Is Your Data on the Dark Web? How to Check
A practical guide to understanding the dark web, checking if your personal data has been leaked, and protecting yourself from identity theft and data breaches.

So about your data being on the dark web
Here's something I probably should've checked years ago but didn't: whether my personal data was floating around on the dark web. Turns out it was. Three different breaches, two of them from Indian services I barely remember signing up for. My email, phone number, and a hashed password from 2019 — all sitting in a leaked database that anyone with a Tor browser could download.
I'm not going to show you how to browse sketchy marketplaces or anything like that. What I am going to do is walk through how your data ends up there in the first place, how to actually check if you've been hit, and what you can realistically do about it. There's specific stuff here for the Indian context too — Aadhaar numbers and phone numbers carry way more risk here than most people realize. For a broader look at staying safe online, our cybersecurity tips guide covers the basics you should have in place already.
If you've had the same email address for more than a few years and signed up for random services with it, some of your info is almost certainly out there. It's not a question of "if" anymore. It's a question of how bad.
What the dark web actually is (and isn't)
Before we go further, let's clear up some misconceptions. The dark web isn't some secret underground world of criminal masterminds in hoodies typing furiously in dark rooms. It's just a set of websites that aren't indexed by Google or Bing and can only be accessed through special software like the Tor browser.
The internet has three layers. The surface web is what you use every day — Google, YouTube, Wikipedia, your bank's website. It's estimated to be less than 5% of all content online. The deep web is everything behind logins and paywalls — your email inbox, medical records behind a hospital portal, subscription-only databases, company intranets. It's not sinister, it's just not publicly searchable. Then there's the dark web, which is a small portion of the deep web that requires specific software to access and where operators can host sites anonymously.
The dark web has legitimate uses. Journalists in repressive countries use it. Whistleblowers need it. Privacy researchers rely on it. But it's also where stolen data gets bought, sold, and traded — and that's the part that affects you.
What most people don't realize is that dark web marketplaces operate a lot like regular e-commerce. There are sellers with ratings and reviews. There's customer support. Some vendors offer "freshness guarantees" on stolen credit card data — meaning they'll replace a card that's already been cancelled. It's disturbingly professional.
How your info actually gets there
There are a few main pipelines, and knowing them helps you figure out your own risk.
Data breaches are the big one. A company gets hacked, their user database gets stolen, and it ends up for sale or just dumped on dark web forums for free. Indian users got hit hard over the past few years — BigBasket in 2020 leaked 20 million records. MobiKwik in 2021 exposed 3.5 million KYC records, including Aadhaar numbers, PAN cards, and selfies. Air India lost 4.5 million passenger records with passport and credit card info. Domino's India had 180 million order details leak — names, phone numbers, addresses, what pizza you ordered. JustDial leaked phone numbers and emails multiple times.
If you used any of these services, your data was exposed. No maybes about it.
What a lot of people miss is that breaches often don't become public for months or even years. A company gets hacked in January, the data appears on a dark web forum in March, and the company finally admits to it in September — if they admit to it at all. During those silent months, your data's being bought, combined with data from other breaches, and used to build fuller profiles.
Phishing and social engineering is the second biggest pipeline. Those fake "KYC verification" SMS messages that look like they're from your bank? The credentials people enter on those fake sites get bundled up and sold in bulk on dark web marketplaces. I've talked to security researchers who've found databases with thousands of Indian bank credentials collected from a single phishing campaign that ran for just two weeks.
Infostealer malware works silently on infected devices, grabbing saved passwords, browser cookies, crypto wallets, and session tokens. All of it gets packaged into "logs" and sold in bulk. One infected laptop can give up dozens of account credentials without the person ever knowing. These infostealers are especially common in pirated software — that cracked version of Photoshop or that "free" activation tool for Windows could be quietly uploading everything you type to a server in Eastern Europe.
