
Security flaw in Income Tax website exposed bank, Aadhaar details of Indian taxpayers

A major bug in India’s Income Tax portal exposed taxpayers’ bank, Aadhaar, and personal details before it was fixed by the government.

October 08, 2025 / 10:16 IST

India’s income tax e-filing portal, used by more than 135 million people, had a major security flaw that exposed taxpayers’ private information, including bank details and Aadhaar numbers, according to a TechCrunch report. The government has since fixed the issue, but not before sensitive data of countless users was potentially left vulnerable.

The flaw, discovered in September by two security researchers, Akshay CS and “Viral,” made it alarmingly easy for anyone logged into the tax portal to access another person’s financial records. All it took was swapping out one PAN (Permanent Account Number) for another in a simple network request. Using everyday tools like Postman or even browser developer tools, anyone could view another taxpayer’s name, address, date of birth, phone number, bank account details, and Aadhaar number — all without authorization.

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.

Essentially, the system failed to verify who was allowed to access what data, a basic security check known as “access control.” Because of this oversight, the portal left both individuals’ and companies’ sensitive data exposed. The vulnerability was confirmed by TechCrunch and later verified to have been fixed on October 2, after which the report was made public.
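The missing check described above, shown as an added illustration that is not code from the portal or from the researchers: a constructed Python sketch of a record lookup that trusts the PAN sent in the request, beside one that ties the lookup to the logged-in session and logs mismatches. The function names, PANs, session store and delegation table are all assumptions made for the example.

```python
# Constructed sample data: PANs, names, tokens and delegations are made up.
RECORDS = {
    "AAAPA1111A": {"name": "Taxpayer A", "bank_account": "XXXX1111"},
    "BBBPB2222B": {"name": "Taxpayer B", "bank_account": "XXXX2222"},
    "CCCPC3333C": {"name": "Company C", "bank_account": "XXXX3333"},
}
SESSIONS = {"token-a": "AAAPA1111A", "token-b": "BBBPB2222B"}  # token -> logged-in PAN
# Hypothetical: PANs a logged-in user may also act for (e.g. a company signatory).
DELEGATIONS = {"BBBPB2222B": {"CCCPC3333C"}}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_profile_vulnerable(session_token, requested_pan):
    # Authentication only: any logged-in user can read any PAN they name.
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return RECORDS[requested_pan]


def get_profile_hardened(session_token, requested_pan, audit_log):
    # Authorization: the PAN must belong to the session or be delegated to it.
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not logged in")
    allowed = {caller} | DELEGATIONS.get(caller, set())
    record = RECORDS.get(requested_pan)
    if requested_pan not in allowed or record is None:
        # Same error for "not yours" and "does not exist", so the response
        # does not reveal which PANs are registered.
        audit_log.append({"event": "pan_mismatch", "caller": caller,
                          "requested": requested_pan})
        raise Forbidden("not authorized for this PAN")
    return record


def callers_to_review(audit_log, threshold=3):
    # Detection side: callers with repeated mismatches look like enumeration.
    counts = {}
    for entry in audit_log:
        counts[entry["caller"]] = counts.get(entry["caller"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```

The hardened lookup derives the permitted set of PANs from server-side session state, so changing the PAN in the request no longer changes whose record comes back.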

India’s Computer Emergency Response Team (CERT-In) and the Income Tax Department were alerted immediately after the flaw was found. While CERT-In acknowledged the issue and said a fix was in progress, it did not specify how long the vulnerability existed or whether any data had been misused.

The e-filing portal handles massive volumes of sensitive information, with over 76 million people filing returns in FY 2024–25 alone, raising serious questions about how securely taxpayer data is managed. Although the bug is now fixed, experts say it’s a wake-up call for government systems that store critical citizen data.

Even one overlooked line of code, as this case shows, can open the door to massive privacy risks, especially when millions of Indians rely on digital platforms to fulfill mandatory financial duties.


MC Tech Desk
first published: Oct 8, 2025 10:15 am
