A hacker under the alias ‘Blinkers’ leaked a database containing 1.86 million (18.6 lakh) Adda.io user records on a hacking forum on November 23, 2025, claiming the breach occurred in March 2025. The exposed data (145 MB uncompressed) includes owner IDs, full names, phone numbers, email addresses, and MD5-hashed passwords, now circulating in underground cybercrime communities. The breach poses risks like phishing attacks, credential stuffing, and identity theft, as threat actors exploit the PII (Personally Identifiable Information) for fraudulent activities. The incident surfaced shortly after India’s Digital Personal Data Protection (DPDP) Rules, 2025 were notified, though key provisions (e.g., mandatory breach notifications) are not yet enforceable. Adda.io, a community and housing society management platform used by 3,500+ Indian communities and global clients, manages sensitive operations like visitor logs, billing, and facility bookings. The breach undermines user trust and highlights vulnerabilities in platforms handling residential and biometric data amid growing concerns over surveillance and data misuse by such apps.
ADDA.io cybersecurity rating report: https://www.rankiteo.com/company/addasoftware
"id": "ADD3230332112425",
"linkid": "addasoftware",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,860,000',
'industry': 'PropTech / Community Management SaaS',
'location': {'headquarters': 'Bengaluru, India',
'operations': ['India',
'USA',
'Middle East',
'Singapore',
'10+ countries']},
'name': 'Adda.io (3Five8 Technologies)',
'size': {'clients': '3,500+ communities in India',
'users_affected': '1,860,000 (18.6 lakh)'},
'type': 'Private Company'}],
'data_breach': {'data_encryption': 'Weak (MD5 hashing, considered redundant)',
'data_exfiltration': True,
'file_types_exposed': ['Database dump (likely CSV/JSON)'],
'number_of_records_exposed': '1,860,000',
'personally_identifiable_information': ['Full Names',
'Phone Numbers',
'Email Addresses',
'Owner IDs',
'Passwords '
'(MD5-hashed)'],
'sensitivity_of_data': 'High (PII + weak password hashes)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Authentication Credentials']},
'date_publicly_disclosed': '2025-11-24',
'description': "A hacker using the alias 'Blinkers' claimed to have leaked a "
'database containing personal details of over 1.86 million '
'(18.6 lakh) users of Adda.io, a community and housing society '
'management platform. The leaked data (145 MB uncompressed) '
'includes owner IDs, first/last names, phone numbers, email '
'addresses, and MD5-hashed passwords. The breach was allegedly '
'carried out in March 2025, with the data circulated on '
'underground cybercrime forums on November 23, 2025. The '
'incident poses risks of phishing, credential stuffing, and '
'identity theft.',
'impact': {'brand_reputation_impact': 'High (Potential loss of trust due to '
'exposure of PII and weak hashing)',
'data_compromised': True,
'identity_theft_risk': 'High (Exposed PII enables '
'phishing/credential stuffing)',
'legal_liabilities': 'Potential (Non-compliance with DPDP Act '
'2023, though enforcement timeline unclear)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['User PII',
'Authentication '
'Credentials']},
'investigation_status': 'Unconfirmed (Adda.io has not responded to media '
'inquiries)',
'motivation': ['Financial Gain (Data Sale)',
'Reputation (Hacker Forum Clout)'],
'post_incident_analysis': {'root_causes': ['Inadequate password hashing (MD5)',
'Potential lack of intrusion '
'detection/monitoring',
'Possible misconfiguration in '
'database security']},
'recommendations': ['Replace MD5 hashing with bcrypt/Argon2 for password '
'storage',
'Implement multi-factor authentication (MFA) for user '
'accounts',
'Conduct third-party security audits to validate GDPR/ISO '
'27001 compliance',
'Proactively notify affected users despite DPDP '
'enforcement timeline',
'Monitor dark web for further data leaks or credential '
'stuffing attempts'],
'references': [{'date_accessed': '2025-11-24', 'source': 'The Indian Express'},
{'date_accessed': '2025-11-23',
'source': 'Leakd (Data Breach Monitoring)'},
{'date_accessed': '2025-11-23', 'source': 'HaveIBeenPwned'},
{'source': 'Internet Freedom Foundation (IFF) Blog (2021)'},
{'source': 'PTI Report (2024)'}],
'regulatory_compliance': {'regulations_violated': [{'name': 'Digital Personal '
'Data Protection '
'(DPDP) Act, 2023 '
'(India)',
'relevant_sections': ['Unauthorised '
'processing',
'Confidentiality '
'breach'],
'status': 'Potential '
'Violation '
'(Breach '
'notification '
'and consent '
'provisions not '
'yet enforced '
'as of Nov '
'2025)'},
{'name': 'General Data '
'Protection '
'Regulation '
'(GDPR) (EU)',
'relevant_sections': ['Article '
'32 '
'(Security '
'of '
'Processing)',
'Article '
'33 '
'(Breach '
'Notification)'],
'status': 'Claimed '
'Compliance '
'(Company '
'states GDPR '
'compliance, '
'but breach '
'contradicts)'},
{'name': 'ISO 27001',
'status': 'Claimed '
'Compliance '
'(Company '
'states '
'adherence, but '
'breach '
'suggests '
'gaps)'}]},
'response': {'communication_strategy': 'Media outreach by *The Indian '
'Express* for confirmation; no '
'official statement yet'},
'threat_actor': {'alias': 'Blinkers', 'type': 'Individual Hacker'},
'title': 'Data Breach at Adda.io Exposing 1.86 Million User Records',
'type': 'Data Breach'}