Data Of 68 Lakh People Was Exposed In The Lastest Aadhaar Breach

Dhir Acharya - Feb 20, 2019

Aadhaar has been more than just a security system. However, does it mean that criminals couldn’t break the system and steal user data?

3.2 Billion Email And Password Pairs Have Been Leaked, Here's How To Check If You Are Affected
Delhi Police Can Hack Your Smartphone To Extract Data Even If It's Locked
Hackers Found An Unpatchable Weakness In A Security Feature That Has Protected Apple Users For Years

Aadhaar, since it was created, has been more than just a security system. However, does it mean that criminals couldn’t break the system and steal user data?

Obviously, Aadhaar can be abused, proven by a recent leak happening to one major LGP providers. In particular, Indane, a state-owned gas firm, left some of its database exposed including information about distributors and dealers. If this can make you feel a bit relieved, it is likely that only usernames and passwords are accessible. The data was then indexed by Google, giving anyone the necessary know-how for bypassing the login altogether.

The leak went public after Baptiste Robert, a cybersecurity researcher, posted in Medium about how an anonymous white hat hacker gave him a hint. Anyway, UIDAI (Unique Identification Authority of India) responded to reports of system leaks, saying that it’s false while police complaints also surfaced. Going by the handle ElliotAlderson on Twitter, Robert has figured out various breaches on Aadhaar before.

According to Robert, he investigated the bug, from that built his own script to steal data from the company’s database and the Indane Android app, and eventually recovered information of 11062 LPG dealers. After testing, he could confirm that the exposed details of 5,826,116 customers were valid. Robert estimated the data, which resulted in a conclusion that a total of 6,791,200 LPG customers of Indane suffered from this breach, got their Aadhaar numbers, names, and full addresses leaked online.

The tip came to Robert on February, he said, and by February 15, he had confirmed enough data to inform Indane about the data breach. After four days of getting no response from the company, Robert publicized the breach on the Internet.

Last year, Indane was also involved in a data breach in which it was discovered to leak data from another endpoint directly connected to the official Aadhaar database.

What to consider here is whether coming data breaches can lead to changes in the flimsy security of Aadhaar system and will the authorities do something about this instead of ignoring the problem.