Then there's data scraping — bots that vacuum up publicly visible info from social media profiles, government directories, and business listings. And insider threats, which are more common than people think, especially in organizations with poor access controls. Call center employees sitting on customer databases are a real risk. I know someone who works in cybersecurity consulting, and he told me that in the financial services sector alone, they've caught insiders selling customer data at least twice a year for the past five years.
What your data sells for
This puts things in perspective:
| Data Type | Approximate Price (Dark Web) | Risk Level |
|---|---|---|
| Email + password combo | Rs 80-400 ($1-5) | Medium |
| Credit card details (with CVV) | Rs 800-4,000 ($10-50) | High |
| Full identity package (name, DOB, address, PAN, Aadhaar) | Rs 4,000-16,000 ($50-200) | Very High |
| Bank account credentials | Rs 2,000-8,000 ($25-100) | Very High |
| Passport scan | Rs 1,200-4,000 ($15-50) | High |
| Medical records | Rs 800-8,000 ($10-100) | High |
| Social media account access | Rs 200-2,000 ($2.50-25) | Medium |
| Mobile phone SIM swap capability | Rs 4,000-20,000 ($50-250) | Very High |
| Corporate email credentials | Rs 8,000-40,000 ($100-500) | Critical |
The prices look low per record, but volume is the whole point. A breach with 10 million email/password combos sold at Rs 80 each generates Rs 80 crore. And the same data gets sold multiple times to different buyers.
Medical records surprise a lot of people. But think about what's in there — your full name, date of birth, address, phone number, insurance details, and usually your Aadhaar number too. It's basically an identity theft starter kit. You can get a new credit card in 48 hours. You can't get a new medical history.
One thing worth understanding: data doesn't just get sold once and disappear. A stolen database might change hands five or six times over the course of a year. Each buyer uses it differently — one might try credential stuffing attacks on other sites, another might use it for targeted phishing, a third might combine it with data from other breaches to build more complete profiles. Your single leaked email and password from some random food delivery app could end up being the entry point into your banking, social media, or work accounts if you reused that password anywhere.
How to check if you've been exposed
Have I Been Pwned (haveibeenpwned.com)
This is the first place to look. Troy Hunt, a security researcher, runs it. You type in your email address and it tells you which data breaches included your info.
Check every email address you've ever used. Also check your phone number (include the country code: +91 for India). Sign up for their free notification service — they'll email you whenever your address shows up in a new breach. I've gotten three notifications over the years, and each time it gave me a head start on changing passwords before things got worse.
A tip that most people skip: check your old email addresses too. That Rediffmail or Yahoo account you made in college and haven't touched in a decade? It's probably been breached. And if you used the same password on that account as anything else, those credentials are out there. Old email addresses are especially dangerous because you might not even be able to log in anymore to secure them, but attackers certainly can try.
Google Dark Web Report
You can find this through Google One (even the free tier now). Go to myaccount.google.com → Security → Dark web report, or open the Google One app. What makes it different from HIBP is that Google actively monitors dark web forums and marketplaces, not just known public breaches. It can sometimes catch stuff that other tools miss.
Google's report also checks for your name, phone number, and address combinations — not just email. This is useful because sometimes your personal info shows up in a breach even if the email associated with it is one you don't recognize (maybe a service auto-created an account for you, or someone used your info fraudulently).
Firefox Monitor (monitor.firefox.com)
Built on top of Have I Been Pwned's database but with a cleaner interface. If you use Firefox, it's a convenient option that integrates with your Firefox account.
Your browser's password checker
Both Chrome (passwords.google.com) and Safari have built-in checks that scan your saved passwords against known breach databases. So do password managers like Bitwarden and 1Password. Open yours right now and look for any flagged passwords. If anything's marked, change it — start with financial accounts.
When I first ran Chrome's password check, it flagged 47 compromised passwords. Forty-seven. Most were from accounts I'd forgotten about, but a few were still active — including one that had the same password as my primary email. That was a cold-sweat moment.
