How does a password even get leaked?
It means some company where you had an account got broken into by attackers, and those attackers copied the entire database of usernames and passwords. Yours was in that database. Not because someone was targeting you personally. They grabbed the whole lot at once, often millions of records in a single go.
The way it usually works is that a company has a security weakness. Maybe their software was outdated. Maybe an employee clicked a bad link. Maybe their servers were misconfigured. The attackers find a way in, locate the database that stores user credentials, and pull everything out. Sometimes they encrypt the stolen data and demand ransom from the company. Sometimes they just sell the database on underground forums. And sometimes they dump the whole thing online for free, where anyone can download it.
These databases pile up over the years. There are collections floating around right now that contain billions of entries pulled from hundreds of separate breaches. If your email address has been active since 2012 or so, there is a very high chance that at least one of your old passwords is sitting in one of these collections. That is not a guess. Security researchers who track these things say the probability approaches near certainty for anyone who has used more than a handful of online services over the past decade.
India has had its own share of breaches, and some of them were quite large. BigBasket had a breach in 2020 that exposed the data of around 20 million users. Domino's India lost data on 180 million pizza orders, including names, phone numbers, and email addresses. Air India confirmed a breach in 2021 that affected 4.5 million passengers. MobiKwik had a disputed but widely reported breach where 8.2 terabytes of user data allegedly surfaced on the dark web. These are just the ones that made the news. Smaller companies get hit all the time and never disclose it. India does not yet have a strict breach notification law, so companies often stay quiet and hope nobody notices.
One thing that surprises people: having a strong password does not always save you here. If the company stored your password in plain text, which some companies still do, it does not matter if your password was 30 characters with symbols and numbers. The attackers just read it directly from the database. Good companies hash passwords before storing them, which means your password is cryptographically scrambled in a way that cannot be easily reversed. But not every company does this properly. Some use old hashing methods that can be cracked in hours. The company’s security practices matter as much as your password quality when it comes to breach protection.
So when someone says your password was “leaked,” what they really mean is: a company failed to keep its systems secure, and your data was one of millions of records that got stolen as a result.
Should I be panicking right now?
No. Take a breath.
Most breaches are old. The data has been circulating for months or even years before anyone notices it. If nobody has broken into your accounts by now, that is actually encouraging. It means either your credentials have not been specifically targeted yet, or the breached password was for a service you no longer use, or the password was hashed well enough that it has not been cracked.
But here is the deal: the fact that nothing has happened yet does not mean nothing will happen. Attackers are patient. They collect leaked databases, organize them, and use automated tools to try credentials across popular services. The technical term for this is credential stuffing. An attacker takes a list of email-password pairs from one breach and feeds them into a script that tries logging into Gmail, Facebook, Amazon, Flipkart, Paytm, and dozens of other services. The script runs through thousands of accounts per minute. If even two percent of people reuse their passwords, that is a successful attack yielding hundreds of thousands of compromised accounts from a single batch. The numbers work in the attacker’s favour even with a low success rate.
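The pattern just described, one source trying many different accounts with mostly failures and the occasional hit, is also what a service operator can look for in its own login logs. The detector below is an added example, not from the original post; the log format, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the accounts are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample authentication log (fabricated addresses and accounts, not real traffic).
# 203.0.113.7 behaves like a stuffing script: eight different accounts in four seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=198.51.100.4 user=asha@example.com result=fail
2024-05-01T10:00:01Z ip=203.0.113.7 user=asha@example.com result=fail
2024-05-01T10:00:01Z ip=203.0.113.7 user=ravi@example.com result=success
2024-05-01T10:00:02Z ip=203.0.113.7 user=meera@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=karan@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=priya@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=arjun@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=neha@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=vikram@example.com result=fail
2024-05-01T10:00:05Z ip=198.51.100.4 user=asha@example.com result=fail
2024-05-01T10:00:09Z ip=198.51.100.4 user=asha@example.com result=success
2024-05-01T10:00:12Z ip=198.51.100.9 user=dev@example.com result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

def parse_log(text: str) -> List[dict]:
    """Turn the constructed log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect_stuffing(events: List[dict], min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source addresses that tried many distinct accounts and mostly failed.
    A legitimate user mistyping their own password touches one account, so it is not flagged.
    The thresholds are assumptions; production systems would also use a sliding time window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if e["result"] != "success")
        ratio = fails / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 3),
                "attempts_per_minute": round(len(evs) / max(span, 1) * 60, 1),
                # accounts where the reused password worked: these need a forced reset
                "successes": sorted(e["user"] for e in evs if e["result"] == "success"),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The "successes" list is the actionable output: those are the accounts whose owners reused a leaked password and whose sessions should be revoked and passwords reset.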
So panicking will not help you. But spending twenty minutes checking and fixing things absolutely will. Think of it like getting a health check-up. The fact that you feel fine does not mean you should skip it. You check, you deal with whatever comes up, and then you move on with your day feeling a lot better about the situation.
How do I check if my passwords were in a breach?
Good question. The single best tool for this is called Have I Been Pwned, or HIBP for short. It was built by a security researcher named Troy Hunt, and it has become the global standard for breach checking. Governments, corporations, and security professionals all use it. And it is completely free.
I am going to walk you through it step by step because I want you to actually do this right now, not just read about it and forget.
Open your browser and go to haveibeenpwned.com. You will see a large search box on the homepage. Type in your email address. Not a fake one, not a test one. Your actual primary email address. Hit the search button or press enter. The site will check your email against every known breach in its database, which currently covers over 700 separate breaches and more than 12 billion compromised accounts.
If your email has appeared in any breach, HIBP will list them. Each entry tells you the name of the breached service, the date the breach happened, how many accounts were affected, and what specific types of data were exposed. You might see entries like “Email addresses, Passwords, Usernames, Phone numbers” under a breach. Pay special attention to any breach that includes “Passwords” in the data types. That means your actual password for that service was in the stolen database.
After checking your main email, go back and check your other email addresses. Your old Yahoo account. That Rediffmail address from college. The Gmail you use only for shopping sites. Check all of them. The old forgotten ones tend to show up in more breaches than you would expect, because you probably signed up for all sorts of random websites with those addresses years ago and those websites had weaker security than the services you use today.
HIBP also has a separate page specifically for checking passwords. Go to haveibeenpwned.com/Passwords and type in a password you want to check. It will tell you how many times that exact password has appeared across all known breach databases. If the number is anything above zero, that password should be considered compromised and you should stop using it immediately, everywhere. A lot of people worry about typing their password into a website, which is a reasonable concern. HIBP handles this safely through a technique called k-anonymity. Your password gets converted into a hash on your own computer, and only the first five characters of that hash are sent to the HIBP server. The server sends back all known hashes that start with those five characters, and your browser checks for a match locally. Your actual password never leaves your device. The system was designed specifically so that Troy Hunt himself could not see what you are searching for even if he wanted to.
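To make the k-anonymity step concrete, here is an added example (not code from HIBP or the original post) that performs the same exchange offline: hash locally, send only the five-character prefix, match the rest on your side. The server is replaced by a constructed in-memory table with made-up counts; the real service is the range endpoint at api.pwnedpasswords.com.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

def sha1_hex(password: str) -> str:
    """SHA-1 of the password as uppercase hex. HIBP keys its password corpus by SHA-1,
    and this step happens on your own device."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """The 5-character prefix is what gets sent; the remaining 35 characters never leave."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """The range endpoint answers with one 'SUFFIX:COUNT' line per known hash in that bucket."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        table[suffix.upper()] = int(count)
    return table

def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) stands in for the HTTPS call to the range endpoint."""
    prefix, suffix = split_hash(password)
    bucket = parse_range_response(fetch_range(prefix))  # only the prefix is transmitted
    return bucket.get(suffix, 0)                         # the match is decided locally

# ---- Constructed stand-in for the HIBP server so the example runs offline ----
# The counts and the two filler suffixes are made up; only "password" is seeded into the bucket.
_PW_PREFIX, _PW_SUFFIX = split_hash("password")
FAKE_CORPUS: Dict[str, Dict[str, int]] = {
    _PW_PREFIX: {
        "0" * 34 + "1": 12,       # unrelated hash that happens to share the prefix
        _PW_SUFFIX: 3730471,      # made-up count for "password"
        "F" * 34 + "2": 3,
    }
}
SENT_PREFIXES: List[str] = []  # records what the fake server actually received

def fake_fetch_range(prefix: str) -> str:
    """Simulates the server: it sees the prefix and nothing else."""
    SENT_PREFIXES.append(prefix)
    bucket = FAKE_CORPUS.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in bucket.items())

if __name__ == "__main__":
    for candidate in ("password", "monsoon-cricket-railway-mango-umbrella"):
        seen = check_password(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {seen} times; the server only received {SENT_PREFIXES[-1]!r}")
```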
Beyond HIBP, there are a few other tools that do similar checks:
- Google Password Checkup at passwords.google.com/checkup. If you save passwords in Chrome, this scans all of them at once and flags which ones have appeared in known breaches. It also flags passwords you are reusing across multiple sites and passwords that are considered too weak. Quite useful if Chrome is your main browser.
- Mozilla Monitor at monitor.mozilla.org. This uses the same HIBP data under the hood, but packages it nicely. Firefox also warns you if you visit a website that has recently been breached, which is a thoughtful touch.
- Apple Security Recommendations. On an iPhone, open Settings, go to Passwords, then tap Security Recommendations. Apple quietly checks your saved passwords against known leaks in the background. It flags compromised, reused, and weak passwords without you having to do anything.
Once you have run these checks, sign up for HIBP’s notification service. Enter your email address on the notify page, and HIBP will email you automatically whenever your address appears in a new breach. It is like having a smoke detector for your credentials. You set it once and do not think about it again until it goes off.
Is using the same password everywhere really that bad?
Yes. This is the single most dangerous habit in online security, and I am not exaggerating. Let me explain with a concrete example.
Say you signed up for BigBasket in 2019 with your Gmail address and a password you also use for Gmail itself, your HDFC net banking, and your Zerodha trading account. You probably did this because remembering four different passwords felt like a hassle, and nothing bad had happened so far, so why bother.
Then BigBasket gets breached in 2020. Twenty million accounts stolen. Your email and password are now in a database that anyone can buy for a few hundred dollars. An attacker downloads that database, runs a credential stuffing script, and tries your BigBasket email-password combination against Gmail. It works, because you used the same credentials. Now the attacker has access to your Gmail.
From your Gmail, they can see which bank you use because of monthly statements and transaction alerts in your inbox. They go to HDFC’s net banking portal and hit “Forgot Password.” The reset link goes to your Gmail, which they already control. They reset your net banking password, log in, and now they are inside your bank account. They change the transaction limits, add a new beneficiary, and start moving money out. Every OTP that gets sent during this process goes to your phone via SMS, but they may have already initiated a SIM swap in parallel, or they might be using the web interface of your email to read the OTPs if your bank sends them by email as well.
The same chain of events can play out with your mutual fund platform, your UPI apps, your social media accounts. One leaked password from one breached grocery delivery app, and the attacker potentially has access to your entire digital life. That is what credential stuffing is. It is not a sophisticated hack. It is not genius-level cybercrime. It is an automated script trying the same username and password across hundreds of websites, and it works because people reuse credentials.
I have talked to people who lost money this way. One person in Bangalore had her Swiggy account credentials used to get into her Outlook email, and from there the attacker accessed her Kuvera mutual fund account and tried to initiate a redemption. She caught it in time because of an SMS alert, but the whole incident started with a food delivery app breach. Another person in Delhi had their Domino's India data used in a credential stuffing attack against PhonePe. The password matched, and the attacker initiated multiple small UPI transfers before the person noticed.
The only real defence against credential stuffing is to never reuse a password. Every account should have its own unique password. I know that sounds like an impossible task when you have sixty or seventy accounts. Which is exactly why password managers exist, and we will get to that shortly.
Can a password manager actually be trusted?
I hear this question all the time, and it makes sense to be sceptical. You are basically putting all your eggs in one basket. If someone breaks into your password manager, they get everything, right?
In theory, yes. In practice, it is more complicated than that, and the answer comes down to how well a good password manager is designed. Let me walk through the architecture so you can make an informed decision rather than going on a gut feeling.
A reputable password manager like Bitwarden, 1Password, or Proton Pass uses something called zero-knowledge encryption. This means that your data gets encrypted on your own device, using a key derived from your master password, before it is ever sent to their servers. The company that runs the password manager never sees your master password. They never see your stored passwords. All they have on their servers is a blob of encrypted data that is useless without your master password to decrypt it.
If the password manager company itself gets hacked, the attackers get that blob of encrypted data. Without your master password, they cannot read it. They could try to brute-force your master password, which is why your master password needs to be strong. If you set a master passphrase of four or five random words, something like “monsoon-cricket-railway-mango-umbrella,” cracking it with current computing power would take longer than the age of the universe. That is the mathematical reality of how encryption works when the key is long enough.
Bitwarden is the one I personally use and recommend to most people. It is free for personal use, open-source so anyone can audit the code, and it works across Android, iOS, Windows, Mac, Linux, and all major browsers. The free version gives you unlimited passwords on unlimited devices. The premium tier costs about 750 rupees a year and adds features like encrypted file storage and emergency access sharing. 1Password is another solid option at around 250 rupees per month, with a very polished interface and good family plan pricing. Proton Pass has a generous free tier and is built by the same team behind ProtonMail, which has a strong track record on privacy. You can also use the built-in password managers in Chrome, Safari, or Samsung devices. They are convenient but they lock you into that one platform. Your Chrome passwords will not show up on Safari, and your Apple Keychain passwords will not sync to a Windows machine.
The transition to a password manager takes about a week if you do it gradually. Every time you log into a website during your normal browsing, let the password manager save the credentials. After seven days, most of your regularly used accounts are stored. Then go back through your important accounts, the ones that touch money and email, and change those passwords to randomly generated ones. A month from now you will have unique, strong passwords on every account that matters, and you will not have to remember a single one of them except the master passphrase.
Compare this to the alternative: reusing passwords across sites, trying to remember which variation you used where, writing them down on paper or in a Notes app on your phone. The password manager approach is genuinely less risky than any of those habits, even though it feels counterintuitive to store everything in one place. The encryption model is what makes it work.
Does changing my password actually help?
It depends on when you do it and what you change it to.
If your password was leaked in a breach and you change it immediately to something unique and strong, then yes, you have just slammed the door shut on anyone trying to use those leaked credentials. The old password sitting in the breach database no longer works. The attacker tries it, gets a login error, and moves on to someone else. You are no longer a viable target through that particular breach.
If you change it but use a predictable variation, like going from “india123” to “india124” or “India123!,” you have done almost nothing. Attackers know people make minor tweaks. Their cracking tools account for common substitutions and appended characters. Adding an exclamation mark or capitalising the first letter does not meaningfully increase the difficulty of cracking the password.
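A service or password manager can refuse exactly this kind of change. The check below is an added example, not from the original post: it undoes the common substitutions the paragraph mentions, strips appended digits and symbols, and also measures plain edit distance, so "india124" and "India123!" are both recognised as variations of "india123". The substitution table and the edit-distance threshold are assumptions.

```python
import re

# Assumed table of substitutions that cracking tools undo routinely.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(password: str) -> str:
    """Reduce a password to its base word: lowercase, drop appended digits/symbols,
    undo substitutions, then drop any leading non-letters that remain."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)       # strip the "123!" style suffix first
    core = core.translate(LEET)                 # p@ssw0rd -> password, 1ndia -> india
    return re.sub(r"^[^a-z]+", "", core)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a minor tweak of the old one and should be rejected."""
    if old.lower() == new.lower():
        return True
    if levenshtein(old.lower(), new.lower()) <= max_edits:
        return True                              # india123 -> india124, India123!
    base_old, base_new = normalise(old), normalise(new)
    return bool(base_old) and base_old == base_new   # india123 -> 1ndia2019

if __name__ == "__main__":
    for candidate in ("india124", "India123!", "1ndia2019", "monsoon-cricket-railway-mango-umbrella"):
        verdict = "rejected" if is_trivial_variation("india123", candidate) else "accepted"
        print(f"{candidate!r}: {verdict}")
```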
If you change it months after the breach happened, you may have been lucky and the credentials were never used against you, or you may have already been quietly compromised without knowing it. Either way, changing it late is still better than never changing it. But check your account activity first. Most email providers, banks, and social media platforms show a log of recent logins. Look for sessions from locations or devices you do not recognise. If you see something suspicious, changing the password is only the first step. You also need to log out all active sessions, check your account recovery settings to make sure the attacker did not add their own backup email or phone number, and review any connected apps or forwarding rules.
There is an old piece of security advice that says you should change your passwords every 90 days, regardless of whether there has been a breach. Most security experts have moved away from recommending that. Frequent forced changes lead people to pick weaker passwords because they are tired of memorising new ones. The current recommendation from organisations like NIST, the US National Institute of Standards and Technology, is to use strong unique passwords and only change them when there is a reason to, such as a breach, a suspected compromise, or shared access that needs to be revoked. Using a password manager makes this whole process painless because you are not the one remembering anything anyway. You change a password, the manager stores the new one, and you move on.
One more thing on this. When you change your password on a breached service, also turn on two-factor authentication if the service supports it. Use an authenticator app like Google Authenticator, Authy, or Microsoft Authenticator rather than SMS-based OTPs. Authenticator apps generate time-based codes on your device. They are not tied to your phone number, so a SIM swap attack will not intercept them. The combination of a strong unique password plus app-based two-factor authentication makes it extremely difficult for anyone to break into that account, even if the service gets breached again in the future, because the attacker would need both your new password and physical access to your phone.
Where do I even start fixing this?
I know this can feel overwhelming. You have probably got dozens of accounts, maybe more, and the idea of checking and fixing all of them sounds like a full weekend project. So let me give you a priority order that puts the most effective steps first.
Start by checking your email addresses on Have I Been Pwned. Your primary email, your secondary email, that old address you used in college. Each one takes thirty seconds. Look at the list of breaches and take note of which ones included passwords in the stolen data. Those are the highest risk breaches because the attacker potentially has your actual password, not just your email address.
Next, change the password on your primary email account. Your email is the master key to everything else online because almost every service uses it for password resets. If an attacker controls your email, they can reset the password on your bank, your UPI apps, your social media, your investment platforms. So your email password needs to be unique, long, and stored in a password manager. Turn on two-factor authentication with an authenticator app while you are at it.
After that, change passwords on your financial accounts. Net banking portals, UPI apps like Google Pay and PhonePe, mutual fund platforms like Groww or Kuvera, trading accounts like Zerodha or Upstox. Each one should get its own unique password generated by your password manager. Check the recent login activity on each account while you are there.
Then work through your social media accounts. Facebook, Instagram, Twitter, LinkedIn. These are high-value targets not because of the accounts themselves but because attackers use them for identity theft and to run scams targeting your friends and family. A compromised Facebook account can be used to send money requests to your contacts.
After the high-priority accounts are done, go through the rest as they come up. Every time you log into a site over the next couple of weeks, let your password manager save the login and change the password to a generated one. You do not need to sit down and fix everything in one session. The gradual approach works fine for the lower-risk stuff.
While you are going through this process, keep an eye out for accounts you no longer use. That old Snapdeal account, the music streaming service you tried once, the random forum you signed up for in 2014. If you can delete those accounts, do it. Every account that exists with your email address is another potential breach point. If you cannot delete them, at least log in, change the password to a random generated one, and remove any stored payment methods.
One step that people often skip: check your CIBIL report. If your personal details were in a breach, someone may have used them to apply for loans or credit cards in your name. You can get a free CIBIL report once a year at cibil.com. Look for any credit inquiries or accounts you do not recognise. If you find something, report it to CIBIL and file a complaint at cybercrime.gov.in or call 1930.
Set up HIBP notifications for all your email addresses so you find out about future breaches quickly. And if you take one thing away from reading this: stop reusing passwords. A password manager handles the hard part for you. You remember one strong master passphrase, and the manager handles the other hundred passwords. That single change eliminates the biggest risk factor by a wide margin.
Start with haveibeenpwned.com. Check your main email. Then your backup email. That takes ninety seconds and tells you exactly where you stand. Everything else flows from there.