Provident fund data of 28 crore Indian citizens leaked by hackers, claims researcher

Leaked data included UAN, names, Aadhaar details, bank account details, marital status and other sensitive information.

Highlights
  • A cybersecurity researcher identified a leak of data on 28 crore Indian PF users by hackers on August 1st.
  • The exposed data includes sensitive user details that hackers could have used to create fake identities and documents and to gain access to the respective PF accounts.
  • However, the source of the hackers has not yet been identified, and no agency or company has claimed responsibility for the leak so far.

Bob Diachenko, a Ukraine-based cybersecurity researcher, has revealed that sensitive information of 28 crore Provident Fund account holders in India has been leaked by hackers. The leak contains personal information such as Universal Account Number (UAN), names, Aadhaar details, bank account details, marital status, gender, DOB, etc. No agency or company has claimed responsibility for this data leak so far.


The researcher has brought the matter to the notice of the Indian Computer Emergency Response Team (CERT-In). The agency replied to the tweet, asking Diachenko to share the report of the incident with the agency via email.

PF Account data leaked

In a LinkedIn post, Diachenko explained how on August 2nd, two search engines from his SecurityDiscovery firm identified two separate IPs containing indices called “Universal Account Number” or UAN. UAN is a unique 12-digit number allotted by the Employees’ Fund Organisation to a Provident Fund holder. The first IP contained 280,472,941 records and the second IP had 8,390,524 records.


Diachenko ran a review of these samples and realised that it was “something big and important.” He said that, considering the scale and sensitivity of the matter, he decided to take the revelation to Twitter and LinkedIn. Within 12 hours of his tweet, both IPs were taken down and became unavailable. He also revealed that these two IPs were based in India and operated on Microsoft’s Azure cloud, and that even after a reverse DNS analysis the source of the hackers could not be traced.

Even though the hacking was identified earlier this month, the exact date of the leak still cannot be determined, according to Diachenko. Thus, how long this information was available online before the system could identify it is a mystery for now. It is important to note that this information can be used to create fake identities and documents and to gain access to the respective PF accounts.