Indian LPG Brand Indane Leaks Millions of Users' Aadhaar Data
Indane is an Indian LPG brand owned by Indian Oil Corporation, an oil and gas company owned by the Indian government. Right now, Indane has a total of 90 million customers, so leaking the Aadhaar data of this many customers is a really serious issue.
This leak first came to light when an anonymous user sent a tip (via Twitter) to French security researcher Elliot Anderson. The anonymous user tipped him off to a URL endpoint on the Indane website where this vulnerability is present. Anyone who has this exact URL endpoint can easily access information such as customer name, customer address, Aadhaar number, KYC status, etc.
These URL endpoints are present on the Indane local distributor pages. However, through one endpoint you can access only the data present on that one Indane local distributor page. Moreover, to access a local Indane distributor page you need a Distributor ID. In his Medium blog post, Elliot explains how he got access to all the Indane local distributor IDs: he obtained them by testing a Python script on the Indane app. The total number of distributors in India is 9100 (as noted by Wikipedia). However, Elliot got access to a total of 11062 local distributor IDs.
After further analysis, he found that there are more than 60 million Indane users whose Aadhaar data is vulnerable to exposure. Earlier, we all saw how State Bank of India leaked millions of users' account data.