The target: India’s national ID database, Aadhaar.
The take: Names, unique identity numbers, bank details and other private information for more than 1.1 billion registered Indian citizens.
The attack vector: One utility’s channel to access the Aadhaar database was without any access control in place, used a hardcoded access token, and enforced zero rate-limiting – meaning that an attacker could cycle through all possible Aadhaar numbers and obtain information every time a valid number was hit.