IRCTC Heist: Aadhaar Mandate for Tatkal Locks Out Users; Accounts Go Up For Sale

Linking Aadhaar with IRCTC accounts for Tatkal bookings has left many users locked out of their accounts. Here's why.

Rupinder Kaur

Many IRCTC users have been logged out of their profiles after linking it with Aadhaar.

(Photo: The Quint)


The battle for Tatkal bookings isn’t just about cracking your knuckles and hitting the ‘Login’ button right on time, but also ensuring that your IRCTC account is still yours. 

Confused?

So are many other users posting their concerns on social media about being booted out of their IRCTC accounts after the Railway Ministry’s official notification made Aadhaar mandatory for Tatkal bookings effective 1 July 2025. The step is billed as a move to “improve transparency” and “reach genuine end users”, thereby eliminating touts. But within days, cybercriminals turned this new measure into a new vulnerability. 

Community posting website Reddit had posts titled “ID hacked”, “Please help!” and “What do I do?”, highlighting how profiles were updated without the account holders’ knowledge.

The registered mobile numbers and email IDs linked to their profiles have been altered, blocking them from resetting their password. Moreover, hackers can also access the IRCTC e-Wallet.

Soon enough, Aadhaar-linked IRCTC IDs were also being sold on Telegram channels and WhatsApp groups for Rs 300-400 each. 

Telegram channels and websites selling Aadhaar-linked IRCTC accounts in bulk.

(Photo: The Quint)

Based on expert analysis and The Quint’s ‘Scamguard’ initiative’s ongoing investigation, we decode how cybercriminals are hijacking accounts:

Key Tactics

  • Credential Stuffing: Hackers use compromised credentials (email IDs/usernames, and passwords) and bots to automate the process of continuously logging into accounts. Such attacks are often successful since users tend to reuse the same username and/or passwords for different accounts. Additionally, the lack of strong password rules and the absence of two-factor authentication (2FA) make the system more susceptible to leaks.

  • Autofill Software: Telegram channels selling Aadhaar-verified IDs were also seen attaching a link to a software called ‘Ocean’ and an unnamed extension, which help autofill login details, passengers’ information, payment fields, and even bypass security measures like CAPTCHAs. The updates to the software are regularly announced on the channel. One of the channels has a website selling verified IDs in bulk and other “booking tools”. They also offer tutorials uploaded to YouTube, providing a step-by-step process for buying IDs.

Chrome extensions and updated software to autofill details and bypass captcha are listed regularly on Telegram channels.

(Photo: The Quint)

Telegram channels also link websites which list extensions and software for sale.

(Photo: The Quint)

  • Exploiting APIs: Cyberattackers also look for weak spots when it comes to IRCTC’s integration with other services such as banks, insurance providers and Aadhaar. In 2018, for instance, a security vulnerability was discovered concerning the IRCTC website and mobile app that were connected to a third-party travel insurance provider. According to an Economic Times report, the passenger's details were automatically transmitted to the travel insurers. Subimal Bhattacharjee, a cybersecurity specialist, says, “They (hackers) may have targeted the transition period when users were forced to re-verify accounts with Aadhaar.” 

  • Data Harvesting and Scraping: Once hackers break into multiple accounts, they extract profile details, such as Aadhaar numbers and payment information, identifying which profiles are verified. Once the collection is made, they refuel the underground market for the Aadhaar-verified IDs.

  • Phishing Attempt: Hackers may use “social engineering techniques to steal credentials”, adds Bhattacharjee. Fake IRCTC login pages can trick users into sharing their usernames and passwords. This particular tactic also supplements their technical exploits, thus adding to the pool of compromised accounts. 


User Protection

Cyber lawyer Prashant Mali calls for the enforcement of a strong two-factor authentication along with implementing “zero-trust audits across third-party vendors” and notifying affected users. “Aadhaar is not just another ID - it’s linked to one’s digital identity, financial services, and now even their travel history. Regulatory bodies such as CERT-In and UIDAI should investigate under the IT Act, 2000, and the Digital Personal Data Protection Act, 2023,” he adds.  

“It is a big worry if you cannot access your account and are also unable to restore it,” says Subimal Bhattacharjee, who also emphasised the need for the ministry to follow “best practices”.

“They are mandated to conduct security audits, which should have identified the flaws. They need to make significant corrections regarding the software or processes they use.”
Subimal Bhattacharjee, cybersecurity specialist

IRCTC’s AI-driven anti-bot system has already helped reduce automated bot traffic, which makes up 50 percent of all login attempts. It is essential for the ministry to invest in such tools and monitor traffic so it can detect and stop suspicious increases in logins.  
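One way to implement the login monitoring described above, as an added example that is not code from The Quint or IRCTC: it flags sources that try many distinct usernames with mostly failed logins, then lists accounts whose registered mobile/email changed shortly after a successful login from such a source. The log fields, event names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real IRCTC logs): (epoch_sec, source_ip, username, event, ok)
EVENTS = [
    (1000, "203.0.113.7", "user01", "login", False),
    (1002, "203.0.113.7", "user02", "login", False),
    (1004, "203.0.113.7", "user03", "login", True),
    (1006, "203.0.113.7", "user04", "login", False),
    (1008, "203.0.113.7", "user05", "login", False),
    (1030, "203.0.113.7", "user03", "contact_change", True),
    (1100, "198.51.100.20", "user09", "login", False),
    (1110, "198.51.100.20", "user09", "login", True),
    (1500, "198.51.100.20", "user09", "contact_change", True),
]

def stuffing_sources(events, window=60, min_users=5, min_fail_ratio=0.6):
    """Sources that try many distinct usernames, mostly failing, inside one window."""
    by_src = defaultdict(list)
    for ts, src, user, event, ok in events:
        if event == "login":
            by_src[src].append((ts, user, ok))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window` seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.add(src)
                break
    return flagged

def takeover_candidates(events, flagged, window=300):
    """Accounts whose mobile/email changed soon after a successful login from a flagged source."""
    last_ok, hits = {}, []
    for ts, src, user, event, ok in sorted(events):
        if event == "login" and ok and src in flagged:
            last_ok[user] = ts
        elif event == "contact_change" and user in last_ok and ts - last_ok[user] <= window:
            hits.append(user)
    return hits
```

The second source in the sample retries a single account and changes its contact details later, so it is not flagged; only the many-usernames pattern followed by a quick contact change is reported.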

The IRCTC hacks not only expose technical flaws but also reveal broader vulnerabilities in India’s digital infrastructure. Systems designed to verify and shield users turn into channels for data theft. As every essential service is being linked to a digital identity, questions arise about the protection of citizens’ data. In this race toward a digital economy, has India prioritised expansion over security? And what will help secure the public’s trust in these digital ambitions?
