28 Crore Indian Provident Fund Users Data Leaked by Hackers, Claims Cybersecurity Researcher

The PF data of 28 crore Indians which was hacked earlier this year included sensitive details, such as the UAN, Aadhaar, bank account details, etc.


Provident Fund (PF) data of about 28 crore Indians was reportedly hacked earlier this month. A Ukrainian cybersecurity researcher revealed that the hack took place on August 1. The leaked PF data included the Universal Account Number (UAN), names, Aadhaar details, gender, marital status and bank account details of the victims.

Cybersecurity researcher Bob Diachenko, who revealed the hack, took to LinkedIn to share more details about it. The researcher revealed that he found two separate IPs that contained indices called UAN. For the uninitiated, the UAN, or Universal Account Number, is allotted by the Employees’ Provident Fund Organisation (EPFO) and acts as an umbrella for the multiple member IDs allotted to an individual by different establishments. All member IDs allotted to an individual can be found under that user's single UAN. Diachenko shared some key details about the findings.

PF Data of 28 Crore Indians Hacked

Diachenko discovered the two separate IPs on August 2. Both contained indices called UAN. One of the two clusters contained 280,472,941 records, whereas the second contained 8,390,524 records.

The two IPs were hosted on Microsoft’s Azure cloud and were India-based. While Diachenko revealed the details of the hack, he could not trace the data back to its source, even via a reverse DNS analysis.

“Given the scale and obvious sensitivity of data, I decided to tweet about it, without giving any details as of source and associated info. Within 12 hours after my tweet both IPs were taken down and now unavailable,” the researcher stated. Diachenko has not heard back from any agency or company claiming to take responsibility for the hack.

Diachenko also tagged the Indian Computer Emergency Response Team (CERT-In) in his tweet. The country’s nodal agency asked Diachenko to share the report via email.



Venkatesh is our in-house leakster. He has earned honorary mentions on some of the biggest tech publications like GSMArena, PCMag, NDTV, and more. When not busy playing football and digging up substantial information on unreleased devices, Venkatesh likes to take his bike for a ride and dabble in nature photography.