The Indian Express: New Delhi: Wednesday, 26 November 2025.
The ‘stolen’ data includes owner IDs as well as users’ first and last names, phone numbers, email addresses, and passwords.
A hacker has claimed to be
circulating an expansive database relating to lakhs of users of Adda, the
community and housing society management platform used by several apartments,
villas, and gated independent houses in India as well as other countries.
Using the alias ‘Blinkers’, the hacker uploaded the personal details of over 1.86 million (18.6 lakh) Adda users to a popular hacking forum on late Sunday night, November 23, according to a report by data breach monitoring websites Leakd and HaveIBeenPwned.
The trove of personal data is 145 MB in size, when uncompressed, and has reportedly been circulated among “underground cybercrime communities”. The purportedly stolen data includes owner IDs as well as users’ first and last names, phone numbers, email addresses, and passwords (hashed with redundant MD5 hashing algorithm), as per the report.
The hacker claimed that the data breach was carried out in March 2025. The potential exposure of personally identifiable information in this manner could pose several risks to users. For instance, threat actors could leverage names and phone numbers to initiate phishing attacks. The user credentials that surface from one data breach could also be used by threat actors to attempt to log into user accounts on other platforms. This type of cyber attack is known as credential stuffing.
The Indian Express has reached out to Adda for a confirmation of the alleged breach and will update this report once a response is received.
The allegedly stolen Adda user data has surfaced days after the Digital Personal Data Protection (DPDP) Rules, 2025, were notified by the Ministry of Electronics and Information Technology (MeitY), paving the way for India to have a functional data protection law.
While certain provisions of the law such as the Right to Information (RTI) Act amendment and establishment of the Data Protection Board (DPB) of India are currently in force, other sections pertaining to safeguarding citizens are yet to come into effect.
For instance, the requirement for entities to seek informed consent from users before processing their personal data, using their personal data only for specified legitimate uses, and for entities to notify data breaches to users, will all only be operationalised after 18 months.
Though, the compliance timeline may vary for big tech companies and start-ups.
A user’s phone number and email address is classified as ‘personal data’ under the DPDP Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
What is ADDA.io?
Adda.io is a digital platform used by residential communities such as apartments, villas, and gated societies to manage daily operations such as visitor management, billing and collection of society dues, sharing community notices, facility booking, assets and inventory management, etc.
The Bengaluru-headquartered company was founded in 2009 by CEO San Banerjee along with CTO Venkat Kandaswamy and Aashika Sripathi. Formerly Apartment Adda, the platform was rebranded to Adda.io in 2019 with a focus on building a private social network at its core. 3Five8 Technologies, the parent company of Adda.io, has several offerings such as an accounting product called Adda Books and Adda Gatekeeper, its gate management solution.
The company has clients in over 10 countries, including India, the US, the Middle East, and Singapore. Its total client base in India exceeds 3,500 Communities with properties of several major developers like DLF, Rustomjee, Prestige, Sobha, Oberoi, Seawoods Estates, and Brigade using the company’s society management software, as per a 2024 PTI report.
Why do gate management apps raise concerns?
During the COVID-19 pandemic, society and community management applications such as MyGate, Adda GateKeeper, and NoBrokerhood surged in popularity among gated communities in India, particularly in metro cities like Delhi and Bengaluru. Though, adoption also quickly expanded to cover smaller cities such as Kochi, Nagpur and Jaipur.
These apps are primarily used to log who enters and exits apartment buildings and other gated colonies. Residents are required to register on the client-side of the application while security guards get the manager side of the app. Nowadays, gate management apps are also used to list service providers like grocery sellers and cleaning services. Some of them are known to record biometric data of domestic workers while others offer built-in chat features for members of the residential communities.
However, privacy experts and digital rights advocates have raised concerns of surveillance and data misuse in the past. While these apps “may seem quite fascinating and convenient, several pressing issues arise including problems of workplace and peer surveillance along with potential function creep for the residents and visitors alike, of the society,” the Internet Freedom Foundation (IFF) said in a 2021 blog post.
“Applications such as MyGate and Adda categorically claim to be compliant with the GDPR [European Union’s General Data Protection Regulation] and the ISO 27001 security standards and have also stated that they use strong encryption while also having purpose limitations and data minimisation built-in. However, often the challenge that emerges from using these applications is not just that of data loss or breach, but rather of workplace and peer surveillance,” the Delhi-based non-profit added.
