Indane leaked Aadhaar numbers: 6,700,000 Aadhaar numbers

Elliot Alderson
3 min read · Feb 18, 2019

On February 10, I received a very interesting private message on Twitter.

With “Aadhaar” and “leak” in the same sentence, this guy managed to get my interest. After a few messages, he sent me a URL.

This page contains a lot of juicy information:
- The hyperlink associated with the “Consumer No” contains a parameter called “aadhar_no”
- The “Consumer Name”
- The “Consumer Address”
- At the bottom right we have the “Total Records”
- In the URL, there is a parameter called dealerID

So due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers. But how big is this leak?

This is the dealer portal, so if we modify the value of the dealerID parameter, we can access the consumer information of another dealer. So, to get the size of this leak…
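
The missing control described above, as an added example (not from the original post and not Indane's code): a record lookup that trusts the dealerID parameter, beside a version that requires a logged-in session, checks that the session's dealer owns the requested records, and keeps the Aadhaar number masked and out of the link. The parameter names dealerID and aadhar_no come from the post; the data, function names and URL paths are constructed.

```python
from dataclasses import dataclass

# Constructed sample records (fake 12-digit numbers), keyed by dealer ID.
CONSUMERS = {
    "D001": [{"consumer_no": "C-1001", "name": "Sample One",
              "address": "1 Example Road", "aadhar_no": "000011112222"}],
    "D002": [{"consumer_no": "C-2001", "name": "Sample Two",
              "address": "2 Example Road", "aadhar_no": "000033334444"}],
}

@dataclass(frozen=True)
class Session:
    """Server-side session created at login; never built from URL parameters."""
    dealer_id: str

class AccessDenied(Exception):
    pass

def list_consumers_unauthenticated(dealer_id):
    """Behaviour described in the post: the dealerID parameter alone selects the data."""
    return [dict(r, link=f"/consumer?aadhar_no={r['aadhar_no']}")
            for r in CONSUMERS.get(dealer_id, [])]

def mask(aadhar_no):
    """Expose only the last four digits."""
    return "XXXX-XXXX-" + aadhar_no[-4:]

def list_consumers(session, dealer_id):
    """Hardened: authenticate, authorise per dealer, minimise what is returned."""
    if session is None:
        raise AccessDenied("login required")
    if session.dealer_id != dealer_id:
        # Same error for another dealer and for an unknown ID, so IDs cannot be probed.
        raise AccessDenied("not authorised for this dealer")
    return [{"consumer_no": r["consumer_no"], "name": r["name"],
             "address": r["address"], "aadhar_no": mask(r["aadhar_no"]),
             # Link by consumer number so the identity number stays out of URLs and logs.
             "link": f"/consumer?consumer_no={r['consumer_no']}"}
            for r in CONSUMERS.get(dealer_id, [])]

def is_denied(session, dealer_id):
    """True when the hardened lookup refuses the request."""
    try:
        list_consumers(session, dealer_id)
        return False
    except AccessDenied:
        return True
```
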
