Security Researcher informs public exposure of 250M+ Indian UAN database records of EPFO
Volodymyr “Bob” Diachenko of SecurityDiscover recently discovered major public data exposure through his organization’s systems. On 2nd August 2022, the security researcher found 2 distinct IP addresses with password-less Elasticsearch clusters that contained indices called UAN.
UAN (Universal Account Number) is an important part of the Indian government registry. The Employees’ Fund Organization (EPFO) allots the UAN number.
The two IPs had a record flow of around 280,472,941 records and the second IP contained 8,390,524 records.
The data contained information that ranged from personal details, blank seeding status, employment details to bank account details, income details and status, aadhar details and UAN details.
Bob Diachenko told Thetechoutlook that this exposure may have happened because of human error or misconfiguration. He further told Thetechoutlook that since they were able to see the details someone else might have also.
Although the security researcher couldn’t be clear about who the data belonged, he figured out that the IPs were hosted by Azure. Additionally he also informed that the servers were Indian based. However, he couldn’t obtain any additional information after reverse DNS analysis. The search engines, Shodan and Censys picked up this information on 1st August. The researcher thus said that it is unknown since when and for how long the data was exposed.
The security researcher took to Twitter and tweeted about this exposure with a screenshot of the exposed data structure. He also tried to inquire whom he should report to through his tweet. Additionally he also tagged @IndianCERT asking the same.
[BREACH ALERT] 280M+ records in this Indian database, publicly exposed. Where to report? @IndianCERT ? pic.twitter.com/lkY55epCyy
— Bob Diachenko (@MayhemDayOne) August 2, 2022
The researcher also said that the IPs were taken down within 12 hours of his Tweet. As of 3rd August 2022, no agency has put forward any claim for the data, nor there has been any update from the government.