Security researchers Akshay C.S. and Viral Vaghela have reported vulnerabilities in the UMANG portal that could have exposed Aadhaar-linked data, EPFO UAN details, and other sensitive information across multiple government services. UMANG, built by MeitY, aggregates thousands of central and state government services into a single citizen-facing app.
What went wrong — and where
Notably, the Aadhaar module within UMANG did not itself contain the vulnerability. The exposure instead came from downstream services: researchers found Aadhaar numbers visible in plain text across many linked services, despite such storage being prohibited under the Aadhaar Act of 2016. This is the core lesson in Aadhaar's vulnerability pattern — the central Aadhaar authentication system can be well-designed, while the surrounding ecosystem of apps and services that store or relay Aadhaar numbers becomes the weak link.
The affected services reportedly included EPFO Universal Account Numbers, LPG cylinder booking details, and Aadhaar numbers stored in plaintext by several linked services. The EPFO module carries particular weight here — it is UMANG's most-used service, logging over 400 million transactions in the last three months, fifteen times the volume of the next-highest service. Researchers warned the flaw could let attackers holding UAN numbers go further than data exposure: potentially modifying linked bank account details and initiating fund transfers at scale.
The government's response
MeitY acknowledged the findings and said it has reviewed them, encrypted the affected APIs, and is implementing corrective measures while monitoring the platform. Researchers, however, pushed back on the fix's adequacy — they said the encryption method remained flawed and inadequate, with a simple workaround still able to bypass it. Separately, EPFO's online portal went offline for a "migration" shortly after disclosure, which researchers suspect was linked to their alerts, though this hasn't been confirmed.
Why this keeps happening
This incident isn't isolated — it's part of a recurring pattern. In July 2026, over 1,000 databases containing student data were reportedly being sold, including a CUET-UG database claiming more than 15.56 lakh records. In 2023, a hacker listed a database claiming to hold Aadhaar, passport, and personal details of 815 million Indians, though researchers couldn't independently verify the full dataset. Government websites have documented histories of publishing Aadhaar numbers and other personal data dating back to 2017, and CERT-In warned in June 2025 of 16 billion login credentials surfacing online from various sources.
The structural vulnerability
Aadhaar's design centralizes identity verification, but its vulnerability rarely lies in the biometric core — it lies in the thousands of third-party integrations (banks, telecoms, government portals, apps like UMANG) that store, cache, or relay the 12-digit number, often without the encryption or access controls the Aadhaar Act mandates. Each integration point is a potential plaintext leak waiting to surface. Until enforcement of storage rules — not just authentication security — becomes systemic across every linked service, incidents like this will keep recurring under different names.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.




