wordpress blog stats
Connect with us

Hi, what are you looking for?

Hacking group Lulzsec India alleges massive Aadhaar and PAN data breach

Aadhaar virtual id

A Twitter handle of anonymous hackers (who claim to be a group) by the name Lulzsec India have tweeted about a vulnerability involving 22,000 Aadhaar and PAN cards. They have refused to provide further information till the vulnerability is patched. The screenshot they have tweeted appears to show numbered folders and image documents of an Aadhaar card and the name “Kamlesh Tiwari” written by hand – which could be the scan of a signature.

The breach does not appear to be a website vulnerability, but a poorly coded server related to PAN applications, that allows malicious hackers unlimited file management access over ftp. As of now, it is not known which server this information is on and the group refuses to reveal further details till the vulnerability is fixed. (Note: MediaNama is not publishing the link to the tweet, as it contains unredacted information about the Aadhaar in the image.)

“We all live in country where cyber security made stronger only by court orders and useless statements of denial and not secure coding practices.” said Lulzsec India when approached via private messages for more information related to the breach.

Other security issues reported by Lulzsec India include vulnerabilities that allowed logging into the Rajya Sabha server and that ISRO Bhuvan Mapper was running on 7-year-old server code and was vulnerable to all the security issues that had been revealed in that time.

Some instances of website or application breaches

  • July 28, 2017 – Abhinav Srivastava, co-founder of Quarth technologies created an “Aadhaar e-KYC” app that accessed the UIDAI API without authorization.
  • September 10, 2017 – During the Kanpur Fake Aadhaar Enrollment scam, the enrollment software was found to be reverse engineered to bypass iris scan authentication for operators.
  • January 4, 2018 – The Tribune had reported access to Aadhaar data could be purchased for as little as Rs. 500 on social media.
  • January 4, 2018 – The Quint reported that data admins could create other data admin accounts at discretion – without any checks.
  •  January 9, 2018 – The UIDAI suspended the access of 5,000 officials for the UIDAI database without authorization (after the Tribune breach report, but apparently separate from both The Tribune and The Quint reports, as these were officials who had access – without authorization? – that got blocked)
  • January 12, 2018 – French security researcher “Elliot Alderson” reported vulnerabilities in the mAadhaar app

Some other large breaches of Aadhaar data

  • May 2, 2017 – CIS India reported that details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone.
  • July 9, 2017 – An independent website called MagicAPK (since removed) was leaking data of 120 million Jio customers. Querying the website by phone number returned details such as name, email, circle, SIM activation date and Aadhaar number. While Jio denied the data as unauthentic, it was independently verified by many people. Initial subscribers were more affected.
  • July 20, 2017 – The government admitted that around 210 government websites had been leaking sensitive information including Aadhaar.
  • January 5, 2018 – India Today had published a sting operation that showed that details of Aadhaar card applicants could be obtained from enrollment agents for as little as Rs.2 – 5 per applicant.

Advertisement. Scroll to continue reading.
Written By

Vidyut is a commentator on socio-political issues with a keen interest in behavioral sciences, digital rights and security and manages to engage her various proficiencies to bring an unusual perspective to issues related with the intersection of tech and people.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