
Massive Data Leak Averted: Income Tax Site Bug Could Have Exposed Millions

09 October 2025 | Vanshika Verma

A major security problem in India’s income tax e-filing website was recently fixed, just in time to prevent a serious data leak. Before it was fixed, the bug could have let someone access private information of millions of taxpayers across the country. This included personal and financial details like names, home addresses, phone numbers, email IDs, dates of birth, bank account numbers, and Aadhaar numbers.

The problem was discovered in September by two independent security researchers, Akshay C.S. and an individual identifying as “Viral”, while they were filing their tax returns. During their assessment, the researchers realised that it was possible for any logged-in user to view data belonging to other taxpayers.

The researchers described the flaw as “an extremely low-hanging thing, but one that has a very severe consequence.” The vulnerability is categorised as an IDOR, or “insecure direct object reference”. It happened because the system didn’t properly check whether a logged-in user was allowed to see the information being requested. This meant that an attacker could change a small part of the website’s data request by putting in another person’s PAN number and get access to that person’s private details.
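To show what the missing check looks like in code, here is an added example that is not the portal's code or the researchers' work: a lookup that only checks for a login, beside one that checks the requested PAN against the session and logs refusals so repeated probing can be flagged. The record store, the `delegated` field, all function names and the PAN values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data; the PANs and record fields are placeholders.
RECORDS = {
    "AAAPA0001A": {"name": "Sample Taxpayer A", "bank_account": "000000000001"},
    "BBBPB0002B": {"name": "Sample Taxpayer B", "bank_account": "000000000002"},
    "CCCPC0003C": {"name": "Sample Company C", "bank_account": "000000000003"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

@dataclass(frozen=True)
class Session:
    pan: str                              # identity fixed by the server at login
    delegated: frozenset = frozenset()    # hypothetical: PANs this user may act for

def get_profile_vulnerable(session, requested_pan):
    # IDOR: authentication is checked, but the PAN in the request is trusted as-is.
    if session is None:
        raise Forbidden("login required")
    return RECORDS[requested_pan]

def get_profile_hardened(session, requested_pan, audit_log):
    if session is None:
        raise Forbidden("login required")
    # Object-level authorization: compare the requested PAN with what the
    # server-side session is entitled to, never with client-supplied state.
    if requested_pan not in ({session.pan} | session.delegated):
        audit_log.append({"actor": session.pan, "target": requested_pan})
        raise Forbidden("not authorised")
    record = RECORDS.get(requested_pan)
    if record is None:
        raise Forbidden("not authorised")   # same error as a refused PAN
    return record

def flag_enumeration(audit_log, threshold=2):
    """Return actors refused on at least `threshold` distinct PANs."""
    targets = defaultdict(set)
    for event in audit_log:
        targets[event["actor"]].add(event["target"])
    return sorted(a for a, t in targets.items() if len(t) >= threshold)
```

The hardened function returns the same error for a PAN that does not exist and one the caller may not read, so the response does not reveal which PANs are registered.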

The bug affected both individuals and companies registered on the government’s tax portal. It even allowed access to data of users who hadn’t yet filed their return for the current financial year.

Soon after discovering the issue, the two researchers reported it to the Indian Computer Emergency Response Team (CERT-In). CERT-In confirmed they received the alert and quickly passed the information to the Income Tax Department so the problem could be fixed. A few weeks later, by early October, the researchers checked again and found that the bug had been fixed, and the vulnerability could no longer be used.

The Income Tax Department didn’t release a detailed public statement but did confirm that they received emails about the issue. The Ministry of Finance did not respond to questions from the media. It’s still not clear how long the bug had been there or whether anyone had taken advantage of it before it was fixed.

India’s income tax portal has over 135 million registered users, and about 76 million people filed their tax returns for the 2024–25 financial year. Because of that huge number, the damage could have been very serious if the flaw had been discovered by someone with bad intentions.