The ‘stolen’ data includes owner IDs as well as users’ first and last names, phone numbers, email addresses, and passwords.
Using the alias ‘Blinkers’, the hacker uploaded the personal details of over 1.86 million (18.6 lakh) Adda users to a popular hacking forum on late Sunday night, November 23, according to a report by data breach monitoring websites Leakd and HaveIBeenPwned.
The trove of personal data is 145 MB in size, when uncompressed, and has reportedly been circulated among “underground cybercrime communities”. The purportedly stolen data includes owner IDs as well as users’ first and last names, phone numbers, email addresses, and passwords (hashed with redundant MD5 hashing algorithm), as per the report.
The hacker claimed that the data breach was carried out in March 2025. The potential exposure of personally identifiable information in this manner could pose several risks to users. For instance, threat actors could leverage names and phone numbers to initiate phishing attacks. The user credentials that surface from one data breach could also be used by threat actors to attempt to log into user accounts on other platforms. This type of cyber attack is known as credential stuffing.
The Indian Express has reached out to Adda for a confirmation of the alleged breach and will update this report once a response is received.
The allegedly stolen Adda user data has surfaced days after the Digital Personal Data Protection (DPDP) Rules, 2025, were notified by the Ministry of Electronics and Information Technology (MeitY), paving the way for India to have a functional data protection law.
While certain provisions of the law such as the Right to Information (RTI) Act amendment and establishment of the Data Protection Board (DPB) of India are currently in force, other sections pertaining to safeguarding citizens are yet to come into effect.
For instance, the requirement for entities to seek informed consent from users before processing their personal data, using their personal data only for specified legitimate uses, and for entities to notify data breaches to users, will all only be operationalised after 18 months.
Though, the compliance timeline may vary for big tech companies and start-ups.
A user’s phone number and email address is classified as ‘personal data’ under the DPDP Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
What is ADDA.io?
Adda.io is a digital platform used by residential communities such as apartments, villas, and gated societies to manage daily operations such as visitor management, billing and collection of society dues, sharing community notices, facility booking, assets and inventory management, etc.
The Bengaluru-headquartered company was founded in 2009 by CEO San Banerjee along with CTO Venkat Kandaswamy and Aashika Sripathi. Formerly Apartment Adda, the platform was rebranded to Adda.io in 2019 with a focus on building a private social network at its core. 3Five8 Technologies, the parent company of Adda.io, has several offerings such as an accounting product called Adda Books and Adda Gatekeeper, its gate management solution.
The company has clients in over 10 countries, including India, the US, the Middle East, and Singapore. Its total client base in India exceeds 3,500 Communities with properties of several major developers like DLF, Rustomjee, Prestige, Sobha, Oberoi, Seawoods Estates, and Brigade using the company’s society management software, as per a 2024 PTI report.
Why do gate management apps raise concerns?
During the COVID-19 pandemic, society and community management applications such as MyGate, Adda GateKeeper, and NoBrokerhood surged in popularity among gated communities in India, particularly in metro cities like Delhi and Bengaluru. Though, adoption also quickly expanded to cover smaller cities such as Kochi, Nagpur and Jaipur.
These apps are primarily used to log who enters and exits apartment buildings and other gated colonies. Residents are required to register on the client-side of the application while security guards get the manager side of the app. Nowadays, gate management apps are also used to list service providers like grocery sellers and cleaning services. Some of them are known to record biometric data of domestic workers while others offer built-in chat features for members of the residential communities.
However, privacy experts and digital rights advocates have raised concerns of surveillance and data misuse in the past. While these apps “may seem quite fascinating and convenient, several pressing issues arise including problems of workplace and peer surveillance along with potential function creep for the residents and visitors alike, of the society,” the Internet Freedom Foundation (IFF) said in a 2021 blog post.
“Applications such as MyGate and Adda categorically claim to be compliant with the GDPR [European Union’s General Data Protection Regulation] and the ISO 27001 security standards and have also stated that they use strong encryption while also having purpose limitations and data minimisation built-in. However, often the challenge that emerges from using these applications is not just that of data loss or breach, but rather of workplace and peer surveillance,” the Delhi-based non-profit added.
.JPG)
.JPG)
