A huge cache of data containing the full name, bank account number and nominee information of pension fund holders in India has surfaced online.
Security researcher Bob Diachenko found two separate IP addresses storing more than 288 million records — with some 280 million records available under one IP address and about 8.4 million a part of the second IP address. Both IP addresses were publicly exposing the data to the internet but were not protected by passwords, the researcher said.
The records were a part of cluster indices titled “UAN”, which apparently refers to the Universal Account Number allotted to pension fund holders by the state-owned Employees’ Provident Fund Organization (EPFO) in the country.
“From what I understood, information from the database could have been used to put together a complete profile of an Indian citizen and make them a target for a phishing or scamming attack,” Diachenko told TechCrunch.
Each record included personal information of individuals, including their marital status, gender and date of birth. There were also details mainly linked to their pension fund accounts, including the UAN, bank account number and employment status.
Apart from leaking the personally identifiable information (PII) of individuals holding pension fund accounts, the records exposed details of their nominees. These include their full name and relationship with the account holders.
Diachenko discovered the IP addresses leaking the sensitive data earlier this week. He tweeted on Wednesday a screenshot showing the data fields exposing personal information, alongside tagging India’s Computer Emergency Response Team (CERT-In). Less than a day after posting his tweet, both IP addresses in question were no longer accessible.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
[BREACH ALERT] 280M+ records in this Indian database, publicly exposed. Where to report? @IndianCERT ? pic.twitter.com/lkY55epCyy
— Bob Diachenko 🇺🇦 (@MayhemDayOne) August 2, 2022
But Diachenko said it wasn’t clear who should claim responsibility for the exposed data that surfaced online. It is also unclear whether anyone other than Diachenko found the exposed data.
TechCrunch reached out to India’s EPFO, CERT-In and the country’s IT ministry for comment, but did not hear back.
In 2018, the Central Provident Fund Commissioner reportedly notified the IT ministry that hackers were able to steal data from the Aadhaar seeding portal of the EPFO website. That incident put the information of about 27 million pension fund members at risk. However, the pension fund body later claimed on the record, but provided no evidence, that there was no data leakage from its side.
