What is new?
This time, a record 6.7 million records were leaked through an LPG company. The company did not necessarily leak them deliberately, but complacency about its cyber security infrastructure left it vulnerable to data theft. Note that Aadhaar data was leaked through this company. The logic is simple: if the central Aadhaar database itself cannot be hacked, vulnerable sources become the target instead.
Which company leaked it?
Surprisingly, it is a state-owned company in India: Indane is apparently leaking the data. This is not the first instance in which Aadhaar information has been leaked. Aadhaar is a unique number assigned to each citizen as part of India’s biometric identity programme maintained by the government’s Unique Identification Authority of India (UIDAI).
Who noticed the leak?
The leak was noticed by an Indian researcher together with a French security researcher named Robert, who goes by the code name “Elliot Alderson” on Twitter.
Where did the leak originate?
The leak originates in Indane’s online dealer portal, which lacks authentication and could therefore allow anyone to view the records of thousands of customers associated with their respective dealers.
What is the severity?
Robert analyzed the issue and found that the data of millions of Indian citizens can be accessed by anyone who knows every dealer’s username, which he later found to be possible in conjunction with another vulnerability in Indane’s mobile app.
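For defenders, a flaw of this kind (customer records served without authentication, keyed by dealer username) leaves recognizable patterns in access logs. The following is an added example, not code from the original article or from Indane; the log format, the `/dealer/customers` path, the session field and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines in a hypothetical format:
# client IP, method, path?dealer=<username>, HTTP status, session id ("-" = none).
SAMPLE_LOG = """\
203.0.113.7 GET /dealer/customers?dealer=dealer0001 200 -
203.0.113.7 GET /dealer/customers?dealer=dealer0002 200 -
203.0.113.7 GET /dealer/customers?dealer=dealer0003 200 -
203.0.113.7 GET /dealer/customers?dealer=dealer0004 200 -
198.51.100.20 GET /dealer/customers?dealer=dealer0042 200 sess-9f2c
198.51.100.20 GET /dealer/customers?dealer=dealer0042 200 sess-9f2c
198.51.100.33 GET /dealer/customers?dealer=dealer0007 401 -
192.0.2.15 GET /dealer/customers?dealer=dealer0010 200 sess-71ab
192.0.2.15 GET /dealer/customers?dealer=dealer0011 200 sess-71ab
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+\?dealer=(?P<dealer>[\w.-]+) "
    r"(?P<status>\d{3}) (?P<session>\S+)$"
)

def analyze(log_text, max_dealers=3):
    """Flag the three patterns the portal flaw would leave in access logs."""
    unauthenticated = []              # customer records served with no session
    dealers_seen = defaultdict(set)   # (ip, session) -> dealer usernames read
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue                  # only successful reads expose data
        if m["session"] == "-":
            unauthenticated.append((m["ip"], m["dealer"]))
        dealers_seen[(m["ip"], m["session"])].add(m["dealer"])
    return {
        "unauthenticated": unauthenticated,
        # One client walking through many dealer usernames (mass enumeration).
        "enumeration": {k: sorted(v) for k, v in dealers_seen.items()
                        if len(v) > max_dealers},
        # Assumption: a logged-in dealer should only read its own customers.
        "cross_dealer": {k: sorted(v) for k, v in dealers_seen.items()
                         if k[1] != "-" and len(v) > 1},
    }

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

Any hit in `unauthenticated` means the server returned customer data without a session, which is the access-control failure itself; the other two lists help scope how much was read and by whom.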
Where do these leaks go?
It is highly possible that the data will go straight to the internet, both clearnet and dark web, within underground hacking forums. Such data is in high demand, especially among cybercriminals who engage in fraud and identity theft, and it can be sold for a good amount because of its relevance to possible social engineering attacks. Our dark web monitoring activities have also previously discovered that the trade in leaked Aadhaar data and other leaked data thrives in forums and marketplaces on the dark web.