Recently, a dark web threat actor known as pwn0001 made headlines for offering sensitive data of 815 million Indian citizens on a dark web marketplace. While this revelation has raised concerns about data security, pwn0001 claims that he didn’t hack the data but purchased it from a now-defunct dark web forum last year.
Pwn0001’s listing on Breach Forums, posted on September 10, included an offer to sell the “Indian citizen Aadhaar and Passport Database” for $80,000. This database allegedly contains personal information like phone numbers, addresses, names, parents’ names, and more.
According to pwn0001, he acquired the database for $50,000 in the previous year, emphasizing that he did not engage in hacking activities. He stated that the forum from which he obtained the data has since been shut down, and its owner has been arrested. However, these claims could not be independently verified by chennaiprint.
The threat actor expressed disappointment with the database’s contents, stating that it did not meet his initial expectations. Only a small portion of the data includes Aadhaar details, and even fewer entries contain passport information. Pwn0001 indicated that his current goal is to recover his investment, as he has not been successful in selling the data to anyone so far.
The data breach was first reported by the US-based cybersecurity research platform Resecurity, whose researchers claimed to have identified valid Aadhaar card IDs linked to Indian citizens.
It’s worth noting that the Indian government has not officially confirmed or denied the occurrence of a data breach. Media has reached out to UIDAI CEO Amit Agrawal for further information, and the article will be updated when a response is received.
These reports of data breaches coincide with the passage of the Digital Personal Data Protection Act in Parliament, which has now become law. The DPDP Act introduces provisions that impose hefty fines of up to Rs 250 crore on platforms that leak personal data. However, the law has not yet been fully implemented. Certain government entities, including Panchayats, less digitized MSMEs handling citizen data, and startups, have been mentioned as potentially exempt from the Act’s implementation.
In August, Resecurity also reported another alleged breach involving 1.8 TB of data, sold online under the name “Indian internal law enforcement organization.” This dataset was said to contain personally identifiable information such as Aadhaar IDs, Voter IDs, and driving license records.