Two years after the CoWIN bot, where the data went.
The June 2023 CoWIN exposure produced cold-calling outfits that are still active. Tracing a single exposed phone number through 22 months of misuse.
We traced the downstream usage of one consenting Vault.in user's phone number from the June 2023 CoWIN Telegram bot incident through to today.
The initial exposure.
In June 2023, a Telegram bot allowed lookups of CoWIN registration data by phone number. The lookups returned name, date of birth, last digits of Aadhaar, and vaccination details. CERT-In investigated; the Ministry of Health denied a direct breach and attributed the data to a different source. The bot was taken down within days; the underlying database circulated for months afterward.
Month 3: First cold call.
Our user (with consent for this trace) received the first call linkable to the exposure on 22 September 2023, three months after the initial bot incident. The caller claimed to be from "the Ministry's CoWIN verification team" and cited the user's first dose date correctly. The pitch was for a paid "certificate verification service" with a Rs 499 fee.
The user reported the number to TRAI's DND service. The number stopped calling within a week. A different number with the same pitch began calling two weeks later.
Month 8: Cross-pollination to financial scams.
In February 2024, the user began receiving scam calls that cited real vaccination details in the context of a banking pitch. The caller claimed to be from a bank's "fraud prevention" desk and used the user's first dose date as a "verification step" before pivoting to a request for an OTP. This is a common cross-pollination pattern: information from one exposure becomes a credibility prop in scams targeting other accounts.
Month 14: Dark web sighting.
In August 2024, our threat-intel partner sighted a database listing on a Russian-language forum that included this user's phone number paired with the original CoWIN fields. The listing priced the database at $2,400 for the full set. We captured the listing as part of our user's evidence pack.
Month 22: Current state.
As of April 2026, the user's phone number remains in active circulation among cold-calling operations. The frequency has dropped from roughly twenty calls per month at peak to roughly six per month today. The drop tracks our Section 12 enforcement against intermediate buyers: B2B prospecting databases to which we sent Section 12 notices, citing the CoWIN-derived data as the source.
We cannot make the underlying CoWIN-derived data un-leaked. We can make it less commercially attractive by raising the legal cost of using it.
What we tell our users.
Three things.
First, an exposure does not have a useful end date. Two years out, the data is still in circulation, just at a lower temperature. The privacy score should account for this; we down-weight (but do not zero) old exposures.
Second, the way to reduce risk is to raise the legal cost of using the data downstream. Section 12 notices to intermediate buyers work, slowly, to discourage the data from being included in commercial products.
Third, the cleanest mitigation for an exposed phone number is rotation. We don't recommend this lightly; the operational cost of changing a phone number in India is significant. But for severity-10 exposures, it is sometimes the right call.