So that was a wild leak. Looking at raw dump shows massive number of impacted ASNs and prefixes. 
I have put all prefix/ASNs impacted globally here (warning heavy page with 20,000+ rows). 

1600+ Indian prefixes were impacted from 46 Indian ASNs which are: 

10199   | TATA-AS Tata Communications Ltd, IN
131215  | SANCHARONLINE-IN 116 MADHAV DARSHAN, IN
132116  | ANINETWORK-IN Ani Network Pvt Ltd, IN
132215  | POWERGRID-IN Power Grid Corporation of India Limited, IN
132573  | SAINGN-AS-IN SAI NGN Network Services, IN
133278  | ENETSOLS-AS-IN Dehradun Enet Solutions Private Ltd, IN
134293  | KUTCHTELELINK-AS-IN Kutch Telelink Private Limited, IN
134540  | TTML-AS-AP Tata Teleservices (Maharashtra) Ltd, IN
134913  | JETWAYBROADBANDINDIA-AS JETWAY BROADBAND INDIA PVT LTD, IN
134927  | VIL-AS-AP Vodafone Idea Ltd, IN
135133  | PDPL-AS-AP PI DATA CENTERS PRIVATE LIMITED, IN
135772  | POWERNETCOMM-AS Powernet Communications Pvt.ltd., IN
136334  | VNPL-AS Vortex Netsol Private Limited, IN
136946  | WEEBO-AS-AP Weebo networks Pvt Ltd, IN
137130  | ITDPNB-AS Punjab National Bank, IN
17488   | HATHWAY-NET-AP Hathway IP Over Cable Internet, IN
17625   | BLAZENET-IN-AP BlazeNet_s Network, IN
17762   | HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN
17903   | COGNIZANT-IN-AP Cognizant Technology Solutions India Pvt Ltd, IN
17917   | QTLTELECOM-AS-AP Quadrant Televentures Limited, IN
203020  | HOSTROYALE, IN
23772   | ORTELNET-AS M/s Ortel Communications Ltd, IN
24554   | FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN
38266   | VODAFONE-IN Vodafone India Ltd., IN
45117   | INPL-IN-AP Ishan_s Network, IN
45194   | SIPL-AS Syscon Infoway Pvt. Ltd., IN
45271   | ICLNET-AS-AP Idea Cellular Limited, IN
45415   | VASAICABLEPVTLTD-AS-IN Vasai Cable Pvt. Ltd., IN
45528   | TIKONAIN-AS Tikona Infinet Ltd., IN
45582   | VAINAVIINDUSTRIESLTD-IN VAINAVI INDUSTIES LTD, INTERNET SERVICE PROVIDER, INDIA, IN
45648   | BELLTELE-AS-IN Bell Teleservices India Pvt Ltd., ISP having own OFC network in Bangalore, India., IN
45769   | DVOIS-IN D-Vois Broadband Pvt Ltd, IN
45775   | WISHNET-AS-AP WISH NET PRIVATE LIMITED, IN
45820   | TTSL-MEISISP Tata Teleservices ISP AS, IN
45916   | GTPL-AS-AP Gujarat Telelink Pvt Ltd, IN
45942   | SIKKANET-AS-AP Sikka Broadband Pvt. Ltd., IN
46071   | PIONEER-CDN-AS-IN Pioneer Elabs Ltd., IN
4755    | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN
55441   | TTSLMEIS-AS-AP TTSL-ISP DIVISION, IN
55448   | GLOBALLOGIC-IN GlobalLogic India Ltd., IN
55644   | VIL-AS-AP Vodafone Idea Ltd, IN
55836   | RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN
55847   | NKN-EDGE-NW NKN EDGE Network, IN
59179   | MINS-AS MINS Technologies Private Limited, IN
9498    | BBIL-AP BHARTI Airtel Ltd., IN
9583    | SIFY-AS-IN Sify Limited, IN


Quite a bad day on routing security for India. :(
 

On Sat, Apr 17, 2021 at 12:54 AM Anurag Bhatia <me@anuragbhatia.com> wrote:
Turns out they did not leak just this one. It was hijack impacting over 30,000 prefixes. 

https://twitter.com/DougMadory/status/1383138595112955909?s=20




On Fri, Apr 16, 2021 at 11:40 PM Anurag Bhatia <me@anuragbhatia.com> wrote:
Hello, 


Anyone here from Vodafone India (and/or their upstream Airtel AS9498). 
Seems like Vodafone AS55410 (likely accidentally) hijacked a Brazilian pool 24.152.117.0/24


It was visible on RIPE RIS rrc05.ripe.net at VIX, Vienna. 

Raw MRT dump show this: 

anurag@devops01:~/tmp$ bgpscanner -e '24.152.117.0/24' latest-bview.gz  | awk -F '|' '{OFS="|"; print $2,$3}'
24.152.117.0/24|35369 2914 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|48362 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|47147 2914 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|47692 33891 6461 9498 55410 55410 55410
24.152.117.0/24|51184 47692 33891 6461 9498 55410 55410 55410
24.152.117.0/24|59890 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|8218 6461 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|6720 1853 6939 28598 263362 263362 263362 263362 270497
24.152.117.0/24|13237 2914 174 28598 263362 263362 263362 263362 270497
anurag@devops01:~/tmp$



So besides Vodafone AS55410 hijacking it, seems like Airtel AS9498 carried it to AS6461 i.e upto default free zone. If not an hijack, then they should get the IRR route object updated (which right now shows AS270497 in origin). 


Details about the pool:
inetnum:     24.152.116.0/22
aut-num:     AS270497
abuse-c:     RUMCU12
owner:       RUTE MARIA DA CUNHA
ownerid:     13.974.251/0001-19
responsible: RUTE MARIA DA CUNHA
country:     BR
owner-c:     RUMCU12
tech-c:      RUMCU12
created:     20200312
changed:     20200312

nic-hdl-br:  RUMCU12
person:      RUTE MARIA DA CUNHA
e-mail:      rute@hrnet.slz.br
country:     BR
created:     20200307
changed:     20210220



IRR Check: 
anurag@devops01:~$ whois -h whois.radb.net 24.152.117.0/24
route:      24.152.117.0/24
descr:      CLARO S.A. Customer
origin:     AS270497
remarks:    Proxy Object
notify:     irradmin@embratel.net.br
mnt-by:     MAINT-AS4230
changed:    irradmin@embratel.net.br 20201204
source:     RADB
anurag@devops01:~$



Thanks. 

--
Anurag Bhatia


--
Anurag Bhatia


--
Anurag Bhatia