Details of Vodafone Idea (Vi) users may have been accessed by threat actors after an alleged leak of its directory services portal’s user ID and password on the dark web, according to cybersecurity researcher and ethical hacker Sunny Nehra.

The database portal comprises information of all active and older inactive subscribers of the telecom operator, including current and permanent addresses, date of birth, PAN and Aadhaar card details, Nehra said. As of January 2022, Vi had over 24.72 crore active subscribers.

Nehra, Admin, Hacks and Security, found a set of 12-15 user IDs and passwords of various portals of Vi, available for sale on private dark net forums. On testing one of them, he found that it to belonged to the subscriber database portal and was probably meant for special access to the Delhi police.

BusinessLine reached out to Vi with queries on Saturday and the company denied any such breach in their portals and apps by Monday.

“Vi has a very tight IT security framework and we regularly conduct checks and audits to identify any potential areas of vulnerabilities to further strengthen our security architecture. We have not found any such breach. Our data remains fully safe and secure,” a Vodafone Idea spokesperson told BusinessLine.

Weak password

However, Nehra claimed that the portal has been down since Sunday night.

“To check the account, they will have to make the portal up again anyway. I assume they noticed something unusual on the portal and made it down at night. My mail will clarify things,” he said.

“Vodafone Idea had allocated a very generic and weak password for the site which had critical details of its subscribers. It is very common for hackers to try out that password. While these user IDs and passwords will be removed from the dark net forum once it’s sold, the threat remains that someone is going to have access to the portal and data of all the subscribers of the company. I was able to find details of at least three IPS officers and two important bureaucrats I knew who are using Vi numbers,” Nehra added.

He also notified the Indian Computer Emergency Response Team (CERT-In) and Mathan Babu Kasilingam, Chief Information Security Officer (CISO), Vi, in separate emails.

“Vi’s CISO has taken a note of my email. He said he is analysing the systems on priority and checking what went wrong,” Nehra said.