Credit report monitoring
In India, check your credit report from CIBIL (cibil.com), Experian, Equifax, or CRIF High Mark. You're entitled to one free report per year from each bureau. What you're looking for: credit inquiries you didn't start, accounts you don't recognize, address changes you didn't make, or sudden score drops that don't make sense.
Stagger your free reports throughout the year — check CIBIL in January, Experian in April, Equifax in July, and CRIF in October. That way you've got quarterly coverage without paying for it.
What to do after finding a breach
Don't panic, but move fast. Here's the priority order:
First 15 minutes — change compromised passwords. Start with the breached account, then immediately change the password on any other account where you used the same one. Yeah, I know — you shouldn't be reusing passwords. We'll fix that in the long-term steps.
Next 30 minutes — enable two-factor authentication. Start with email (that's the skeleton key to everything else — password resets land there), then banking and financial apps (UPI, Paytm, PhonePe, Zerodha), social media, and cloud storage. Use an authenticator app — Google Authenticator, Authy, or Microsoft Authenticator — not SMS. SIM swap attacks are way too common in India for SMS-based 2FA to be reliable.
Next hour — check for unauthorized access. Review recent login activity on your Google account (myaccount.google.com → Security → Recent security activity). Check connected apps and revoke anything unfamiliar. Look through your email's sent folder for messages you didn't write. Check your UPI transaction history. Look at the "recent sessions" or "logged in devices" list on every account that offers it — Facebook, Instagram, Twitter, Amazon, Flipkart. If there's a device you don't recognize, terminate the session immediately.
If financial data was exposed — call your bank's fraud helpline immediately. Ask for a new card or account number. Turn on transaction alerts for every single transaction. File a written complaint with the bank's grievance cell. If you see unauthorized transactions, note the exact amounts, dates, and merchant names. Don't delete or modify any evidence.
File an official complaint. In India: cybercrime.gov.in (National Cyber Crime Reporting Portal), or call 1930 (Cyber Crime Helpline, toll-free). Your local police station can also file an FIR under the IT Act. Save everything — screenshots, emails, transaction records. You'll need them if you dispute fraudulent charges later.
Long-term protection that actually works
Unique passwords for every single account
I can't overstate this. One reused password means one breach cascades across everything. Get a password manager — Bitwarden is free and open-source, or use 1Password, or honestly even the built-in browser one if that's what you'll actually stick with. The point is to generate random passwords for everything and let the manager remember them. My Bitwarden vault has 340+ passwords in it. There's no way I could remember even 10.
Good master password examples:
- "mango-bicycle-umbrella-keyboard-77" (passphrase style)
- "Mumbai$Train$at$7:45AM" (sentence style)
Bad master passwords:
- "Password123" (obvious)
- "anurag1990" (personal information)
- "qwerty!@#" (keyboard pattern)
The transition takes time, and that's fine. You don't need to update all 340 passwords in one sitting. Start with the critical ones — email, banking, anything financial. Then work through the rest over a few weeks, changing passwords whenever you naturally log in to a service. Within a month or two, you'll have everything covered.
Email aliases
Services like SimpleLogin, AnonAddy, or Apple's Hide My Email let you generate a unique email address for every service you sign up for. If a service gets breached, only that alias is exposed — your real email stays clean, and you can just disable the compromised alias.
Example setup:
- Real email: anurag@gmail.com (used for nothing except critical personal contacts)
- Amazon: amazon.1x7k@simplelogin.co
- Zomato: zomato.8m2n@simplelogin.co
- Netflix: netflix.4j9p@simplelogin.co
When something leaks, you can immediately tell which service was the source based on which alias got compromised. Pretty clever, honestly. I've actually caught two services selling my email to marketing lists this way — the alias I gave them started receiving spam from companies I'd never heard of. That told me exactly who sold my data.
