Millions of Aadhaar Numbers Leaked by Indane: French Security Researcher

A researcher in France has reported a security lapse that exposed millions of Aadhaar numbers of dealers and distributors linked with Indane, an LPG brand developed and owned by the Indian Oil Corporation (IOC).

Baptiste Robert, who goes by the name Elliot Alderson online and has exposed Aadhaar leaks in the past, said in a post on Medium that the Aadhaar information of almost 6.7 million dealers and distributors of the Indane gas agency, accessible with a valid username and password, was left exposed.

Alderson said, "Because of a lack of authentication in the local dealers’ website, Indane is leaking the names, addresses and Aadhaar numbers of its customers."

Using a custom-built script to scrape the database, the researcher found customer data for around 11,000 dealers, which included names and addresses of consumers, before his IP was blocked by the company.

Alderson said, “I wrote the Python script. By operating this script, it gives 11062 valid dealer ids. After more than one day, my script tested 9,490 dealers and also found that overall 5,826,116 Indane consumers are affected by this leak.”

The French researcher was able to discover the data of 5.8 million Indane customers before his script was blocked.

Alderson said, “Unfortunately, Indane perhaps blocked my IP, so I didn't test the remaining 1,572 dealers. By doing some basic mathematics we can calculate the final number of affected consumers to around 6,791,200.”

Alderson further said that he made the leak public on Tuesday after getting no reply from Indane.

TechCrunch said it had verified a sample of the leaked Aadhaar numbers on the UIDAI portal and found them to be a match.

Indane serves nearly 140 million households in the country. In 2018, Karan Saini, another security researcher, found an endpoint on a system operated by Indane that would allow anyone to download the Aadhaar details, according to ZDNet. The endpoint was taken offline after the leak was disclosed, and UIDAI later said in a statement that there had been no data breach.
