As revealed by French security researcher Elliot Alderson (Baptiste Robert), an Indane Gas endpoint leaked Aadhaar numbers together with names and addresses, affecting at about 6.8 million Indians. The tip came from another person on February 10 who remains anonymous as the Indian authorities aren’t very fond of security tipsters, the issue was reported to Indane on February 15 by Alderson, and as no answer was received, it has just been disclosed to the public. The problem was located in Indane’s “local dealers” portal that was misconfigured to allow access without using any login credentials, even getting indexed in Google.
The problem concerned part of the website, but that part corresponds to customer data of 11000 dealers of Indane gas, taking the number of the affected people to 6.7 million. The leaking of Aadhaar numbers together with the associated names is very serious, as Aadhaar is something like an empowered social security number for Indian citizens. It is a 12-digit number issued by UIDAI (Unique Identification Authority of India), and it is used as an identity verification tool in many cases, from bank loan requests to healthcare provision. Stealing this number is the equivalent of identity theft, as a vile person could pose as the victim for personal benefits. Aadhaar enrollment is optional, but due to the many advantages and convenience that comes with it, more than 90% of India’s population has an Aadhaar number.
It’s time to publish the details of the biggest #DataLeak I had to deal with. @IndianOilcl leaked #Aadhaar numbers: 6,700,000 Aadhaar numbers https://t.co/QJaDZlOBcR
— Baptiste Robert (@fs0c131y) February 19, 2019
Initially, the researcher wasn’t sure about the extent of the affected citizens' number, as Indane actually serves more than 90 million families in their network. To figure out the scope of the damage, he developed a Python script that scraped all records of the dealers portal and tested each dealer ID to see if it’s secure or open to access. The end result of the script parsing gave out 6791200 customers or about 7.5% of Indane’s client base. Indane has issued nothing relevant on their website or official Twitter handle, showing no spirit of sharing this dire news with the people who were affected. The same trodden was followed by UIDAI who could at least notify the 6.8 million citizens to reset their Aadhaar and stay protected against identity theft actors.
Are you an Indane customer worried about your Aadhaar being leaked out? Share your thoughts and concerns in the comments section below, and don’t forget to help us spread the word about this incident by liking and sharing this post on our socials, on Facebook and Twitter.