PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web

Hundreds of millions of PII records belonging to Indian residents, including Aadhaar cards, are being offered for sale on the Dark Web.

PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web

In early October, Resecurity’s HUNTER (HUMINT) unit identified hundreds of millions of personally identifiable information (PII) records belonging to Indian residents, including Aadhaar cards, being offered for sale on the Dark Web. An Aadhaar is a unique, 12-digit individual identification number “issued by the Unique Identification Authority of India on behalf of the Government of India,” according to the UIDAI website. 

With roughly 1.4 billion Aadhaars issued by the UIDAI since this ID service launched in 2009, this system represents one of the largest biometric ID programs on the planet, according to a report published by think tank Brookings Institution. Resecurity’s discovery follows the publication of a report by credit-rating agency Moody’s last month questioning the reliability of the Aadhaar system’s biometric authentication controls. The Moody’s report also warned that there are security and privacy vulnerabilities in Aadhaar’s centralized system.

On September 25, the Indian government’s Press Information Bureau published a statement refuting the Moody’s report. The PIB’s rebuttal said Moody’s failed to “cite either primary or secondary data or research in support of the opinions presented in it.” The PIB also said that “no breach has been reported from Aadhaar database” to date. The HUNTER unit’s Dark Web sleuthing yielded findings that suggest otherwise, although the ultimate source of the leaks discussed in this report remains unclear.

Powered by the core biometric markers of 10 fingerprints and two iris scans, Aadhaars function as digital IDs. Aadhaars facilitate electronic payments, online Know Your Customer (e-KYC) verification, and compatibility with various Indian financial platforms. The Election Commission of India has also moved to link its voter registration database with the Aadhaar system. As of February 2023, 60% of India’s eligible voters, or 945 million people, had linked their Aadhaar card to their voter IDs, according to local media reports.

Resecurity’s HUNTER investigators identified two threat actors brokering access to Indian PII and Aadhaar records on Breach Forums, a leading cybercriminal hub. In October, Resecurity flagged a thread posted by a threat actor using the online handle ‘pwn0001,’ claiming they were in possession of a database containing 815 million Indian citizen Aadhaar and passport records. Concurrently, the actor shared spreadsheets containing four large leak samples with fragments of Aadhaar data as a proof. One of the leaked samples contains 100,000 records of PII related to Indian residents.

In August, another threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organization.” This data set contained an even more extensive array of PII data than pwn0001‘s.

According to Resecurity, one of the main sources of this data – breached 3d parties attacked by cybercriminals to steal PII. Typically, such data is collected by financial institutions, lending companies and mobile carriers, which makes them a target for cyber attacks.

Resecurity’s discovery coincides with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.

The leak of PII data containing Aadhaar (and other details) of Indian citizens on the Dark Web creates a significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online banking theft, tax refund frauds, and other cyber-enabled financial crimes. Resecurity observed a spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors looking to harm Indian nationals and residents. To mitigate this risk, Resecurity acquired the published data set on Dark Web and notified victims of the leaked identities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Aadhaar)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Law enforcement operation dismantled phishing-as-a-service platform LabHost

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…

20 mins ago

Previously unknown Kapeka backdoor linked to Russian Sandworm APT

Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…

5 hours ago

Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available

Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…

8 hours ago

Linux variant of Cerber ransomware targets Atlassian servers

Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…

21 hours ago

Ivanti fixed two critical flaws in its Avalanche MDM

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…

1 day ago

Researchers released exploit code for actively exploited Palo Alto PAN-OS bug

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…

1 day ago

This website uses cookies.