Security

PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web

Hundreds of millions of PII records belonging to Indian residents, including Aadhaar cards, are being offered for sale on the Dark Web.

PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web

In early October, Resecurity’s HUNTER (HUMINT) unit identified hundreds of millions of personally identifiable information (PII) records belonging to Indian residents, including Aadhaar cards, being offered for sale on the Dark Web. An Aadhaar is a unique, 12-digit individual identification number “issued by the Unique Identification Authority of India on behalf of the Government of India,” according to the UIDAI website. 

With roughly 1.4 billion Aadhaars issued by the UIDAI since this ID service launched in 2009, this system represents one of the largest biometric ID programs on the planet, according to a report published by think tank Brookings Institution. Resecurity’s discovery follows the publication of a report by credit-rating agency Moody’s last month questioning the reliability of the Aadhaar system’s biometric authentication controls. The Moody’s report also warned that there are security and privacy vulnerabilities in Aadhaar’s centralized system.

On September 25, the Indian government’s Press Information Bureau published a statement refuting the Moody’s report. The PIB’s rebuttal said Moody’s failed to “cite either primary or secondary data or research in support of the opinions presented in it.” The PIB also said that “no breach has been reported from Aadhaar database” to date. The HUNTER unit’s Dark Web sleuthing yielded findings that suggest otherwise, although the ultimate source of the leaks discussed in this report remains unclear.

Powered by the core biometric markers of 10 fingerprints and two iris scans, Aadhaars function as digital IDs. Aadhaars facilitate electronic payments, online Know Your Customer (e-KYC) verification, and compatibility with various Indian financial platforms. The Election Commission of India has also moved to link its voter registration database with the Aadhaar system. As of February 2023, 60% of India’s eligible voters, or 945 million people, had linked their Aadhaar card to their voter IDs, according to local media reports.

Resecurity’s HUNTER investigators identified two threat actors brokering access to Indian PII and Aadhaar records on Breach Forums, a leading cybercriminal hub. In October, Resecurity flagged a thread posted by a threat actor using the online handle ‘pwn0001,’ claiming they were in possession of a database containing 815 million Indian citizen Aadhaar and passport records. Concurrently, the actor shared spreadsheets containing four large leak samples with fragments of Aadhaar data as a proof. One of the leaked samples contains 100,000 records of PII related to Indian residents.

In August, another threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organization.” This data set contained an even more extensive array of PII data than pwn0001‘s.

According to Resecurity, one of the main sources of this data – breached 3d parties attacked by cybercriminals to steal PII. Typically, such data is collected by financial institutions, lending companies and mobile carriers, which makes them a target for cyber attacks.

Resecurity’s discovery coincides with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.

The leak of PII data containing Aadhaar (and other details) of Indian citizens on the Dark Web creates a significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online banking theft, tax refund frauds, and other cyber-enabled financial crimes. Resecurity observed a spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors looking to harm Indian nationals and residents. To mitigate this risk, Resecurity acquired the published data set on Dark Web and notified victims of the leaked identities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Aadhaar)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows and Qualcomm bugs to its Known…

3 hours ago

Three new Ivanti CSA zero-day actively exploited in attacks

Software company Ivanti released security patches for three new CSA zero-day vulnerabilities actively exploited in…

13 hours ago

Ukrainian national pleads guilty in U.S. court for operating the Raccoon Infostealer

Ukrainian national pleads guilty in U.S. court for operating the Raccoon Infostealer, used to steal…

16 hours ago

Qualcomm fixed a zero-day exploited limited, targeted attacks

Qualcomm warns of 20 flaws in its products, including a potential zero-day vulnerability, in the…

21 hours ago

MoneyGram discloses data breach following September cyberattack

MoneyGram disclosed a data breach following a cyberattack in September, during which threat actors stole…

1 day ago

American Water shut down some of its systems following a cyberattack

American Water, the largest publicly traded water and wastewater utility company in the US, shut…

1 day ago

This website uses cookies.