A major data breach has reportedly exposed the personal information of more than 18.6 lakh users of Adda.io, one of India’s largest community and housing society management platforms. The breach came to light after a hacker using the alias “Blinkers” uploaded a dataset containing sensitive user details to a well-known cybercrime forum late on November 23, 2025.
Adda.io is widely used by apartment associations, gated communities, and villa complexes across India and overseas for facility management, billing, security gate operations, and resident communication.
Massive Dataset Circulated on Underground Forums
According to breach-monitoring platforms Leakd and HaveIBeenPwned, the leaked database—145 MB when uncompressed—contains:
Owner IDs
First and last names
Phone numbers
Email addresses
Passwords hashed using outdated MD5, a weak and easily compromised algorithm
The hacker claims the data was exfiltrated in March 2025 and has since been shared within underground cybercrime markets.
Security researchers warn that the exposed information could be weaponized for phishing, targeted social-engineering attacks, and credential-stuffing, where attackers try stolen passwords across different platforms.
Breach Surfaces Days After DPDP Rules 2025 Notification
The breach comes at a sensitive time, following the government’s recent notification of the Digital Personal Data Protection (DPDP) Rules 2025, which will bring several new obligations for organizations handling personal data.
However, many critical provisions—including mandatory breach notifications, informed consent, and purpose-limited processing—will only come into force after an 18-month transition period. The timeline may vary between large tech companies and startups.
Under the DPDP Act, phone numbers and email addresses are classified as personal data, and unauthorized disclosure falls under the definition of a personal data breach. If confirmed, Adda.io may eventually face scrutiny under the upcoming compliance regime.
What Is Adda.io?
Founded in 2009, Adda.io (formerly Apartment Adda) is run by 3Five8 Technologies, headquartered in Bengaluru. The platform provides:
Security gate management (Adda Gatekeeper)
Visitor monitoring
Billing and payment collection
Facility booking
Asset and inventory management
Resident communication tools
The company claims clients across 10+ countries and more than 3,500 communities in India, including properties by major developers such as DLF, Oberoi, Rustomjee, Sobha, Prestige, and Brigade.
Gate-Management Apps Have Faced Privacy Concerns Before
Apps like Adda Gatekeeper, MyGate, and NoBrokerhood saw rapid adoption during the pandemic as housing societies shifted to digital visitor logs and remote approval systems. However, digital-rights groups have repeatedly flagged concerns around:
Excessive data collection
Surveillance of domestic workers
Function creep in gated communities
Long-term storage of entry/exit logs
Patchy transparency around biometric and identity data
The Internet Freedom Foundation (IFF) earlier warned that such apps, despite claiming GDPR and ISO 27001 compliance, introduce privacy risks beyond just data breaches—especially workplace surveillance and behavioural tracking.
Adda Yet to Confirm Breach
The Indian Express reached out to Adda.io for confirmation, though no official statement has been issued at the time of publication. If validated, the breach may become one of the largest publicly known exposures involving a residential-community management platform in India.
With sensitive resident data circulating in cybercrime networks, security experts are urging users to update passwords, avoid password reuse across platforms, and be vigilant against phishing attempts that may exploit leaked personal information.
