Is Your Data on the Dark Web? How to Check and What to Do About It

A practical guide to understanding the dark web, checking if your personal data has been leaked, and protecting yourself from identity theft and data breaches.

Anurag Sharma
15 min read
The Dark Web Is Not What Movies Tell You

Forget the Hollywood version — hooded figures typing furiously while green text cascades down black screens. The dark web is not some secret hacker wonderland. It is a segment of the internet that is not indexed by search engines and requires specialized software (primarily the Tor browser) to access. Some of it is genuinely sinister. Much of it is boring. And a surprising amount of it contains your personal information whether you like it or not.

I am not going to give you a tour of illicit marketplaces or teach you how to browse the dark web. What I am going to do is explain how your data ends up there, show you exactly how to check whether your information has been compromised, and walk you through the practical steps to protect yourself — with specific advice for the Indian context, where Aadhaar numbers and phone numbers carry particularly high risk.

If you have had an email address for more than five years and used it to sign up for various services, there is a very good chance some of your data is already floating around in leaked databases. The question is not "if" but "how bad."


How Data Ends Up on the Dark Web

Your personal data reaches dark web marketplaces through several pathways, and understanding them helps you assess your own risk level.

Data Breaches

The biggest source. When companies get hacked, their user databases get stolen and eventually end up for sale or distributed freely on dark web forums. Major breaches that affected Indian users include:

  • BigBasket (2020) — 20 million user records including email, phone, addresses, and hashed passwords
  • MobiKwik (2021) — 3.5 million KYC records including Aadhaar numbers, PAN cards, and selfies
  • Air India (2021) — 4.5 million passenger records including passport and credit card details
  • Domino's India (2021) — 180 million order details including names, phone numbers, and addresses
  • JustDial (multiple incidents) — User phone numbers, names, and email addresses

These breaches exposed hundreds of millions of Indian users' data. If you have used any of these services, your information was compromised. Period.

Phishing and Social Engineering

Attackers send convincing emails or SMS messages that trick people into entering their credentials on fake websites. In India, fake "KYC verification" messages from numbers pretending to be banks are incredibly common. These harvested credentials are bundled and sold on the dark web.

Infostealer Malware

Malware that silently steals saved passwords, browser cookies, cryptocurrency wallets, and session tokens from infected devices. The stolen data is collected into "logs" and sold in bulk. A single infected laptop can expose dozens of account credentials.

Data Scraping

Automated tools that collect publicly available information — phone numbers from social media profiles, email addresses from public directories, business information from government databases. This data is aggregated and used for targeted attacks.

Insider Threats

Employees at companies who steal customer data and sell it. This is more common than most people realize, especially in organizations with poor access controls. Call center employees with access to customer databases are a particular risk.


What Your Data Sells For

Understanding the value of different data types puts the risk in perspective:

| Data Type | Approximate Price (Dark Web) | Risk Level |
| --- | --- | --- |
| Email + password combo | Rs 80-400 ($1-5) | Medium |
| Credit card details (with CVV) | Rs 800-4,000 ($10-50) | High |
| Full identity package (name, DOB, address, PAN, Aadhaar) | Rs 4,000-16,000 ($50-200) | Very High |
| Bank account credentials | Rs 2,000-8,000 ($25-100) | Very High |
| Passport scan | Rs 1,200-4,000 ($15-50) | High |
| Medical records | Rs 800-8,000 ($10-100) | High |
| Social media account access | Rs 200-2,000 ($2.50-25) | Medium |
| Mobile phone SIM swap capability | Rs 4,000-20,000 ($50-250) | Very High |
| Corporate email credentials | Rs 8,000-40,000 ($100-500) | Critical |

The prices seem low, but volume makes it profitable. A breach of 10 million email/password combos sold at Rs 80 each generates Rs 80 crore. And the same stolen data is often sold multiple times to different buyers.

Why Medical Records Are Valuable

This surprises many people. Medical records contain everything needed for comprehensive identity theft — full name, date of birth, address, phone number, insurance details, and often Aadhaar numbers. They are also harder to change than a credit card number. You can get a new credit card in 48 hours. You cannot get a new medical history.


How to Check If Your Data Has Been Leaked

1. Have I Been Pwned (haveibeenpwned.com)

The most well-known and comprehensive breach checking service, run by security researcher Troy Hunt. Enter your email address and it tells you which data breaches included your information.

What to do: Go to haveibeenpwned.com and enter every email address you have used for online accounts. Also check your phone number (include the country code: +91 for India).

What it shows: Which breaches included your data, what types of data were exposed (email, password hash, phone number, physical address, etc.), and when the breach occurred.

Sign up for notifications. HIBP offers a free notification service that emails you whenever your email address appears in a new breach. I have been using this for years and received three notifications — each time giving me a head start on changing passwords before the breach became widely known.

2. Firefox Monitor (monitor.firefox.com)

Built on top of the Have I Been Pwned database but with a nicer interface and integration with Firefox accounts. If you use Firefox, this is a convenient option.

3. Google Dark Web Report

Available through Google One (even on the free tier now), this service monitors the dark web for your personal information — name, email, phone number, date of birth, and address. It provides a report of any matches found.

How to access: Go to myaccount.google.com → Security → Dark web report, or open the Google One app.

What makes it different: Google actively monitors dark web forums and marketplaces, not just known breaches. It can find your information in places that Have I Been Pwned does not cover.

4. Checking Your Passwords

Google Chrome's built-in password checker (passwords.google.com) scans your saved passwords against known breach databases and flags compromised ones. So does Safari's password audit and third-party password managers like 1Password and Bitwarden.

Do this now: Open your browser's password manager and look for breach warnings. If any passwords are flagged, change them immediately — starting with financial accounts.
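How a password can be checked against a breach corpus without handing the password over: one published approach is the k-anonymity range query of Have I Been Pwned's Pwned Passwords service, where only the first five characters of the SHA-1 hash are sent and the match is done locally. This is an added example, not code from the article or from any of the products named above; the in-memory server, the sample corpus and its counts are constructed so the sketch runs offline.

```python
import hashlib

# Constructed sample corpus: the article's "bad master password" examples,
# with made-up occurrence counts. Not real breach data.
SAMPLE_BREACHED = {"Password123": 251682, "qwerty!@#": 1743, "anurag1990": 12}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form used by the range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""

    def __init__(self, breached: dict):
        self.counts = {sha1_hex(p): n for p, n in breached.items()}
        self.seen = []  # everything the server ever learns about the client

    def fetch(self, prefix: str) -> str:
        self.seen.append(prefix)
        # Response format: one "SUFFIX:COUNT" line per hash sharing the prefix.
        return "\r\n".join(
            f"{h[5:]}:{n}" for h, n in self.counts.items() if h.startswith(prefix)
        )


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the 5-character prefix leaves the device; the match is done locally.
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    server = FakeRangeServer(SAMPLE_BREACHED)
    for pw in ("Password123", "mango-bicycle-umbrella-keyboard-77"):
        print(pw, "->", breach_count(pw, server.fetch))
    print("server saw only:", server.seen)
```

A real client would replace `server.fetch` with an HTTPS request to the range endpoint; the parsing and local comparison stay the same.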

5. Credit Report Monitoring

In India, check your credit report from CIBIL (cibil.com), Experian, Equifax, or CRIF High Mark. You are entitled to one free credit report per year from each bureau. Look for:

  • Credit inquiries you did not initiate
  • Accounts you do not recognize
  • Address changes you did not make
  • Sudden score drops without explanation

Immediate Steps After Discovering a Breach

If you find your data in a breach, do not panic — but act quickly. Here is a prioritized action plan:

Step 1: Change Compromised Passwords (First 15 Minutes)

Start with the breached account, then immediately change the password on any other account that uses the same password. Yes, I know you should not be reusing passwords. We will fix that in the long-term steps.

Step 2: Enable Two-Factor Authentication (Next 30 Minutes)

Enable 2FA on every account that supports it, starting with:

  1. Email accounts — your email is the skeleton key to every other account (password resets go there)
  2. Banking and financial apps — UPI, Paytm, PhonePe, Zerodha, etc.
  3. Social media — Instagram, Twitter, LinkedIn, Facebook
  4. Cloud storage — Google Drive, iCloud, Dropbox

Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS-based 2FA. SMS can be intercepted through SIM swap attacks, which are alarmingly common in India.

Step 3: Check for Unauthorized Access (Next Hour)

  • Review recent login activity on your Google account (myaccount.google.com → Security → Recent security activity)
  • Check connected apps and revoke access for anything you do not recognize
  • Review your email's sent folder for messages you did not send
  • Check your UPI transaction history for unauthorized payments

Step 4: Notify Your Bank (If Financial Data Was Exposed)

If credit card numbers, bank account details, or UPI credentials were in the breach:

  • Call your bank's fraud helpline immediately
  • Request a new card/account number
  • Set up transaction alerts (SMS and email) for every transaction
  • File a complaint with the bank's grievance cell in writing

Step 5: File an Official Complaint

In India, report cybercrime at:

  • cybercrime.gov.in — National Cyber Crime Reporting Portal
  • 1930 — Cyber Crime Helpline (toll-free)
  • Your local police station can file an FIR under the IT Act

Keep records of everything — screenshots, emails, transaction records. These are essential if you need to dispute fraudulent transactions later.


Long-Term Protection Strategies

Use Unique Passwords for Every Account

I cannot stress this enough. A single reused password means one breach compromises every account using that password. Use a password manager — Bitwarden (free, open-source), 1Password, or even the built-in browser password manager.

A password manager generates random, unique passwords for every account and remembers them for you. You only need to memorize one master password. My Bitwarden vault has 340+ unique passwords. There is zero chance I could remember even 10 of them.

Good master password examples:
- "mango-bicycle-umbrella-keyboard-77" (passphrase style)
- "Mumbai$Train$at$7:45AM" (sentence style)

Bad master passwords:
- "Password123" (obvious)
- "anurag1990" (personal information)
- "qwerty!@#" (keyboard pattern)

Use Email Aliases

Services like SimpleLogin, AnonAddy, or Apple's Hide My Email let you create unique email aliases for every service. If a service gets breached, only that alias is exposed — your real email stays clean, and you can simply disable the alias.

Example setup:
- Real email: [email protected] (used for nothing except critical personal contacts)
- Amazon: [email protected]
- Zomato: [email protected]
- Netflix: [email protected]

When a breach happens, you can immediately see which service leaked your data based on which alias was compromised.

Credit Monitoring

Set up free credit monitoring with CIBIL (they offer email alerts for credit inquiries). This alerts you if someone tries to open a credit account in your name.

Freeze Your Credit (If Available)

In some countries, you can freeze your credit to prevent anyone from opening new accounts. India does not have an identical mechanism, but you can:

  • Place a fraud alert on your CIBIL profile
  • Opt out of pre-approved credit offers
  • Request that banks add extra verification steps for new account opening

The Indian Context: Aadhaar and Phone Number Exposure

Aadhaar Number Leaks

Aadhaar numbers are uniquely dangerous because they are linked to biometric data and serve as identity verification for banking, SIM cards, and government services. Unlike a credit card, you cannot get a new Aadhaar number.

If your Aadhaar number has been leaked:

  1. Lock your Aadhaar biometrics on the UIDAI website (myaadhaar.uidai.gov.in). This prevents biometric authentication until you unlock it.
  2. Generate a Virtual ID (VID) — a temporary 16-digit number linked to your Aadhaar that you can use instead of your actual number. Generate a new VID every few months.
  3. Check Aadhaar authentication history — the UIDAI portal shows every time your Aadhaar was used for authentication. Review this for unauthorized usage.
  4. Never share your Aadhaar number unnecessarily. Gyms, shops, and random services do not need your Aadhaar. The VID works for legitimate purposes.

Phone Number Exposure

In India, phone numbers are identity. They are linked to bank accounts via UPI, Aadhaar via mandatory linking, social media accounts, and email recovery. A compromised phone number opens the door to SIM swap attacks.

Protect against SIM swap fraud:

  • Add a SIM lock PIN with your telecom provider (Jio, Airtel, Vi all support this)
  • Do not share your phone number publicly on social media profiles
  • Use a separate number for financial accounts if possible (a second SIM dedicated to banking)
  • Be suspicious of calls from people claiming to be telecom employees asking for OTPs or personal details

UPI Fraud Prevention

UPI fraud is the most common financial cybercrime in India. Common attack patterns:

  • Fake "money request" QR codes — scanning a QR code is for sending money, never for receiving it. If someone asks you to scan a QR to "receive" money, it is a scam.
  • Screen sharing apps — fraudsters ask you to install TeamViewer or AnyDesk to "help" with an issue, then watch you enter your UPI PIN.
  • Fake customer service numbers — searching for bank or app customer service on Google sometimes returns scam phone numbers placed by fraudsters.

Building a Personal Security Routine

Security is not a one-time setup. It is a habit. Here is a monthly routine that takes about 30 minutes:

Monthly Security Checklist

  • Check Have I Been Pwned for new breaches
  • Review Google/Apple account security activity
  • Check CIBIL credit report for unauthorized inquiries (quarterly)
  • Review and remove unused app permissions on your phone
  • Update any flagged passwords in your password manager
  • Check Aadhaar authentication history
  • Review bank/UPI transaction history for unfamiliar charges
  • Update software on phone and laptop (security patches)
  • Clear browser cookies and review saved passwords

Annual Security Tasks

  • Rotate your most critical passwords (email, banking, password manager)
  • Review and close accounts you no longer use (use JustDelete.me for instructions)
  • Generate a new Aadhaar VID
  • Review insurance and credit card benefits for identity theft protection
  • Export and back up your password manager vault

Tools and Services Worth Using

Free Tools

| Tool | What It Does |
| --- | --- |
| Have I Been Pwned | Breach checking and notifications |
| Bitwarden | Password manager (free tier is excellent) |
| Google Dark Web Report | Dark web monitoring |
| UIDAI myAadhaar | Aadhaar lock and authentication history |
| CIBIL | Free annual credit report |
| Firefox Monitor | Breach checking with Firefox integration |

| Service | Price | What It Adds |
| --- | --- | --- |
| 1Password | Rs 250/month | Premium password manager with Watchtower breach monitoring |
| SimpleLogin Premium | Rs 250/month | Unlimited email aliases |
| Bitdefender Premium | Rs 3,000/year | Antivirus + dark web monitoring + VPN |
| CIBIL Premium | Rs 550/month | Real-time credit monitoring and alerts |

I personally use Bitwarden (free) for passwords, SimpleLogin (paid) for email aliases, and CIBIL's free annual report. The total cost is about Rs 250/month, which feels like reasonable insurance against the catastrophic hassle of identity theft.


What to Do If Someone Uses Your Identity

If you discover that someone has opened accounts, taken loans, or committed fraud using your identity:

  1. File an FIR at your local police station. Bring all evidence — unauthorized transactions, breach notifications, account statements.
  2. Report to CERT-In (Indian Computer Emergency Response Team) at cert-in.org.in for cybercrime specifically.
  3. Report to RBI if banking fraud is involved — the Banking Ombudsman can investigate unauthorized transactions.
  4. Dispute with credit bureaus — file a dispute with CIBIL, Experian, and Equifax to flag fraudulent accounts on your credit report.
  5. Consult a lawyer — for significant financial fraud, legal action against both the fraudsters and negligent service providers may be necessary.

The process is frustrating and slow. Indian cybercrime infrastructure is improving but still underfunded. Document everything meticulously and follow up persistently.


The Honest Truth About Data Privacy in 2026

Here is what I wish someone had told me years ago: perfect privacy is impossible if you use the internet. Your data has already been collected by hundreds of companies, some of whom will inevitably be breached. The Digital Personal Data Protection Act (DPDPA) in India has made progress on regulation, but enforcement is still catching up.

What you can control is the blast radius of a breach. Unique passwords mean one breach does not cascade. Email aliases mean your real email stays clean. 2FA means a stolen password alone is not enough. Aadhaar biometric lock means your identity cannot be misused even if the number leaks. Credit monitoring means you catch fraud early.

None of this is glamorous. Password managers and email aliases are not exciting. But the alternative — spending weeks untangling identity fraud, arguing with banks about unauthorized transactions, and living with the anxiety of compromised personal data — is far worse.

Take 30 minutes today. Check Have I Been Pwned, set up a password manager, and lock your Aadhaar biometrics. That half hour of effort could save you months of pain later. I promise you, future you will be grateful.


Anurag Sharma

Founder & Editor

Tech enthusiast and founder of Tech Tips India. Passionate about making technology accessible to everyone across India.
