.in had a public cloud storage misconfiguration that exposed bulk candidate data without requiring any login credentials or authentication. The exposed data included approximately 179,600 result records containing candidate names, dates of birth, mobile numbers, and examination scores, as well as around 187,300 admit card PDFs that contained additional personal information including photographs, addresses, and examination centre details.

The vulnerability was classified as a cloud storage misconfiguration — a common but serious security lapse where storage buckets or containers are inadvertently left with public access permissions rather than being restricted to authorised users. Such misconfigurations have been responsible for numerous data breaches globally, including incidents involving government databases, healthcare records, and corporate customer data.

The data was read-only, meaning it could not be altered by unauthorised users, but the exposure still represented a significant privacy breach. Personal information like dates of birth and mobile numbers, combined with names and photographs from admit cards, could potentially be used for identity theft, targeted phishing attacks, or social engineering scams targeting JEE candidates and their families.

IIT Roorkee’s Response

IIT Roorkee responded publicly to Rylen Anil’s disclosure on its official X handle, acknowledging the issue and committing to corrective action. “Thank you @DarthKermy72747 for pointing out the configuration issue in the cloud storage device. The same is being plugged on priority,” the institute wrote. “The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour.”

The response was notable for its tone — rather than being defensive or dismissive, IIT Roorkee praised the teenager’s responsible disclosure, which follows accepted cybersecurity ethics of privately alerting organisations about vulnerabilities before making them public. This approach, known as responsible disclosure or coordinated vulnerability disclosure, gives organisations time to fix issues before they can be exploited by malicious actors.

However, cybersecurity experts pointed out that while IIT Roorkee’s response was commendable, the existence of such a basic misconfiguration raises concerns about the security practices employed during the development and deployment of the JEE Advanced results infrastructure. Cloud storage misconfiguration is consistently ranked among the top causes of data breaches globally, and standard security practices — including automated configuration audits and access control reviews — should have caught this vulnerability before the system went live.
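An automated configuration audit of the kind mentioned above can be as small as a policy check run before a storage bucket goes live. The article does not name the cloud provider, so this added example (not code from IIT Roorkee or the researcher) assumes an AWS S3-style bucket policy document; the bucket name, Sids and account ID are constructed. It separates anonymous read or list access, the kind of exposure reported here, from anonymous write access.

```python
from fnmatch import fnmatchcase

# S3 actions grouped by the kind of exposure they create (assumed S3-style policy).
EXPOSURE = {
    "read": ["s3:GetObject"],
    "list": ["s3:ListBucket"],
    "write": ["s3:PutObject", "s3:DeleteObject"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the principal is "*" or {"AWS": "*"}, i.e. anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket_policy(policy):
    """Return one finding per Allow statement that is open to anonymous principals."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # Action names are case-insensitive and may contain wildcards ("s3:*").
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        exposed = sorted(
            kind for kind, actions in EXPOSURE.items()
            if any(fnmatchcase(a.lower(), p) for a in actions for p in patterns)
        )
        if exposed:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"), "exposure": exposed,
                             "conditional": "Condition" in stmt})
    return findings

# Constructed sample policy (not taken from the incident).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicResults", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-results", "arn:aws:s3:::example-results/*"]},
    {"Sid": "UploaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-results/*"},
]}

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY):
        print(finding)
```

A finding with `"conditional": True` still needs human review, since a Condition block may or may not restrict access enough.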

A Pattern of Security Lapses in India’s Education Systems

This incident is not the first time India’s education and examination systems have faced security scrutiny. Earlier, ethical hackers had exposed vulnerabilities in the CBSE’s online marking portal, revealing gaps that could potentially compromise the integrity of board examination results. The National Testing Agency, which oversees JEE Advanced along with NEET and other national examinations, has also faced repeated scrutiny over its security practices following allegations of paper leaks and data manipulation.

The JEE Advanced data breach comes shortly after JEE Advanced 2026 results were declared, with Shubham Kumar topping the country. The timing suggests that the misconfiguration may have been introduced when the results infrastructure was set up or updated for the publication of results — a critical period when security reviews should have been most rigorous.

Legal and Privacy Implications

Under India’s Digital Personal Data Protection Act, 2023 (DPDPA), organisations that collect and process personal data are classified as “data fiduciaries” and are required to implement “reasonable security safeguards” to protect such data. While the DPDPA’s enforcement mechanisms are still being finalised through rules yet to be notified, the exposure of personal data belonging to nearly two lakh students could potentially attract scrutiny from the Data Protection Board once it is fully operational.

Legal experts note that the definition of “reasonable security safeguards” under the DPDPA is expected to include basic measures such as access control, encryption, and regular security audits — measures that, if properly implemented, would have prevented the cloud storage misconfiguration that Rylen Anil discovered.

For the affected students, the immediate risk is relatively limited given that the data was read-only and appears to have been discovered by a responsible researcher rather than a malicious actor. However, cybersecurity professionals recommend that JEE Advanced 2026 candidates remain vigilant against phishing attempts and unsolicited communications that reference their examination details, and that they monitor their mobile numbers for unusual activity.

The Teenage Researcher Behind the Discovery

Rylen Anil’s discovery highlights the growing role of young cybersecurity enthusiasts in identifying vulnerabilities that institutional security teams miss. At 16, Anil represents a generation of digital natives who have grown up with technology and developed sophisticated technical skills at an early age. His responsible approach to disclosure — alerting the organisation before publicising the vulnerability — demonstrates a maturity in cybersecurity ethics that many professionals develop only after years of experience.

The incident has also renewed calls for India to establish a formal vulnerability disclosure policy for government and educational institutions, similar to programmes like the US government’s Vulnerability Disclosure Policy and the European Union’s coordinated vulnerability disclosure framework. Such policies provide clear channels for researchers to report vulnerabilities without fear of legal repercussions and ensure that discovered issues are addressed systematically.

Ankit Thakur

Ankit Thakur is an Editor at Daily Tips overseeing sports and entertainment coverage. A lifelong sports enthusiast with years of journalism experience, he covers cricket, kabaddi, football, esports, and gaming. He also manages the publication's entertainment vertical, bringing insider knowledge and passionate storytelling to every piece.
