Multiple vulnerabilities in the Unified Mobile Application for New-age Governance (UMANG), a government portal that aggregates hundreds of public services offered by the Union and State Governments, are leaving potentially millions of Indians’ data exposed across a variety of databases, including those from the Employees’ Provident Fund Organisation (EPFO), according to two security researchers who shared their findings with The Hindu.
The vulnerabilities, which have likely existed for years, affect several services tested on the UMANG portal, which has onboarded over 2,400 services. It stems from the architecture of the portal itself, said the researchers, Akshay C.S. and Viral Vaghela. “Almost everything is broken by design,” Mr. Vaghela said.
UMANG was launched nine years ago by Prime Minister Narendra Modi at the fifth Global Conference on Cyber Space, which took place in Delhi.
EPFO downtime
The data exposed includes Unique Account Numbers (UAN) with the EPFO, LPG cylinder booking details with at least one major oil marketing company, and Aadhaar numbers across several services where a user’s ID details are saved. The Aadhaar numbers were found across many services in plaintext, even though such storage is disallowed by the Aadhaar Act, 2016. The Aadhaar module itself within UMANG was not vulnerable.

The EPFO module is UMANG’s most-used service, recording over 40 crore transactions over the last three months — fifteen times more than Bharat Aadhaar Seeding Enabler, the next largest use case.
The Ministry of Electronics and Information Technology acknowledged the vulnerabilities in a statement to The Hindu. “Our development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures,” the Ministry said. “The plaintext information in the concerned APIs has been appropriately encrypted.”
The Ministry added that it has “reviewed the API transaction logs for the past three months” and found that “transaction volumes” were consistent and that it continued to keep watch on activities on the UMANG portal.
Also read: PF interest to be credited by July 15 to member accounts: Minister
The Hindu is withholding the precise technical details of the vulnerabilities, as they remain active despite the above interventions. The encryption the IT Ministry referred to is “flawed and inadequate,” Mr. Akshay said, adding that a simple workaround allowed it to be cracked anyway. At The Hindu’s request, the researchers shared their findings with Karan Saini, another independent security researcher, who termed the vulnerabilities “significant”.
“Considering that rate limiting was implemented and the large number-space of EPFO UANs,” Mr. Saini said, referring to the steps taken by the site to limit the number of requests a user can make, “it is unlikely that the vulnerability could have been exploited to mirror the entire EPFO database.” Still, he added, it “could potentially have been abused by cybercriminals in possession of UAN numbers to siphon funds at scale by allowing for both changing of bank account details and initiating payouts, which is very concerning.”
“The fixes initially implemented following the disclosure appear to do nothing to secure the system and instead confuse obscurity with security, while also introducing another vulnerability in the process,” Mr. Saini said. (The Hindu is also withholding information about the additional vulnerability.)
Mr. Akshay and Mr. Vaghela reported both vulnerabilities to the IT Ministry and the Computer Emergency Response Team, India (CERT-in), which issues alerts and helps organisations across the country with fixes for vulnerabilities like these. Shortly after the pair reported the vulnerabilities, the EPFO took down its online portal for a “migration”, and some services remained unavailable this week. The researchers said they suspected this was in response to their alerts, which were also sent to the organisation. The Ministry of Labour and Employment did not respond to a request for comment.
“It is worth examining whether the fixes deployed on the UMANG portal were simultaneously deployed across the services for which UMANG acts as a proxy,” Mr. Saini said.
Government security
The vulnerabilities highlight the security posture of government websites, especially at a time when India is seeking access to Anthropic’s Mythos AI model, which has been touted as a way to secure long-standing vulnerabilities in complex codebases that have persisted for decades.
At a report launch on Monday (July 13, 2026), IT Secretary S. Krishnan said that CERT-in had launched a “war room” where it was auditing crucial code used by the government with locally hosted open-source models whose capabilities were comparable to cutting-edge frontier models. Mr. Krishnan said the government undertook a “constant exercise” in combating cyber vulnerabilities on government websites.
Access to Mythos, Mr. Krishnan said, in response to a broader question about the cybersecurity of government websites, would be an opportunity “to actually identify any of these vulnerabilities now and correct them.”
“Clearly, getting access to Mythos and similar advanced models is very high on the government’s priority list, and this is something that we have discussed with our counterparts in the U.S. and with the respective companies.”
In CERT-in’s war room, Mr. Krishnan said that the government was using models “which we believe to be about 60–70% as capable as Mythos” and was “identifying vulnerabilities and fixing them as we go” in what he described as a “dry run for whenever Mythos is available”.
55 minutes ago
5



English (US) ·