French cyber security researcher Baptiste Robert, who goes by the name Elliot Alderson online, has exposed an Aadhaar leak on gas company Indane’s website.
In a post on Medium, Alderson broke down how the part of Indane’s website meant for dealers and distributors was exposing an estimated 6.7 million Aadhaar numbers through this leak. The leak was brought to his attention through a private message on Twitter.
Indane’s portal for dealers and distributors is meant to be accessible only with a valid username and password. According to TechCrunch, however, because this part of the site is indexed on Google, anybody could access it without having to log in.
Alderson used a custom-built script and found the customer details for 11,000 dealers. The data retrieved included customer names, addresses and Aadhaar numbers.
Alderson says he was able to access 5.8 million customer records before his script was blocked by Indane. He estimates that around 6.79 million customers have been affected by this leak.
Alderson added that he made the leak public on Tuesday after receiving no response from Indane.
TechCrunch said it verified a sample of the leaked Aadhaar numbers on the UIDAI website and found them to be a match.
According to its website, Indane serves 140 million households. Last year, security researcher Karan Saini found an endpoint on a system run by Indane that would let anyone download Aadhaar details, ZDNet reported. The endpoint was pulled offline after the leak was made public and UIDAI issued a statement saying there had been no data breach.