IITs deny JEE Advanced data breach; CBSE files plaint over cyber attacks

New Delhi: The IITs on Friday strongly rejected claims circulating on social media regarding a "data breach and privacy violation" involving the Joint Seat Allocation Authority (JoSAA) portal for JEE Advanced, terming them "misleading and factually incorrect". Meanwhile, the CBSE lodged a complaint with the Delhi Police regarding "coordinated cyber-attacks" on its Post-Result Services Portal, currently hosting answer-sheet re-evaluation and verification request submissions.

On JEE Advanced, IIT Roorkee - while acknowledging that an ethical hacker, Rylen Anil, had identified a "misconfiguration" in a cloud storage system that arose during a technical exercise on June 2 - underlined that the issue was immediately rectified with access to the data restricted. "The affected storage was read-only, meaning no data could be edited or deleted. An analysis of cloud access logs confirmed that no bulk download occurred (read-only access accounted for less than 0.05% of the data). No sensitive information was compromised or mass-extracted. This incident had no impact on examination outcomes, including marks, ranks and candidates' categories," IIT Roorkee, the coordinating institute for JEE Advanced this year, said in a statement on X.

According to IIT Roorkee, some technical interventions were carried out on June 2 to assist candidates experiencing difficulties in accessing admit card data, resulting in a "minimal, temporary misconfiguration in a cloud storage component".


IIT Roorkee emphasised that attempts to "misrepresent this technical event" and undermine public trust in the examination system are deeply concerning and should be discouraged. Most IITs also shared IIT Roorkee's statement, assuring that the JEE Advanced portal is secure.

Meanwhile, CBSE, reeling under repeated controversies over its On-Screen Marking (OSM) mechanism, lodged a complaint with the Delhi Police regarding "coordinated cyber attacks" on its Post-Result Services Portal. The board said on X that all attacks were successfully mitigated through 24x7 monitoring, with "no data breach or compromise of systems". The CBSE portal went live on June 2 at 4:30 am and, within two minutes, recorded approximately 1.5 million access requests. In addition, over 100,000 unauthorised access attempts were detected and blocked, government sources said, pointing to a DDoS-type pattern evident in the traffic profile of the coordinated high-volume requests.

The attacks were successfully mitigated through a multi-layered security architecture deployed after cybersecurity teams from IIT Kanpur and IIT Madras conducted full technical audits to address vulnerabilities and take corrective measures related to scanning and platform deficiencies.

As of June 4, 2026, a total of 70,433 successful applications had been received through the CBSE post-result grievance redressal process, including 7,314 applications for Verification of Marks and 63,119 applications for re-evaluation.