“A threat actor on a Darknet forum claiming to sell database and admin access of CoWIN and Covid-19 doesn’t seem to be a genuine claim,” Sunny Nehra, ethical hacker and malware analyst, told TOI. Nehra, who is the founder of computer security service Secure Your Hacks, also shared his observations on the basis of the data provided by the purported Iranian hacker.
What the CoWIN hacking report claims
Reports mention that a hacker shared a screenshot of access to the CoWIN platform, the web portal for Covid-19 vaccination registration. The platform is owned and operated by the Ministry of Health and Family Welfare and also displays available booking slots for the Covid-19 vaccine. The screenshot appears to include personal data such as mobile numbers of many health workers involved in the vaccination drive.
In a separate screenshot, information about the vaccination centre was shared. The hacker reportedly claimed he also controls the admin page of the CoWIN platform.
Citing its own investigation, the report further says that the name of the Iranian hacker is Nazila Blackhat and he/she is a member of Iran’s APT group Shield Iran Security Team. The hacker has reportedly shared a Telegram username on the dark web for future communication.
Why the CoWIN hacking claim is wrong, according to the ethical hacker
Nehra says that the screenshots shared by the purported hacker show that he/she has access to sensitive data of 5,000 users. “Why does the hacker have the data of only 5,000 users if he has admin access of the CoWIN platform?” Nehra asks.
The cybersecurity expert also pointed out that the Covid-19 screenshot seems to be of some “(old) broken page” of the Andhra Covid-19 website, and said that all the information provided by the hacker in that demo section of CoWIN is of users of Hukkeri, Gokak in Karnataka and nearby regions.
“And he has data of vaccinators and site managers (which seem less than 5,000) of some neighbouring places. The other possibility is that data shown in the screenshot is from a zonal account of CoWIN site,” Nehra said.
“So the screenshot seems to be of some local database or local breach instead of the main CoWIN website,” he added.
Speaking about the hacker, Nehra says that the threat actor isn’t an old player and has “less reputation.” He adds that he “had words with the threat actor,” and found that he/she impersonates another well-known hacker and is “some newbie.”