That Aadhaar-Linked Covid Data Leak: Why You — Not Just 'Someone' — Are at Risk

That Aadhaar-Linked Covid Data Leak: Why You — Not Just 'Someone' — Are at Risk

If you ever took a Covid test and shared your Aadhaar, that 815-million-record dump includes your identity — not 'others'.

In October 2023, a threat actor listed what they claimed was 815 million records of Indian citizens on a dark-web forum. The data included names, phone numbers, Aadhaar numbers, and addresses — sourced, researchers later determined, from Covid-19 test records submitted through the Indian Council of Medical Research. If you ever took a Covid test between 2020 and 2023, there is a meaningful probability that your Aadhaar is in that database right now.

Why This Is About You Specifically

There is a psychological trick that makes data breaches feel abstract. We hear '815 million records' and our brains process it the way they process national debt figures — as a number too large to be personal. It is not. That dataset is not a statistic. It is a directory. Your name, your Aadhaar number, your phone number, and the address you gave at the testing centre are likely entries in it, sitting next to the entries for your parents, your spouse, and your colleagues.

The question is not whether your data was in that breach. The question is what someone can do with it — and the answer is more than most people realise.

Your Aadhaar number is not a password. It was never meant to be kept secret. But combined with your phone number and address, it becomes a skeleton key to your financial identity.

What Attackers Can Actually Do With Your Aadhaar

The most immediate risk is SIM cloning. An attacker who has your Aadhaar number, phone number, and address has enough to walk into a telecom service centre and request a duplicate SIM — claiming their phone was lost. Once they have your SIM, they have your OTPs. Once they have your OTPs, they have your bank account, your UPI wallet, your email, and every service that uses your phone number for verification.

The second risk is synthetic identity fraud. Attackers combine your real Aadhaar with a fabricated name and photograph to apply for loans, credit cards, or government scheme benefits. You discover the fraud months later when recovery agents begin calling about a loan you never took.

The third risk is targeted phishing. Someone who knows your name, phone number, and the fact that you took a Covid test in a specific city can send you a message that references all three pieces of information. It reads as legitimate. Most people click.

The Compounding Problem: Aadhaar Is Everywhere

The reason this breach is more dangerous than most is that Aadhaar is not a niche identifier. Over the past decade, it has been linked to bank accounts, mobile connections, income tax filings, insurance policies, school admissions, and government benefit programmes. In trying to create a universal digital identity, India created a universal attack surface.

When one piece of that identity is exposed — and 815 million records is not 'one piece,' it is virtually the entire adult population — the consequences spread across every system it was linked to.

What You Can Do Today

  • Check your Aadhaar authentication history. The UIDAI website allows you to view every time your Aadhaar was used for authentication. If you see services you do not recognise, report it to UIDAI immediately.
  • Lock your Aadhaar biometrics. UIDAI allows you to lock your biometric data so it cannot be used for authentication without your explicit unlock. If you are not actively using biometric Aadhaar services, lock it now at myaadhaar.uidai.gov.in.
  • Set a SIM lock with your telecom provider. All major Indian telecom operators allow you to set a PIN or request that no duplicate SIM be issued without in-person verification. Call your provider today and ask them to add this restriction.
  • Treat your phone number as a bank account. Your mobile number is the master key to your digital life. Do not share it on forms that do not require it. Do not use it as a login for entertainment or delivery apps.
  • Register a complaint if you receive suspicious contact. If someone calls or messages you with personal details you did not share with them, file a complaint at cybercrime.gov.in. The more reports the system has, the better the response.

Worth trying: Every service connected to your Aadhaar relies on a phone number or a password for access. Byteseal's fingerprint-based hardware key removes the password from that chain — even if your phone number is compromised, accounts protected by Byteseal require physical biometric presence to access. byteseal.in

815 million records. That is not a breach of 'the system.' It is a breach of the people who built and trusted that system. The system will be patched eventually. Your identity needs protecting now.

Back to blog