Security researchers have identified multiple vulnerabilities in the government’s UMANG platform that allegedly exposed users’ personal information across several integrated public services, including EPFO and LPG services, according to a report by The Hindu. The Ministry of Electronics and Information Technology (MeitY) has acknowledged the findings and says it is implementing fixes.

Researchers Akshay C.S. and Viral Vaghela said the flaws stemmed from the portal’s underlying architecture rather than a single service. According to the researchers, the vulnerabilities exposed EPFO Universal Account Numbers (UANs), LPG cylinder booking details, and Aadhaar numbers that several linked services stored in plaintext. However, they said the Aadhaar module itself did not contain the vulnerability.

The government says fixes are underway: MeitY told The Hindu, “Our development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures.” The ministry added, “The plaintext information in the concerned APIs has been appropriately encrypted.” It also said it reviewed API transaction logs for the past three months and found transaction volumes to be consistent, while continuing to monitor the platform.

The researchers, however, said the fixes were insufficient. “Almost everything is broken by design,” Viral Vaghela said. Akshay C.S. also claimed that a simple workaround could bypass the new encryption.

Independent review raises concerns: Independent security researcher Karan Saini, who reviewed the findings at The Hindu’s request, said the vulnerabilities were “significant”. While he said rate limiting and the large pool of EPFO account numbers made large-scale copying of the database unlikely, he warned the flaws “could potentially have been abused by cybercriminals in possession of UAN numbers to siphon funds at scale by allowing for both changing of bank account details and initiating payouts, which is very concerning.”

The researchers said they reported the vulnerabilities to MeitY and CERT-In. Soon after, EPFO took its portal offline for a migration. The Ministry of Labour and Employment declined to comment, and authorities have not confirmed any official link between the migration and the researchers’ disclosure.

Part of a wider pattern: The incident adds to a long record of personal data exposure in India. In July 2026, MediaNama reported that websites were selling more than 1,000 databases containing students’ personal information, including a CUET-UG database that claimed to contain over 15.56 lakh records. In 2023, a hacker listed a database claiming to contain the Aadhaar, passport and other personal details of 815 million Indians for sale, although researchers did not independently verify the full dataset. Earlier reports since 2017 have documented government websites publishing Aadhaar numbers, bank details, caste,…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 14, 2026