Personal details of nearly half a million Delhi citizens leaked online, claims security researcher

MongoDB database instance was left unsecured and accessible online without so much as a password to protect it

A security researcher has shared screenshots of a database that was leaking the personal details of around 458,388 Indian citizens online.

Bob Diachenko, who identified the unsecured server, says the MongoDB database instance was left unattended for public access and was accessible online without requiring any password.

"A 4.1GB-sized database had been indexed by Shodan and was left unattended for public access. The database was named 'GNCTD' which also stands for Government of National Capital Territory of Delhi," Diachenko wrote in a blog post.

According to Diachenko, the database contained information about voter ID numbers and Aadhaar identity numbers of around half a million people.

The collections and records contained in the leaked database included: (1) EB Registers; (2) EB Users (14,861); (3) Households (102,863); (4) Individuals (458,388); (5) Registered Users (399); and (6) Users (2,983).

After analysing the content in detail, Diachenko concluded that the database was most likely related to a company named "Transerve".

The "Registered Users" collection in the database included email IDs, hashed passwords and usernames for administrator access.

The most detailed information was contained in the "Individuals" collection, which provided details of health conditions, education, Aadhaar numbers, and voter ID numbers of 458,388 individuals.

The "Households" collection provided information about names, house number, ration card number, informal name and other details.

Diachenko says evidence suggests that the database is connected to GNCTD, although he can't say that for sure.

Diachenko informed Transerve about the unsecured database, but didn't receive any response from the company.

After he sent an email to the Computer Emergency Response Team (CERT) in India, the database was secured and taken offline.

CERT is run by the Indian Ministry of Electronics and Information Technology. It was set up to address cyber security issues such as phishing, hacking, and data protection in India.

The news about the unsecured database comes about a week after French researcher Elliot Alderson claimed that a data leak by Indian Oil Corporation may have revealed the personal details of about 6.5 million Aadhaar users in India.

According to Alderson, data of millions of users was accessible through a single legitimate user ID and password.

Alderson revealed that running a custom-built Python script enabled him to scrape the database, giving him thousands of valid IDs of distributors and dealers of an LPG brand owned by the Indian Oil Corporation.

He also added that the Unique Identification Authority of India (UIDAI) has not approached him so far, despite his having exposed several data leaks in the past.