CoWIN Data Breach: Government Responds, Says no Direct Breach of CoWIN App or Database

According to the government, CoWIN data access is available at three levels — the vaccine recipient, an authorised vaccinator, and third-party apps.


The government has clarified there are no public APIs offering access to data without an OTP

  • The government has denied any breach of CoWIN databases
  • CoWIN data can be accessed at three levels, as per the government
  • CERT-In shared its findings after the alleged data breach surfaced online

The government on Monday responded to reports of an alleged data breach of the CoWIN database, stating that the data appeared to have been sourced from a different database containing information stolen in the past. The response follows reports that an automated bot on Telegram was surfacing personal details of people who had registered with the CoWIN platform to receive COVID vaccinations during the pandemic. The government has also claimed that it did not appear that the CoWIN app or database had been directly breached.

Hours after reports of the alleged data breach, Minister of State for Electronics and Technology Rajeev Chandrasekhar stated on Twitter that the Indian Computer Emergency Response Team (CERT-In) had responded and reviewed the reports of breaches that surfaced on social media on Monday. The minister stated a Telegram bot was sharing CoWIN app details when a phone number was entered. The bot was reportedly taken down shortly after it was discovered and covered by news outlets on Monday.

According to Chandrasekhar, the bot was accessing data from a threat actor database. The information available in this database appears to have been sourced from data stolen in the past from an older breach. However, the minister did not share additional details of the previous breach, including whether it was another government entity, whether it was detected before Monday, and whether it was disclosed by CERT-In.

In his tweet, Chandrasekhar also stated that it did not appear that either the CoWIN app or database was directly breached. The minister has not explained how the details of users who registered with CoWIN became available if neither the CoWIN app nor the website was directly affected by a data breach.

Meanwhile, the government issued a press release stating that CoWIN data access was available at three levels — the vaccine recipient, the authorised vaccinator, and third-party applications that had API-based (application programming interface) access that only works via user one-time password (OTP) authentication. The government states that the platform logs each attempt by an authorised vaccinator to access the CoWIN system.

The government also states that data from the CoWIN platform could not be shared with an automated bot without an OTP sent to the vaccine recipient, as there was no public API with such a level of access. Similarly, the system did not record a recipient's address and only recorded the year of birth for vaccination, unlike the posts shared on social media that show the bot responded with the vaccine recipient's date of birth.

CoWIN's development team also confirmed that some APIs were shared with third parties like the Indian Council for Medical Research (ICMR) and requests were only accepted by a trusted API whitelisted by the CoWIN application — which suggests there was at least one API that could access data without an OTP. CERT-In has been asked by the Union Health Ministry to investigate the issue and submit a report on its findings, according to the government.

David Delima
As a writer on technology with Gadgets 360, David Delima is interested in open-source technology, cybersecurity, consumer privacy, and loves to read and write about how the Internet works. David can be contacted on Twitter at @DxDavey.