Selling the database of 815 million Indians is a dark web threat actor who claims to be only attempting to recoup his investment

 Selling the database of 815 million Indians is a dark web threat actor who claims to be only attempting to recoup his investment

Pwn0001, who sells private information on Indian nationals on a dark web platform, claimed that he purchased the information from another dark web forum last year rather than hacking any databases.

The administration has not yet provided an official confirmation of the leak.

The threat actor operating on the dark web, pwn0001, claims that the database they are selling sensitive information on 815 million Indians is "old" and that they purchased it from a dark web forum that has since closed down last year

On the dark web platform Breach Forums, a person going by the handle pwn0001 listed "Indian citizen Aadhaar and Passport Database" for $80,000. The listing was placed on September 10. Other information that this purportedly comprehensive database of citizens has include name, address, phone number, parents' names, and so on.

"No database was hacked by me. I paid $50,000 for it last year," pwn0001 said on Telegram to Moneycontrol. The vendor also said that the proprietor of the site, where he purchased the information, was recently arrested and the forum was shut down. These statements could not be independently verified by Moneycontrol.

The threat actor said that they purchased the database last year with the expectation that it would include a large number of Aadhaar and passport information. But that wasn't the case, pwn0001 clarified.

"The information was not what was advertised. Just 10,000 passport information and 10% of the database's contents are Aadhaar-related, he claimed. Aadhaar information were included in a small number of the data samples that pwn0001 shared on BreachForums.

Thus, at this point, all I'm trying to do is get my money back," pwn001 said, noting that he hasn't been able to sell it to anybody.

Resecurity, a cybersecurity research platform located in the US, was the first to report on this data leak. Researchers on the site claimed they have found legitimate citizen Aadhaar card IDs.

To be clear, there has been no confirmation or denial of any data breach by the Indian government. More questions on the subject have been sent by Moneycontrol to UIDAI CEO Amit Agrawal; the article will be updated upon receipt of a response.

The Digital Personal Data Protection Act was approved by Parliament and is now a law, which coincides with the reports of data breaches. The DPDP Act has provisions that impose fines of up to Rs 250 crore on platforms that divulge personal information about any individual.

The legislation hasn't been put into effect yet, however. Three groups of data fiduciaries, according to the government, may be excused from the Act's implementation: startups, MSMEs that handle citizen data, and government bodies with the lowest level of digitalization, such panchayats.

Resecurity revealed a another purported breach earlier in August, including 1.8 TB of data that was sold online under the guise of a "Indian internal law enforcement organization."

The group said that they had confirmed the inclusion of personally identifiable data from voter IDs, Aadhar IDs, and driver's license records in this as well.