Provident Fund Data of 28 Crore Indians Leaked By Hackers, Claims Ukraine Based Researcher

The PF data was leaked earlier this month and includes UANs, names, Aadhaar, and bank account details.

Provident Fund Data of 28 Crore Indians Leaked By Hackers, Claims Ukraine Based Researcher

Photo Credit: EPFO

Details such as UANs, names, Aadhaar details, gender, and bank account details were exposed

Highlights
  • Leaked data was hosted on Microsoft’s Azure service
  • The researcher informed CERT-In about the leak
  • The data contained Aadhaar and bank details

Provident Fund (PF) data of about 28 crore Indians was found to have been leaked by hackers earlier this month. A cybersecurity researcher from Ukraine, Bob Diachenko, made the discovery on August 1 and found that details such as Universal Account Number (UANs), names, marital status, Aadhaar details, gender, and bank account details were exposed online. According to Diachenko, he found two different internet protocol (IP) addresses hosting two clusters of leaked data. Both of these IPs were hosted on Microsoft's Azure cloud storage service.

Cybersecurity researcher Bob Diachenko detailed the leak in a post on LinkedIn. On August 2, Diachenko discovered two separate IP clusters of data that contained indices called UAN. Upon reviewing the clusters, he found that the first cluster contained 280,472,941 records, whereas the second IP contained 8,390,524 records.

“After quick review of the samples (using a simple browser), I was sure that I am looking at something big and important”, Diachenko said in his post. However, he was not able to find who owned the data. Both the IP addresses were hosted on Microsoft's Azure platform and were India-based. He wasn't able to obtain other information via a reverse DNS analysis.

The Shodan and Censys search engines from Diachenko's SecurityDiscovery firm found these clusters on August 1. However, it is not clear how long the information was available online. The data could've been misused by hackers to gain access to the PF account. Data such as name, gender, Aadhaar details, could also be used to create fake identities and documents.

The researcher tagged the Indian Computer Emergency Response Team (CERT-In) in a tweet informing them about the leak. The CERT-In replied to his tweet asking him to provide a report of the hack in an email. Both IP addresses were taken down within 12 hours after his tweet. Diachenko says that since August 3, no company or agency has come forward to take responsibility for the hack

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Raksha Bandhan 2022: Best Tech Gift Ideas That Your Sibling Will Love
Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2022. All rights reserved.