Shocking news for EPFO members! Serious security flaw in UMANG portal. Are your PF funds at risk?
- byPranay Jain
- 16 Jul, 2026
There's some serious worrying news for millions of employed people in the country. Serious security flaws have been found in the Umang portal, which integrates hundreds of central and state government services, putting employees' hard-earned money and personal data at risk. Following the revelations by two security researchers, the Employees' Provident Fund Organisation (EPFO) has shut down some services on its online portal, citing migration.
The EPFO module is the most used service on the Umang app, recording over 400 million transactions in the last three months. This technical flaw has raised serious questions about the security and privacy of ordinary employees who have chosen a fully digital option for their pension and PF.
Researchers Akshay C.S. and Viral Vaghela explained that the flaws likely existed for several years and impacted many of the services tested on the Umang portal, which currently offers over 2,400 services. They said the root of the problem lies in the portal's infrastructure. According to Vaghela, the flaw is actually in its design. The exposed data includes the EPFO's Universal Account Number (UNA), LPG cylinder booking details from at least one major oil marketing company, and Aadhaar numbers stored on several services that store user identity information. On many services, Aadhaar numbers were found in plaintext without any security coding, which is prohibited under the Aadhaar Act, 2016.
Ministry acknowledges vulnerabilities
The Ministry of Electronics and Information Technology has acknowledged these security vulnerabilities. According to the ministry, API transaction logs from the last three months have been reviewed. The report claims that despite the government's measures, these vulnerabilities still exist. They can still be avoided using a simple workaround. Akshay and Vaghela reported both vulnerabilities to the Ministry of Information Technology and the Computer Emergency Response Team, India, which issues advisories and workarounds to organizations across the country regarding such security vulnerabilities.
According to the report, if a cyber-fraudster already has your UNA number, they can exploit this vulnerability. They can hack the portal, change your bank account number, and transfer (payout) your PF amount to their own account.
Still hiding information
The initial security measures taken by the government after the flaw was discovered failed to secure the system. Instead of fixing the problem, they simply tried to hide it, which instead of strengthening the security, created a new technical flaw.
PC: Navarashtra





