Security Flaw in India’s Income Tax Portal: How a Bug Exposed Millions of Taxpayers’ Sensitive Data

The Indian government’s Income Tax e-filing portal recently suffered a major security lapse, making it possible for logged-in users to view not only their own but anyone’s confidential tax and identity information.
First uncovered in September 2025 by security researchers Akshay CS and “Viral,” the bug allowed access to names, addresses, dates of birth, email, phone, Aadhaar numbers, PAN, and even bank details of taxpayers—simply by swapping linked PAN numbers in network requests. This direct access flaw, known as Insecure Direct Object Reference (IDOR), is common but extremely dangerous as it circumvents user-level permissions and backend checks.

What Data Was at Risk?

• Full names, email IDs, home addresses, date of birth
• Phone numbers and registered PAN (tax identification numbers)
• Aadhaar numbers, a government-issued unique identity
• Linked bank account details, vital for refunds and digital validation

Beyond affecting individual taxpayers, data of Indian businesses filed through the portal was also potentially at risk.

How Was the Bug Exploited?

• The vulnerability could be triggered from any account logged into the e-filing portal using simple web tools or browser debugging, with knowledge of a target’s PAN.
• Lack of strict server-side access checks meant users could fetch unauthorized profiles just by editing request data.

How Was It Fixed?

• The flaw was reported to CERT-In (India’s Computer Emergency Response Team), which coordinated with the Income Tax Department to patch the exposure.
• According to TechCrunch, the bug has now been closed and cannot be exploited further. Authorities did not disclose the total number affected, but with more than 135 million registered portal users, it is potentially the largest exposure of taxpayer data in Indian history.

Why It Matters (and What’s Next)

• Such data can be used for phishing, scams, identity theft, or even targeted financial fraud. Large-scale tax or Aadhaar data breaches have far-reaching consequences.
• The incident highlights the urgent need for rigorous penetration testing and secure development practices in all public-facing government digital platforms.
• Following the Digital Personal Data Protection Act of 2023, Indian agencies face greater legal and reputational risk for such exposures—and must now update cyber audit practices, as emphasized in the latest CERT-In and MeitY advisories.

Key Takeaways for Users

• Change your portal password regularly and be wary of unsolicited emails or messages referencing your tax data.
• Avoid sharing your PAN or Aadhaar details except via official, encrypted channels.
• Push for digital literacy and data privacy awareness—phishing attempts are likely to grow sharper, as warned by CERT-In leadership.

Sources: TechCrunch, DevDiscourse, CERT-In, Economic Times, NDTV, Times of India