Credit monitoring
Set up free credit monitoring through CIBIL — they offer email alerts for credit inquiries. If someone tries to open an account in your name, you'll know about it. India doesn't have a formal credit freeze mechanism like some other countries, but you can place a fraud alert on your CIBIL profile, opt out of pre-approved credit offers, and ask your bank to add extra verification steps for new accounts.
Device security basics
This stuff sounds obvious, but I keep running into people who skip it. Keep your phone and laptop operating systems updated — those updates contain security patches for known exploits. Don't install apps from outside official stores unless you genuinely know what you're doing. Be careful with browser extensions — some of them have access to every page you visit, including banking sites. Review your installed extensions every few months and remove anything you don't actively use. And for the love of everything, don't use public WiFi for banking. If you absolutely have to, use a VPN.
The Aadhaar and phone number problem
This is where things get specifically tricky for Indians.
Aadhaar numbers are uniquely dangerous because they're linked to biometric data and serve as identity verification for banking, SIM cards, and government services. Unlike a credit card, you can't just get a new Aadhaar number.
If yours has been leaked, here's what to do:
- Lock your biometrics through myaadhaar.uidai.gov.in or the mAadhaar app. This prevents anyone from using biometric authentication against your Aadhaar until you unlock it.
- Generate a Virtual ID (VID) — it's a temporary 16-digit number linked to your Aadhaar that you can use instead of the actual number. Generate a new one every few months.
- Check your authentication history on the UIDAI portal to see every time your Aadhaar was used. Look for anything you didn't authorize.
- Stop sharing your Aadhaar unnecessarily. Your gym doesn't need it. Random shops don't need it. The VID works for legitimate purposes. Hotels asking for Aadhaar at check-in? Use the VID. That startup asking for Aadhaar as "identity proof" during onboarding? Push back and ask if they'll accept a VID or an alternative document.
I had a friend who found three unauthorized Aadhaar authentications on his history — all from a mobile carrier he'd never used. Someone had tried to get a SIM card in his name. Because he'd locked his biometrics, the authentication failed each time. Without that lock, they would've gotten the SIM, and from there, they could've intercepted his OTPs and accessed his bank accounts.
Phone numbers in India are basically identity documents at this point — they're tied to bank accounts via UPI, Aadhaar, social media, and email recovery. A compromised number opens the door to SIM swap attacks.
To protect yourself: add a SIM lock PIN with your telecom provider (Jio, Airtel, Vi all support this), don't put your number on public social media profiles, consider using a separate number for financial accounts, and treat any call from someone claiming to be a telecom employee with heavy suspicion.
UPI fraud remains the most common financial cybercrime in India. The scams are always some variation of: fake "collect" requests disguised as refunds (remember — you never need to enter your PIN to receive money), screen sharing apps where someone watches you type your PIN, and fake customer service numbers that show up in Google search results.
Building a security routine
Security isn't a thing you set up once and forget about. It's a habit, like brushing your teeth. Boring but necessary.
Here's a monthly routine that takes maybe 30 minutes:
- Check Have I Been Pwned for new breaches
- Review your Google or Apple account security activity
- Look at your CIBIL credit report for anything weird (quarterly is fine)
- Go through your phone and remove app permissions you don't need anymore
- Update any flagged passwords in your password manager
- Check your Aadhaar authentication history
- Glance through bank and UPI transaction history for anything unfamiliar
- Install pending software updates on your phone and laptop
- Clear browser cookies and review saved passwords
Once a year, do the bigger stuff: rotate your most critical passwords, close accounts you don't use anymore (JustDelete.me has instructions for most services), generate a new Aadhaar VID, and back up your password manager vault.
I've been doing this routine for about two years now. It takes less time each month because there's less cleanup to do. The first month was rough — I spent a couple of hours just going through old accounts and updating passwords. Now it's genuinely 20-30 minutes, usually while watching something on TV. The key is scheduling it. I do mine on the first Sunday of every month. Put it in your calendar. If you don't schedule it, it won't happen.
