Two cybersecurity researchers have reported security flaws in India’s UMANG platform, a flagship e-governance portal that aggregates hundreds of central, state and local government services into a single digital interface. The researchers say the issues arise from the underlying architecture of the portal, and could potentially expose sensitive citizen data, including Aadhaar-linked information and EPFO Universal Account Numbers (UANs), across multiple services.
UMANG, developed by the Ministry of Electronics and Information Technology (MeitY) and the National e-Governance Division (NeGD), is positioned as a secure, scalable platform supporting Aadhaar-based and other authentication mechanisms while storing profile data in encrypted form. It is designed to offer citizens access to a wide set of e-government services through mobile apps, web, SMS and IVR channels, and is central to India’s “mobile‑first” governance strategy. Recent rule changes have also tied EPFO services more closely to UMANG, making Aadhaar-based face authentication mandatory for UAN generation and activation via the app, further increasing the portal’s importance for working professionals.
The newly reported vulnerabilities suggest that despite this security positioning, certain design flaws may allow exposure of EPFO UANs, Aadhaar‑linked details and other service data if exploited. One account notes that the portal has been used crores of times in recent months for hundreds of government services, emphasizing the potential scale of impact if the flaws are not addressed. Another report warns that data associated with LPG bookings and other services accessed through UMANG could also be at risk.
Officials maintain public communication channels for UMANG, highlighting encrypted data exchange, secure API-based integrations and assurances that the platform does not store personal data beyond what is needed for service access. However, media coverage and researcher commentary indicate that the risks are linked to how UMANG integrates and exposes data across its many services rather than a single misconfigured application.
Government agencies and UMANG’s operators have not yet provided detailed technical disclosures in the public domain about remediation steps, but users are being advised in some reports to rely only on official UMANG apps and websites and to remain vigilant against phishing or suspicious login attempts. As scrutiny of India’s digital public infrastructure intensifies, the UMANG case is likely to be watched closely by regulators, security professionals and citizens who depend on the platform for everyday access to Aadhaar, EPFO and other critical government services.
Read Article: Karnataka Announces India’s First Government-Driven AI University, Plans Dedicated AI Hub

