Major Security Flaw in Income Tax Website Could Have Exposed Sensitive Data of Millions of Taxpayers — Here’s What Happened
A major security flaw in India’s Income Tax e-filing portal exposed sensitive data of millions of taxpayers, including bank and Aadhaar details. The government has since fixed the issue after CERT-In intervention.
The Indian government patched a critical security flaw in the Income Tax e-filing portal that could have exposed sensitive personal and financial data of taxpayers.

A significant security vulnerability in the Income Tax e-filing portal, reported by ethical hackers, has caught the attention of the Indian government. The issue is not new: it had been present for a long time, and left unprotected it could have harmed millions of taxpayers by exposing their personal and financial data.
🔒 What Was the Flaw?
Two cybersecurity researchers, Viral and Akshay CS, discovered the vulnerability while filing their tax returns in September 2025. They found that the bug allowed any logged-in user to access the private data of other taxpayers without authorization.
The compromised information reportedly included:
- Full names
- Dates of birth
- Email addresses and phone numbers
- Bank account details
- Residential addresses
- Aadhaar and PAN numbers
Experts warned that if this data had been leaked online, it could have resulted in identity theft, financial fraud, and large-scale privacy breaches.
⚠️ What Caused the Security Breach
The flaw was identified as an IDOR (Insecure Direct Object Reference) vulnerability — a type of bug that allows unauthorized users to access data by altering parameters in web requests.
As the researchers told TechCrunch:
“This is an extremely low-hanging vulnerability, but one that could have very severe consequences.”
Essentially, the portal failed to verify whether a logged-in user was authorized to view another taxpayer’s details. In simple terms, anyone with a PAN number could have potentially viewed someone else’s private information.
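The missing check described above can be shown in a few lines. This is an added illustration, not code from the portal or from the researchers: the function names, the `Session` type, the delegated-access field and the sample records are all hypothetical and constructed for the example.

```python
# Added illustration: hypothetical names, constructed records; not the portal's code.
from dataclasses import dataclass

# Constructed sample records keyed by a made-up taxpayer identifier.
PROFILES = {
    "AAAAA0001A": {"name": "Sample User One", "bank_account": "XXXX-0001"},
    "BBBBB0002B": {"name": "Sample User Two", "bank_account": "XXXX-0002"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session: who authenticated, and which records they may act for."""
    user_id: str
    delegated_ids: frozenset = frozenset()  # assumption: e.g. an authorised representative


class Forbidden(Exception):
    """Raised when the session is not authorised for the requested record."""


def get_profile_vulnerable(session: Session, requested_id: str) -> dict:
    # IDOR: the identifier from the request is trusted as-is. Being logged in
    # is checked elsewhere, but ownership of requested_id never is.
    return PROFILES[requested_id]


def get_profile_checked(session: Session, requested_id: str, audit: list) -> dict:
    # Object-level authorisation: compare the requested record with the
    # identity bound to the session on the server, not with request data.
    allowed = {session.user_id} | session.delegated_ids
    if requested_id not in allowed:
        # Record the denial so repeated cross-account lookups can be detected.
        audit.append({"actor": session.user_id, "target": requested_id, "result": "denied"})
        raise Forbidden("not authorised for this record")
    # A missing record gets the same error as a forbidden one, so responses
    # do not reveal which identifiers exist.
    profile = PROFILES.get(requested_id)
    if profile is None:
        raise Forbidden("not authorised for this record")
    return profile
```

The audit entries written on each denial give a monitoring team something to alert on, such as one account being refused many different identifiers in a short period.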
🧾 How It Was Reported and Fixed
Upon discovering the issue, the researchers promptly reported the vulnerability to CERT-In (Indian Computer Emergency Response Team). The government took immediate action, and by early October 2025, officials confirmed that the flaw had been fixed.
Although the Income Tax Department did not issue a detailed public statement, it acknowledged receiving security reports regarding the issue and assured that the bug was patched swiftly.
👥 Scale of Potential Impact
The Income Tax e-filing portal currently has a user base of approximately 135 million registered users, of whom 76 million are taxpayers who have already filed their returns for the financial year 2024–25. The breach was said to have affected both individual taxpayers and registered entities, and even those who had not yet submitted their returns this year.
Cyber experts have praised the speed with which the authorities reacted, but they also suggest that the incident could have been avoided with more rigorous data protection measures and regular security audits.