Personal data such as Aadhaar details and mobile phone numbers of nearly 75 crore Indians has been allegedly put up for sale online, said digital threat analysis company CloudSek in a report on Wednesday.

The company said that its digital risk protection platform discovered that a threat actor named CyboDevil had made a post on an “underground forum” promoting the sale of the comprehensive mobile network consumer database on Tuesday.

It said that a similar post was made by another threat actor named UNIT8200 on January 14 on the instant messaging platform Telegram.

The database allegedly includes the name of the mobile user, their phone numbers, residential addresses, Aadhaar details and names of their family members.

The CyboDevil and UNIT8200 are a part of the CYBOCREW group, which was founded around July 2023. The CYBOCREW group has been “linked to significant breaches, targeting Netplus Co, Zivame, Giva Co, and a Hyundai data breach affecting 2.1 million individuals”, according to the cybersecurity firm.

In its report, the firm also included screengrabs of the posts made on Telegram and the “underground forum”. It, however, did not mention if CloudSek had independently verified the dataset.

It said that the exact way in which the data was breached is not clear but added that the threat actors hinted at “exploiting vulnerabilities within government databases or telecommunication systems”.

The report said that when CYBOCREW was asked how it acquired the extensive dataset, the group “asserted obtaining the data through undisclosed asset work within law enforcement channels”.

“This opaque explanation prompts a critical examination into the legitimacy and ethical considerations surrounding the actor’s access to highly sensitive information,” the company said. “Further scrutiny is warranted to validate the veracity of the claim and assess the potential implications of such data sourcing practices.”

The report also raised alarms about the significant risks due to such leaks and said that it could be used for “sophisticated ransomware attacks or data exfiltration”.

In December, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that there have been 165 breaches of data of Indian citizens between January 2018 and October 2023.

Chandrasekhar claimed that no breach of Aadhaar data has occurred from the Central Identities Data Repository maintained by the Unique Identification Authority of India.

However, in January 2018, The Tribune claimed to have “purchased” a “service being offered by anonymous sellers over WhatsApp” for “unrestricted access” to details of the more than one billion Aadhaar holders.


Also read: Stolen fingerprints, empty bank accounts: How customers are paying for gaps in Aadhaar