Security researcher reports public exposure of 250M+ Indian UAN database records of EPFO

Volodymyr “Bob” Diachenko of SecurityDiscovery recently discovered a major public data exposure through his organization’s systems. On 2nd August 2022, the security researcher found two distinct IP addresses hosting password-less Elasticsearch clusters that contained indices called UAN.

The UAN (Universal Account Number) is an important part of the Indian government registry. The Employees’ Provident Fund Organization (EPFO) allots the UAN.

Of the two IPs, the first contained around 280,472,941 records and the second contained 8,390,524 records.

The data ranged from personal details, blank seeding status and employment details to bank account details, income details and status, Aadhaar details and UAN details.

Bob Diachenko told Thetechoutlook that this exposure may have happened because of human error or misconfiguration. He further told Thetechoutlook that since they were able to see the details, someone else might have seen them as well.

Although the security researcher could not determine to whom the data belonged, he found that the IPs were hosted on Azure. He also said that the servers were India-based. However, reverse DNS analysis did not yield any additional information. The search engines Shodan and Censys picked up this information on 1st August. The researcher therefore said that it is unknown since when and for how long the data was exposed.

The security researcher tweeted about the exposure with a screenshot of the exposed data structure. In the tweet he also asked whom he should report it to, and he tagged @IndianCERT asking the same.

The researcher also said that the IPs were taken down within 12 hours of his tweet. As of 3rd August 2022, no agency has claimed the data, nor has there been any update from the government.

 