Tools worth having
Free
| Tool | What It Does |
|---|---|
| Have I Been Pwned | Breach checking and notifications |
| Bitwarden | Password manager (free tier is genuinely good) |
| Google Dark Web Report | Dark web monitoring |
| UIDAI myAadhaar | Aadhaar lock and authentication history |
| CIBIL | Free annual credit report |
| Firefox Monitor | Breach checking with Firefox integration |
Paid (but worth considering)
| Service | Price | What It Adds |
|---|---|---|
| 1Password | Rs 250/month | Premium password manager with Watchtower breach monitoring |
| SimpleLogin Premium | Rs 250/month | Unlimited email aliases |
| Bitdefender Premium | Rs 3,000/year | Antivirus + dark web monitoring + VPN |
| CIBIL Premium | Rs 550/month | Real-time credit monitoring and alerts |
I use Bitwarden (free) for passwords, SimpleLogin (paid) for email aliases, and CIBIL's free annual report. For more privacy-respecting alternatives to mainstream apps, check out our guide to privacy-focused apps and alternatives. Total cost is about Rs 250 a month, which seems like reasonable insurance against the nightmare of identity theft.
If someone's already using your identity
If you find unauthorized accounts, loans, or fraud in your name:
- File an FIR at your local police station with all evidence — unauthorized transactions, breach notifications, account statements.
- Report to CERT-In (cert-in.org.in) for cybercrime specifically.
- Report to RBI if banking fraud is involved — the Banking Ombudsman can investigate unauthorized transactions.
- Dispute with credit bureaus — file a dispute with CIBIL, Experian, and Equifax to flag fraudulent accounts.
- Talk to a lawyer if the financial damage is significant.
Fair warning: this process is slow and frustrating. Indian cybercrime infrastructure is getting better but it's still underfunded. Document everything and follow up persistently.
A practical tip from someone who's helped friends through this: create a dedicated folder (physical or digital) for all fraud-related documents from day one. Keep copies of every FIR, every bank complaint acknowledgment, every email exchange. When you follow up — and you will need to follow up, multiple times — having everything organized and numbered makes a big difference. Bureaucracies respond better to people who are organized and persistent.
If the fraud involves someone taking a loan in your name, write directly to the NBFC or bank's nodal officer (not just the customer service line). Under RBI guidelines, they're required to respond within a specific timeframe. If they don't, escalate to the Banking Ombudsman with proof that you contacted them and they didn't act.
The honest version
Here's what I wish someone had told me years ago: perfect privacy is impossible if you use the internet. Your data has already been collected by hundreds of companies, and some of them will inevitably get breached. The Digital Personal Data Protection Act (DPDPA) has made some progress, but enforcement is still catching up.
What you can control is the blast radius when something goes wrong. Unique passwords mean one breach doesn't cascade. Email aliases keep your real address clean. 2FA means a stolen password alone isn't enough. Aadhaar biometric lock means your identity can't easily be misused even if the number leaks. Credit monitoring means you catch fraud early. If you want to lock down your home network too, our home network security guide covers every step.
None of this is exciting. Password managers and email aliases aren't glamorous. But the alternative — weeks of untangling identity fraud, arguing with banks, living with the anxiety of compromised personal data — is way worse. I've watched a colleague go through identity theft recovery. It took her four months, dozens of phone calls, two trips to the police station, and a lawyer — all because someone used her leaked PAN and Aadhaar to open a credit card she didn't know about until the collection calls started.
Take 30 minutes today. Check Have I Been Pwned, set up a password manager, lock your Aadhaar biometrics. That half hour could save you months of pain down the road.
Anurag Sharma
Founder & Editor
Software engineer with 8+ years of experience in full-stack development and cloud architecture. Founder of Tech Tips India, where he breaks down complex tech concepts into practical, actionable guides for Indian developers and enthusiasts.