Aadhaar is a 12-digit unique-identity number issued to all Indian residents based on their biometric and demographic data. It is used to authenticate and authorise transactions.
The disclosure came in a report from India's Centre for Internet and Society which was published on Monday.
The Hindu, a major Indian newspaper, said the government was drafting amendments to the Information Technology Act to beef up data protection and security.
The CIS report said in many cases information that should have been treated as confidential was published as the agencies in question did not appear to be aware that such information should not be made public.
"These are willful and intentional instances of treating Aadhaar numbers and other personally identifiable information as publicly shareable data by the custodians of the data,” the CIS report noted.
The report said that the estimates of leakage were conservative and could be much more.
"Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at," the report said.
"While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices.
"Over 23 crore (230 million) beneficiaries have been brought under Aadhaar programme for DBT, and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number."