Singapore Herald
Image default
Tech

Exclusive: A Rs 40 Telegram Bot That Could Put Millions Of Vehicle Owners’ Privacy At Risk

Telegram’s data privacy problem simply refuses to end and at this point, it feels less like a series of one-off incidents and more like a pattern. We at Times Now Digital recently came across a bot on the platform that, for a payment as small as Rs 40, hands over a stranger’s full name, father’s name, mobile number, home address and complete vehicle history all just by typing in a registration number. No verification, no questions asked, no proof that you are the actual owner. Just pay, type and read. We are not naming the bot here. Publishing it would only hand more people a working tool to abuse, and that defeats the entire point of this story. What we can do is walk you through exactly what we saw, why it is dangerous, and why Telegram in particular keeps ending up at the centre of these controversies.
How Times Now Digital Came Across This
It all started when my brother told me about a Telegram bot that supposedly revealed complete personal details linked to any vehicle registration number. Like most people, I assumed it was either fake or one of those bots that simply displays publicly available information from the VAHAN database. But the claim sounded serious enough to look into. Rather than relying on hearsay, we at Times Now Digital decided to test it ourselves. What began as a simple fact-check soon turned into an investigation that left us deeply concerned about the privacy of millions of vehicle owners in India.
One thing worth understanding is that vehicle-lookup services already exist. Government-approved platforms using the VAHAN database let users verify limited information such as the vehicle’s make, model, fuel type, registration year, insurance validity, Pollution Under Control (PUC) status, fitness certificate validity and the Regional Transport Office (RTO) where the vehicle is registered. In many cases, even the owner’s name is partially masked to protect privacy. These services do not reveal someone’s complete address, phone number, father’s name, chassis number or engine number. This Telegram bot did exactly that in our testing.
Since we did not want to risk anyone else’s privacy, we decided to begin with the safest possible test: our own vehicle. After we opened the bot, it greeted us with one complimentary search credit and prompted us to enter a registration number.

We entered our own vehicle number, expecting perhaps the same publicly available information most vehicle-lookup apps provide. What came back within seconds left us rattled: our full name, our father’s name, our mobile number, our present and permanent address down to the pincode, and a complete vehicle spec sheet ,chassis number, engine number, insurance provider, PUC certificate number, the works. One free search, and a total stranger with access to this bot could have had all of it.

Once the free credit ran out, the bot nudged us toward a “Buy Credits” option. We decided to dig further, and Rs 40 bought us two more searches, paid through a UPI QR code that routed through a payment aggregator and, according to the transaction receipt, settled into a personal account rather than one linked to any registered company.
We then used one of those two credits on a relative’s vehicle number, with their knowledge and consent, purely to confirm this was not a one-off fluke. The result was identical in depth: name, address, phone number, everything.

For the second credit, we tried something riskier. This time we used the registration number of a prominent public figure whose vehicle number was already publicly available through media reports and online photographs. The outcome was no different. The bot again returned detailed personal information linked to that vehicle.
By this point, one thing had become clear. This was not just about one vehicle. It raised the possibility that anyone whose registration number is visible on the road could have sensitive personal information exposed through a service like this. That, more than anything else, is what convinced us this needed to be written about.For obvious security and privacy reasons, Times Now Digital is not publishing the registration numbers used during the investigation, the identity of the public figure, or any of the personal information the bot displayed.
What The Government Actually Allows vs What This Bot Sells
India’s VAHAN database, the official government repository of vehicle registration data, is not meant to leak this kind of information at all. When you look up a registration number through legitimate government channels, you are meant to get non-sensitive, compliance-related information only: the vehicle’s make and model, its fuel type, whether the insurance and PUC certificates are valid, the registration date, and the RTO it is registered under. Even the owner’s name is supposed to arrive masked, something like “R** K**”- specifically so that a buyer checking a second-hand car can confirm the paperwork without being handed a stranger’s full identity.
What this bot returned in our testing blows past every one of those safeguards: full unmasked names, phone numbers, home addresses, even the father’s-name field that formal RTO records carry all sitting there for anyone with forty rupees and a UPI app. That does not look like a database quirk. It points to a leak one that appears to have been stitched together from multiple breached or scraped datasets and packaged as a paid convenience.
Why This Is Genuinely Dangerous
Consider who is most exposed here. A woman driving alone at night has her exact home address one number-plate photograph away from a stranger with malicious intentions. A celebrity or a politician people who already deal with obsessive fans or worse, suddenly have no anonymity left behind their car.

And it is not only about famous people or any one gender: anyone whose car gets keyed in a parking lot, anyone involved in a minor road-rage incident, anyone photographed by someone with a grudge, could now be one Telegram search away from being traced to their front door.
Why Telegram Keeps Coming Up
This is the question that has nagged at us through every one of these stories, whether it is pirated films, leaked exam papers, or now personal vehicle data. WhatsApp, Instagram and X have their own problems, of course, but they do not host the same cottage industry of paid bots trading in personal data that appears to have been obtained illegitimately, the way Telegram consistently seems to. Signal does not either. Part of it comes down to how Telegram’s channels and bots are structured: comparatively lightly moderated, easy to spin up anonymously, and largely opaque to outside scrutiny unless someone goes digging, as we did. Part of it is simply a numbers game a platform with hundreds of millions of Indian users and comparatively light moderation is going to attract exactly this kind of exploitation.

What is harder to explain away is the lack of decisive action. CERT-In advisories come and go, isolated FIRs get filed when a story like this makes headlines, but these bots resurface under new names within days. Until Telegram is held to meaningful account, and until enforcement moves faster than the bots themselves, this cycle is not going to break on its own. To my mind, the uncomfortable truth here is that this is not really a story about one bot or one leak. It is a story about how casually personal safety gets treated online in India and how a Rs 40 UPI payment is currently all that stands between a stranger and your front door. We will be watching to see whether this one draws any real response.
Times Now has reached out to Telegram’s communications team with detailed questions regarding the bot, the availability of such services on the platform and the steps being taken to curb them. We are awaiting the company’s response and will update this story if and when we receive one.
TIMES NOW | OPINION
Forty rupees. That is the price of your front door in India today. A Telegram bot sells names, addresses and phone numbers scraped from data that was never theirs to hold, and no one answers for it. Advisories come and go, bots resurface by morning. Privacy here is not protected. The government must make this stop. Every silent day is a betrayal.

Related posts

Nobel-Winning John Jumper Exits Google DeepMind, Heads To Anthropic In Surprise Move

Bruce M. Hampton

X (Twitter) Down For Users In India, Several Parts Of World: Check Latest Updates Here

Bruce M. Hampton

Samsung Galaxy Z Fold 8, Z Flip 8 Leak: Expected India Price, Specs, Launch Timeline

Bruce M. Hampton