from four government portals, according to a report from the Centre for Internet and Society (CIS).

Based on the numbers available on the websites looked at, [the] estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million.

If you’re not familiar with Aadhaar numbers, we’ve previously reported on the history of and concerns surrounding this biometric ID card. Now a fundamental part of Indian society, anyone who has not signed up faces being denied access to many government and private-sector services and schemes. As the government presses on with intertwining the card into everyday life, concerns about the security of the vast amounts of personal data being stored, and the potential for its misuse by cyber-criminals, continue to mount.

The disclosures came as part of a report entitled Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information, which focuses on just four of India’s numerous government portals:

But it’s not just the ID numbers that the report is worried about; it also claims that the leaks contain “personally identifiable information of beneficiaries or subjects of the leaked databases”, putting the estimated number of bank accounts leaked at around 100m.

The Unique Identification Authority of India (UIDAI), which issues the Aadhaar numbers, claims that there have been no leaks, according to The Times of India. The paper also quotes one official as saying something rather different:

While Aadhaar numbers are available, the biometric information is not … The leaked databases do not pose a real threat … because the Aadhaar number can not be misused without biometrics.

And it quotes another official as saying that the “Aadhaar number is not confidential just as bank account number which is mentioned in cheque books and shared with lot of people”.

It seems that, despite the official line, Aadhaar numbers are getting out into the public domain. The question has to be whether the personally identifiable information that is being published alongside them is enough for fraudsters to steal someone’s identity. I haven’t yet seen any reports of fraud being committed on the back of a stolen Aadhaar number. Only time will tell.

While this new, controversial ID system beds itself in, the world will be watching closely to see where the cracks in security are, how fraudsters take advantage and how the government reacts to plug any holes. We’ll certainly be keeping a close eye on developments.
Having had more than a week to digest Cloudbleed’s causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence the vulnerability, which leaked customer data from memory, was exploited by attackers. The bug, however, was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploited.

In the meantime, Cloudflare continues to work with Google and other search engine providers to scrub cached sites that could contain any leaked data from memory. “We’ve successfully removed more than 80,000 unique cached pages. That underestimates the total number because we’ve requested search engines purge and recrawl entire sites in some instances,” Prince said.

Prince said leaks have included internal Cloudflare headers and customer cookies, but there is no evidence of passwords, encryption keys, payment card data or health records among the leaks. The vulnerability was privately disclosed Feb 17 by Google Project Zero researcher Tavis Ormandy, who reported that he did see crypto keys, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among data from other requests. Ormandy initially said in a tweet that Cloudflare was leaking customer HTTPS sessions for Uber, FitBit, OKCupid and others, all of which said the impact of Cloudbleed on their data was minimal.

“While the bug was very bad and had the potential to be much worse,” Prince said.

Prince explained that the bug was triggered only when a webpage moving through the Cloudflare network contained HTML ending with an un-terminated attribute, and if a number of Cloudflare features were turned on. Those features work hand in hand with a Cloudflare stream parser used to scan and modify content in real time, such as rewriting HTTP links to HTTPS (a feature called Automatic HTTPS Rewrites) or hiding email addresses on a page from spammers (a feature called Email Address Obfuscation). The need to end with an un-terminated attribute was key.

“When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers’ requests are also in adjacent portions of memory on Cloudflare’s servers,” Prince said. “The bug caused the parser, when it encountered un-terminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers’ requests. The contents of that adjacent memory were then dumped onto the page with the flawed HTML”.

Anyone accessing one of those pages would see the memory dump, looking a lot like random text, Prince said. An attacker would need to pound one of those sites with numerous requests to trigger the bug and then record the results, getting a mix of useless data and sensitive information, Prince said.

“The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it,” Prince said. “For the last 12 days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched. We’ve found nothing so far to indicate that was the case”.
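The over-read Prince describes, as an added illustration that is not Cloudflare's parser code: a toy attribute scanner that stops only at a closing quote (the buggy form) beside one bounded by the page's own end (the fixed form), both run over a constructed page laid out back to back with constructed neighbouring request bytes in a single buffer. The page, the neighbour content and the `run_demo` helper are all assumptions made for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input: a page that ends inside a quoted attribute, followed in the
 * same buffer by bytes standing in for an adjacent customer's request. */
static const char PAGE[]     = "<p>hi</p><img src=\"https://";
static const char NEIGHBOR[] = "GET /account HTTP/1.1\r\nCookie: session=OTHER-CUSTOMER-SECRET\r\n";
static char arena[sizeof PAGE + sizeof NEIGHBOR];   /* zeroed, so it stays NUL-terminated */

/* Lay PAGE and NEIGHBOR out back to back, with no separator, and return the arena. */
static const char *build_arena(size_t *page_len, size_t *mem_len) {
    *page_len = sizeof PAGE - 1;
    *mem_len  = *page_len + sizeof NEIGHBOR - 1;
    memcpy(arena, PAGE, *page_len);
    memcpy(arena + *page_len, NEIGHBOR, sizeof NEIGHBOR - 1);
    return arena;
}

/* Buggy scanner: copies bytes until a closing quote, stopping only at the hard end
 * of memory. It never checks the page boundary, so an un-terminated attribute
 * makes it read straight on into the neighbouring request. */
static size_t attr_value_buggy(const char *p, const char *mem_end, char *out, size_t cap) {
    size_t n = 0;
    while (p < mem_end && *p != '"') { if (n + 1 < cap) out[n++] = *p; p++; }
    out[n] = '\0';
    return n;
}

/* Fixed scanner: the page's own end is the limit. Reaching it without a closing
 * quote is reported as -1 instead of being read past. */
static int attr_value_fixed(const char *p, const char *page_end, char *out, size_t cap) {
    size_t n = 0;
    while (p < page_end && *p != '"') { if (n + 1 < cap) out[n++] = *p; p++; }
    out[n] = '\0';
    return p < page_end ? (int)n : -1;
}

/* Run both scanners on the src attribute. Returns 1 if the fixed scanner rejected
 * the attribute while the buggy one pulled neighbour bytes into 'leak'. */
int run_demo(char *leak, size_t cap) {
    size_t page_len, mem_len;
    const char *mem = build_arena(&page_len, &mem_len);
    const char *attr = strstr(mem, "src=\"") + 5;    /* first byte of the attribute value */
    char fixed[128];
    int rc = attr_value_fixed(attr, mem + page_len, fixed, sizeof fixed);
    attr_value_buggy(attr, mem + mem_len, leak, cap);
    return rc == -1 && strstr(leak, "Cookie:") != NULL;
}
```

The contents of `leak` after `run_demo` are the "random text" a visitor would have seen: the attribute value followed by whatever sat next to the page in memory.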
Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug@cloudflare[.]com.

Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.