Aadhar—the 12-digit identity that ties together everything from SIMs to subsidies—has surfaced again in a massive data leak. But this time, the issue isn’t a single hack. It’s an amalgamation of cascading breaches happening over years, through weak third-party portals, misconfigurations, corrupt officials, and public exposure. This article dives into who leaked it, how it happened, and what you must do now.
1. The Billion-Person Dark Web Dump (“pwn0001”)
In October 2023, cybersecurity firm Resecurity uncovered that a threat actor using the alias “pwn0001” advertised the personal data—Aadhaar and passport info—of 815 million Indians (81.5 crore) for just $80,000 (zeebiz.com).
- The dataset included names, phone numbers, addresses, Aadhaar & passport numbers—verified via UIDAI’s “Verify Aadhaar” portal (livemint.com).
- Resecurity confirmed this stemmed from third-party systems, likely used for KYC, SIM issuance, healthcare, or government services—not the Aadhaar database itself .
Reddit users weighed in too:
“On October 9th… pwn0001 posted… access to 815 million Indian citizen Aadhaar & Passport records.” (reddit.com)
2. Government-Portals Gone Rogue
It’s not just underground hackers. Multiple government websites over the years have accidentally exposed Aadhaar numbers and bank info:
- In 2017, four public portals—rural development and welfare schemes—leaked information of 130–135 million people, including Aadhaar and bank details (cis-india.org).
- UIDAI later acknowledged over 200 government websites had inadvertently made Aadhaar details public (en.wikipedia.org).
These weren’t dramatic breaches—they were sloppy misconfigurations, yet they had massive reach.
3. Biometric & Ration-Scheme Frauds
On the ground, data misuse happens often:
- In Uttar Pradesh, officials manipulated Aadhaar-linked biometric authentication to divert rations from genuine beneficiaries. Some Aadhaar numbers were used 100+ times by fraudsters (reddit.com, reddit.com).
This shows how insider collusion—not just hackers—can turn Aadhaar data into an enabler of large-scale fraud.
Why These Breaches Keep Happening
Cause
Explanation
Third-party vulnerabilities
KYC vendors, portals, SIM issuance platforms hold Aadhaar info but often lack proper security (securityaffairs.com).
Misconfigured public portals
Govt sites with lax access controls overcompensate integration but leak data broadly .
Corruption and fraud
Data misuse by officials—like ration scams—is rampant in some regions .
Limited UIDAI oversight
UIDAI can’t control how 3rd parties store and secure data once shared. Errors accumulate .
The Consequences
- Identity theft: Aadhaar + demographic data = powerful credential for opening fake accounts or fraud.
- Social engineering attacks: Scammers gain trust using accurate personal data .
- Permanent exposure: Unlike passwords, biometric and demographic data can’t be changed.
- National security risk: Mass profiling via linked Aadhaar data has surveillance implications .
What You Can Do Today
- Check your Aadhaar usage history at UIDAI’s portal—see who’s authenticating your Aadhaar (blog.adsquantumvision.com).
- Enable alerts: Register your email/phone for usage notifications.
- Lock your biometrics when not in use—available via mAadhaar app.
- Be cautious of unsolicited calls/messages asking for OTP or personal details.
- Ask for accountability: Whether it’s your telecom provider or government portal, demand transparency and secure storage.
What Must Change
- Enforce audits and penalties for third parties handling Aadhaar data.
- Adopt “data minimization”: Sites should collect only what they need, and never store the Aadhaar itself.
- Mandatory breach disclosure: Users must be informed whenever their data is exposed.
- Technical protections: End-to-end encryption, secure key vaults, hardened endpoints.
- Policy reform: Stronger enforcement under the Digital Personal Data Protection Act and IT rules.
Final Word
Your Aadhaar isn’t being stolen from the UIDAI directly—it’s leaking everywhere else. From government portals to KYC vendors to exploitative officials, the real vulnerabilities lie in the systems built around Aadhaar. Until policy, enforcement, and public oversight catch up, Indian residents will remain exposed. Stay informed, stay secure—and demand action.
