A 16-year-old cybersecurity researcher has alleged a major data exposure linked to the JEE Advanced 2026 result infrastructure, raising concerns over the security of sensitive student information associated with one of India’s most competitive entrance examinations.

The researcher, known online as “DarthKermy”, claimed to have discovered a cloud storage misconfiguration that allegedly left a large volume of JEE Advanced candidate data publicly accessible without requiring authentication. The same researcher had previously highlighted alleged vulnerabilities in the National Testing Agency (NTA) portal ahead of the NEET-UG re-test.

IIT Roorkee later issued a clarification thanking the X user and said the issue was “being plugged on priority”.

Nearly 1.8 lakh result records allegedly exposed

According to details shared on X (formerly Twitter), nearly 1.79 lakh result records and around 1.87 lakh admit card PDFs were allegedly exposed online. The data reportedly included candidates’ names, dates of birth, mobile numbers and other personal information.

The researcher said the issue appeared to be the result of a cloud storage configuration error rather than a cyberattack, password breach or unauthorised system intrusion.

The disclosure quickly drew attention from students, parents and cybersecurity professionals. Given that JEE Advanced is the gateway to the Indian Institutes of Technology (IITs) and is taken by lakhs of engineering aspirants each year, the scale of the alleged exposure has intensified concerns about data protection practices in the examination system.

IIT Roorkee responds to the disclosure

Responding to the claims, IIT Roorkee, the organising institute for JEE Advanced 2026, acknowledged the issue and said corrective action was being taken. “Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority. The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour,” IIT Roorkee said in a public response on X.

The institute indicated that the exposed files were available with read-only permissions, suggesting that the data could be viewed but not altered. However, cybersecurity experts note that unauthorised access to personal information can still create significant privacy and security concerns even if records cannot be modified.

Several questions remain unanswered. IIT Roorkee has not yet disclosed how long the data was exposed, whether any unauthorised parties accessed the information, or whether affected candidates will be formally informed about the incident.

Fresh focus on examination data security

The episode is expected to renew scrutiny of how examination authorities collect, store and protect the personal information of students. As India’s education system becomes increasingly digital, experts say institutions must strengthen safeguards to ensure sensitive candidate data remains secure.