So here's the story about a big fuck-up by a TRAI chief in India

He posted an open challenge on Twitter:
"Here's my 12-digit Aadhaar card (social security number for Indians) number. Show me if you can do any harm to me."

And Twitter obliged: a French hacker aliased @fs0c131y (Elliot Alderson) took the challenge and started posting his phone number, email, and other personal stuff on Twitter.

Still, the official thinks he's safe and that no harm has been done to him! He openly says, "Even if you get my bank account number, what can you do?"

Comments
  • 6
    Sounds like no harm has befallen him yet.

    Of course, not much of a test as no professional criminal hacker is likely to target him to post on Twitter how he did it.

    More a social experiment than a technical demonstration.
  • 3
    Well, in theory no harm has been done.

    As long as he uses a different, strong, non-personal password on each site he should be safe for the most part.

    The only real threat here is identity fraud.
  • 1
    @undef Hey, it's me. It's been four minutes, are you done yet?
  • 1
    I heard he has a pornhub account.
  • 0
    @HoloDreamer
    Everyone does.
    I bet the auth servers of PH*b are way busier than Google's.
  • 2
    Actually, this same gimmick was done by the CEO of one security company (which maintains IRS-number-related stuff), who put his IRS number in an advertisement and said it was secured.
    After a day or so, there were so many cases of his identity theft.
    Edit: company name is Equifax
  • 0
    @undef
    I don't know why we need this number.
    See, it's one more addition to already existing numbers like PAN etc.
    Even after having Aadhaar I need a voting ID etc.
    This baseless number provides an easy way for others to steal our data.

    But I have personally worked with Aadhaar authentication; trust me, the servers are highly secured, but the APIs that are used are not. These APIs only fetch data, and these are easily exploited.
    Like, I used an API; you can take data easily, because I think it was through some file which was locally present.
    (I am not a hacker, I have very basic knowledge on security.) I myself feel a proper professional can do it.
  • 4
    @Nawap really? I also watch porn occasionally but I never go to the extent of creating accounts in porn sites.

    Even if I had to make one on such sites, I'd be using a mail ID just for that, not a personal one.
  • 0
    @HoloDreamer
    Exactly, not a personal one.
    Trust me, there are tons of people who have paid accounts!
    And I think the app requires a sign-in!
    And what about the ones who upload? You need a sign-in for them at least.
  • 0
    @undef
    Wow, you have explained it better to others!
    Exactly, tell Elliot to crack the CIDR server and get our biometrics.
    Nice article.
    But these AUAs are actually regulated; they are actually made to sign a contract where they state they're responsible for the breach.
    These hackers exploit these APIs only and say they hacked Aadhaar.