Kindly understand this article seems to come out of investigative journalism where the author seemed to have gotten hold of the patch presumably by paying 2500 and then did in-person research to create the article. Once published, other newsrooms usually do their own pieces if they find it relevant. Since this article has just been published (only 2 hours ago at the time of writing this comment), I wouldn't refute the article just on the basis of this criteria. I would usually wait for 1-2 days before using the above criterion to evaluate the article.
You've actually reworded what I have already said. Since there is no official statement from UIDAI or multiple private news sources reporting the same incidence; this article/blog is not worth believing yet.
On the contrary. This was _investigated_ by a reporter(s) from the mentioned source and published. Other news publications need to verify it independently before publishing it themselves.
And on the "official statements" part, it's kind of naive to expect that they (UIDAI) would put out any statement given that in the past they have
- Not acknowledged security issues or made any efforts to do their own investigation in spite of the numerous reports
- Turned hostile towards entities who have exposed or reported weaknesses instead of rewarding them and plugging the loopholes
