A French researcher has claimed that he found a major security lapse that allegedly exposed millions of Aadhaar numbers of dealers and distributors associated with Indane, an LPG brand owned by the Indian Oil Corporation
Baptiste Robert, who goes by the online handle Elliot Alderson and has exposed Aadhaar leaks in the past, wrote in a blog post on Medium late Monday that the Aadhaar data of nearly 6.7 million dealers and distributors of Indane, accessible only with a accessible only with a valid username and password, was left exposed.
“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” said Alderson. Using a custom-built script to scrape the database, Alderson found customer data for nearly 11,000 dealers, including names and addresses of customers, before his IP was blocked by Indane.
“I wrote the python script. By running this script, it gives us 11062 valid dealer ids. After more than 1 day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak,” he wrote.
The French researchers found 5.8 million Indane customer records before his script was blocked.
“Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200,” Alderson added.
Indane and the Unique Identification Authority of India (UIDAI) were yet to comment on this data leak.