Indane gas endpoint leaked 6.7 million users’ Aadhaar Card numbers

6.7 million users’ Aadhaar numbers have been leaked by an Indane gas endpoint

Research by Eliot Alderson and an anonymous Indian security researcher has revealed that the official site of Indane gas was leaking personal details, including usernames, addresses and crucial Aadhaar Card numbers. According to them, the hackers behind this managed to affect 6.7 million Indane gas customers.

What is the cause – deep analysis?

The investigation started at the beginning of this month, when the leak was first discovered by the anonymous Indian security researcher. He discovered a sensitive data leak involving Aadhaar Card numbers and the Indane gas endpoint, and reported it to Eliot Alderson (who has been investigating several Aadhaar Card leaks and exposed some of them in the last year).

On investigation, they found that a lack of authentication on the website caused the leak of sensitive details about its customers. The leak was found in Indane’s distributor portal, which allows hackers to access critical data of over 6.7 million customers.

The French security researcher Eliot Alderson, by using some of the server features, was able to find out the number of dealers involved in the local portal. He also managed to obtain the dealers’ IDs by running a Python script.

“After a few minutes, I wrote this python script. By running this script, it gives us 11062 valid dealer ids. After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.

Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.”

IndianOil denies that Aadhaar numbers are hosted on its website

IndianOil denies the claims that the security researchers posted. According to them, the company is using Aadhaar numbers for the LPG transfers, so there should not be an issue of names and addresses being revealed. Here is the company statement from their Twitter post:

“IndianOil in its software captures only the Aadhaar number which is required for LPG subsidy transfer. No other Aadhaar related details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us.”

In the post, IndianOil also denies that there are any Aadhaar numbers hosted on its website. However, other researchers also confirm that the URL hyperlinked to each customer of the company displays Aadhaar numbers on the web page.