Aadhaar numbers leaked in the millions, says security researcher

Aadhaar Booth

A French researcher has claimed that he found a security lapse that allegedly exposed millions of Aadhaar numbers of dealers and distributors associated with Indane, an LPG brand owned by the Indian Oil Corporation (IOC).

Baptiste Robert, who goes by the online handle Elliot Alderson and has exposed Aadhaar leaks in the past, wrote in a blog post on Medium late Monday that the Aadhaar data of nearly 6.7 million dealers and distributors of Indane, accessible only with a valid username and password, was left exposed.

“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” said Alderson. “I wrote the python script. By running this script, it gives us 11062 valid dealer ids. After more than 1 day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.”

Using a custom-built script to scrape the database, Alderson found customer data for nearly 11,000 dealers, including names and addresses of customers, before his IP was blocked by Indane. The French researchers found 5.8 million Indane customer records before his script was blocked.

Related news: Google says sorry, takes the blame for Aadhaar helpline row

“Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200,” Alderson added.

Indane and the Unique Identification Authority of India (UIDAI) were yet to comment on this data leak.