Major security flaw in India’s tax website put sensitive user data at risk

New Delhi: Filing taxes online is stressful enough, but imagine finding out the government’s own portal left your private information wide open. That is exactly what happened recently when security researchers found a glaring hole in India’s income tax e-filing system. For weeks, anyone logged in could quietly peek at another person’s personal and financial records just by changing a number in the network request.

The flaw has since been fixed, but the discovery shows how fragile our digital systems can be. With more than 135 million people registered on the portal, even a small mistake can turn into a national privacy scare.

What the bug exposed

The researchers, Akshay CS and “Viral,” found the problem while filing their own taxes in September. They told TechCrunch, which first reported the story, that swapping out one Permanent Account Number (PAN) for another in the request revealed the complete details of any taxpayer.

Here’s what was at risk:

  • Full name
  • Date of birth
  • Address
  • Phone number
  • Email
  • Bank account information
  • Aadhaar number

This was not limited to individuals. Even companies registered on the e-filing site had their details exposed. All it took was a tool like Postman or Burp Suite, or even the browser's developer console. In cybersecurity lingo, this is called an IDOR, short for insecure direct object reference. In plain words: the server looked up whichever PAN the request named, and the basic check that the PAN belonged to the logged-in user was missing.

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers said.
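To make the "missing check" concrete, here is an added example (not code from the article, the researchers, or the portal) of a PAN-keyed profile lookup with the IDOR next to the object-level authorization check that closes it. The records, PANs and session shape are all constructed for illustration.

```python
"""Added example: an IDOR on a PAN-keyed lookup and its fix.
Not the portal's code; all records and PANs below are made up."""
from dataclasses import dataclass

# Constructed sample records keyed by PAN (fictional values).
TAXPAYERS = {
    "AAAPZ1234C": {"name": "Taxpayer One", "bank": "XXXX1111", "aadhaar": "XXXX-XXXX-1111"},
    "BBBPZ5678D": {"name": "Taxpayer Two", "bank": "XXXX2222", "aadhaar": "XXXX-XXXX-2222"},
}


@dataclass
class Session:
    """Identity the server established at login; never taken from the request body."""
    pan: str


class Forbidden(Exception):
    """Raised when a request names an object the session does not own."""


def profile_vulnerable(session: Session, requested_pan: str) -> dict:
    """IDOR: the lookup trusts the PAN the client sent, so any logged-in
    user can read any record simply by changing the identifier."""
    return TAXPAYERS[requested_pan]


def profile_fixed(session: Session, requested_pan: str) -> dict:
    """Object-level authorization: the identifier in the request must match
    the identity bound to the session. (Better still, drop the parameter and
    key the lookup on session.pan alone, so there is nothing to tamper with.)"""
    if requested_pan != session.pan:
        # Surface the mismatch to logging/alerting: repeated denials from one
        # session are an enumeration signal a SOC would want to see.
        raise Forbidden(f"session {session.pan} requested {requested_pan}")
    return TAXPAYERS[session.pan]


if __name__ == "__main__":
    me = Session(pan="AAAPZ1234C")
    print("vulnerable:", profile_vulnerable(me, "BBBPZ5678D")["name"])  # other user's data
    print("fixed (own):", profile_fixed(me, "AAAPZ1234C")["name"])
    try:
        profile_fixed(me, "BBBPZ5678D")
    except Forbidden as exc:
        print("fixed (other):", exc)
```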

How many users are affected

The Income Tax Department’s portal is massive. Public data shows:

Category                       Number of users
Registered users               135 million+
Returns filed in FY 2024–25    76 million+

Now, it is unclear how long this vulnerability existed or if attackers actually took advantage of it. CERT-In, India’s cyber emergency response team, confirmed the flaw and said the department was working on it, but did not give a timeline. The Ministry of Finance kept quiet too.

Why it matters

For most of us, the PAN is the key to everything from opening a bank account to paying school fees. When paired with Aadhaar, it is practically a golden ticket to identity theft. Exposing both on a government site is like leaving your front door open and hoping no thief walks in.

I have friends who still avoid UPI because they worry about fraud. Imagine their faces if I told them that their Aadhaar and bank details were sitting exposed on an official portal. It is the kind of news that makes you want to dig out old paper forms.

The quick fix, but slow answers

By October 2, the bug had been fixed. TechCrunch held back its story until then, responsibly waiting so that no malicious actors could exploit the flaw once it was public. But many questions remain unanswered. How long was the hole there? Did anyone besides the researchers stumble on it? Will there be an audit to ensure no data was stolen?

The Income Tax Department acknowledged receiving questions from TechCrunch but gave no answers. That silence does not inspire confidence when millions trust the portal with their financial lives.