Aadhaar Leak Row: Only 10% stolen data has user UID details, claims dark web seller

In a startling revelation, an American cybersecurity agency named Resecurity has unearthed a massive data breach that has impacted more than 81.5 crore Indian citizens.

The agency has exposed that the data, encompassing a vast number of Indian individuals, has appeared on the dark web and is purportedly available for sale by an individual using the alias ‘pwn0001.’ A recent report by MoneyControl delves into the details of this alarming breach, shedding light on its origin and the sensitive information it contains.

According to Resecurity, the compromised database, comprising data from over 81.5 crore Indians, was acquired in bulk from another source on the dark web. Shockingly, it is disclosed that this extensive data repository was procured from a now-closed dark web forum in the previous year for a sum of $50,000 (equivalent to Rs 41.64 lakh).

The compromised database was initially advertised as containing crucial information such as Aadhaar and Passport details of Indian citizens. However, the individual behind the alias ‘pwn0001’ has since clarified that only a meagre 10 per cent of the dataset actually includes Aadhaar details, and passport details are found in only a few thousand records. In a further revelation, the hacker expressed the intent to sell this database for $80,000 as an effort to recoup their investment.

To substantiate the validity of the compromised data, the cybersecurity agency Resecurity disclosed that ‘pwn0001’ presented spreadsheets to potential buyers as proof. These spreadsheets contained fragments of Aadhaar data.

In a particular instance, one of these fragments contained information related to 1,00,000 individuals residing in India. Resecurity’s HUNTER team subsequently verified some Aadhaar Card IDs using this sample data.

The timing of this data breach is noteworthy as India has recently passed the Digital Personal Data Protection Act, which imposes significant penalties on platforms responsible for leaking personal data. Under this law, fines of up to Rs 250 crore can be levied in cases of data breaches. However, it is worth noting that the law has not been implemented as of yet.

Additionally, Resecurity previously reported another alleged breach in August, involving a substantial 1.8 terabytes of data attributed to an ‘Indian internal law enforcement organization.’

This dataset purportedly contained personally identifiable information, including Aadhaar IDs, Voter IDs, and driving license records. Nevertheless, the Indian government has not officially confirmed or denied the occurrence of this data breach at this time.

(With input from agencies)