Overview
- The vulnerability let any logged-in user retrieve other taxpayers’ records simply by swapping the PAN value in a network request, a classic insecure direct object reference (IDOR) failure: the portal checked that the caller was authenticated but not that the requested record belonged to them.
- The exposed data included names, addresses, emails, phone numbers, dates of birth, bank account details and Aadhaar numbers.
- The flaw affected both individual and corporate accounts, including records of people who had not yet filed returns this year.
- Authorities acknowledged alerts but offered limited public detail, and it remains unknown how long the issue persisted or whether data was misused.
- The e-filing portal lists over 135 million registered users with about 76 million returns filed in 2024–25, underscoring the potential scale of exposure.
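A minimal model of the flaw described in the first bullet, as an added example that is not part of the original article and not the portal's own code: the vulnerable lookup serves whatever PAN arrives in the request, the hardened one runs an object-level authorisation check before the query, and a small audit helper flags accounts that were refused on many distinct PANs. All sessions, PANs and records below are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    own_pan: str
    # PANs a corporate or representative login is explicitly authorised for
    delegated_pans: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# Constructed sample store; the PANs and names are synthetic placeholders.
RECORDS = {
    "AAAPA0000A": {"name": "Taxpayer A", "dob": "1980-01-01"},
    "BBBPB1111B": {"name": "Taxpayer B", "dob": "1975-05-05"},
}

# Constructed audit trail of refused lookups: user_id -> set of PANs tried.
REFUSALS = defaultdict(set)


def get_record_vulnerable(session: Session, pan: str) -> dict:
    """IDOR: being logged in is the only check, so any PAN in the request is served."""
    return RECORDS[pan]


def is_authorised(session: Session, pan: str) -> bool:
    """Object-level check: the session owns the PAN or has been delegated it."""
    return pan == session.own_pan or pan in session.delegated_pans


def get_record(session: Session, pan: str) -> dict:
    """Hardened lookup: the authorisation check runs before the query, so an
    unauthorised caller cannot even learn whether the PAN exists."""
    if not is_authorised(session, pan):
        REFUSALS[session.user_id].add(pan)
        raise Forbidden("record not accessible")
    return RECORDS[pan]


def suspicious_users(threshold: int = 3) -> list:
    """Detection: users refused on at least `threshold` distinct PANs, the
    access pattern an identifier-swapping client would leave behind."""
    return sorted(u for u, pans in REFUSALS.items() if len(pans) >= threshold)
```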