Why Your Data Matters More Than You Think

Every time you visit a website, download an app, or make an online purchase, you leave behind tiny fragments of information about yourself. On their own, these fragments seem harmless — a name here, an email address there, maybe a phone number when you signed up for that new food delivery app at two in the morning. But when you zoom out and look at the bigger picture, those fragments come together to form a remarkably detailed portrait of who you are, what you do, where you go, and what you care about.

Data brokers — companies whose entire business model revolves around collecting and selling personal information — are working around the clock to compile exactly these kinds of profiles. They scrape public records, purchase data from apps and websites, and cross-reference everything until they have a file on you that would make a private detective jealous. Your name, age, location, income bracket, shopping habits, political leanings, health conditions — it is all fair game. And the worst part is that most people have absolutely no idea this is happening.

Think about the apps on your phone right now. Your food delivery app knows your home address, your office address, what you eat, when you eat, and how often you order. Your ride-hailing app knows your daily commute, your favourite weekend hangouts, and the time you usually head home at night. Your UPI app has a record of every transaction you have made — who you paid, how much, and when. Individually, each app sees only a slice of your life. But if someone were to combine all that data, they would know you better than most of your friends do.

“If you are not paying for the product, you are the product.” — This old saying has never been more true than it is in 2025.

In India, the situation carries an extra layer of complexity thanks to Aadhaar. Your twelve-digit Aadhaar number is linked to your bank accounts, your phone number, your PAN card, your gas connection, your mutual fund investments, and dozens of other services. A single leak of your Aadhaar details can potentially unravel your entire financial and personal identity. There have already been multiple reported instances of Aadhaar data being exposed through poorly secured government databases and third-party services that had no business storing biometric data in the first place.

Did you know? According to a 2024 report by Surfshark, India ranked among the top five countries globally for the number of data breaches. Millions of Indian users had their personal information — including email addresses, phone numbers, and even Aadhaar details — exposed in just a single year.

The real danger is not just that someone might see your data. It is what they can do with it. Identity theft, financial fraud, targeted phishing attacks, social engineering scams — all of these become exponentially easier when the attacker already has a pile of accurate personal information about you. Your data is not just data. It is the key to your digital life, and treating it carelessly is like leaving your front door wide open in a busy neighbourhood.

Check What Is Already Out There

Before you can protect your data, you need to understand what is already floating around on the internet. Most people are genuinely surprised when they take the time to look. The first step is embarrassingly simple, and yet almost nobody does it: Google yourself. Open an incognito window so your results are not personalised, type your full name in quotes, and see what comes up. Try variations — your name with your city, your name with your workplace, your name with your college. You might find old social media profiles you forgot about, comments you left on forums years ago, or directory listings that display your phone number and address to anyone who searches for them.

Next, head over to haveibeenpwned.com. This is a free service run by security researcher Troy Hunt, and it lets you check whether your email address or phone number has appeared in any known data breaches. Just type in your email and hit search. If you see a list of breaches — and chances are you will — do not panic. It does not necessarily mean someone has accessed your accounts. But it does mean your credentials were part of a data dump, and if you were using the same password across multiple sites (we will talk about that in the next section), you should take action immediately.

Warning: If haveibeenpwned shows your email in a breach, change the password for that service right away. If you used the same password anywhere else, change those too. Do this before reading the rest of this article.

Now, take a hard look at your social media privacy settings. On Facebook, go to Settings > Privacy and check who can see your posts, your friends list, your phone number, and your email address. Set everything to “Friends only” at minimum. On Instagram, consider whether you really need a public profile. If you are not running a business or building a following, switching to private gives you much more control over who sees your content. On LinkedIn, review your public profile settings — you might be surprised how much information is visible to people who are not even logged in.

Do not forget your Google account. Visit myaccount.google.com and click on “Data & Privacy.” Here you will find a timeline of your location history, your search history, your YouTube watch history, and a record of every app that has access to your Google account. Go through the “Apps with access to your account” section carefully. You will probably find services you signed up for once and never used again. Revoke access for anything you do not actively use. Each connected app is a potential door into your account, and there is no reason to leave doors open that you do not need.

This whole process should take about thirty to forty minutes, and it is genuinely eye-opening. Once you see what is already out there, you will have a much clearer picture of what needs to be cleaned up and locked down. Think of it as a health check-up for your digital life — not the most exciting way to spend an evening, but absolutely worth doing.

Lock Down Your Accounts Properly

If there is one single thing you can do right now to dramatically improve your online security, it is this: stop reusing passwords. I know, I know — you have heard this advice a thousand times. But there is a reason security experts keep repeating it. When a service gets breached and your email-password combination leaks, attackers do not just try that combination on the breached service. They try it everywhere — your email, your bank, your social media, your shopping accounts. This is called credential stuffing, and it works frighteningly well because most people use the same two or three passwords for everything.

The solution is a password manager. A password manager generates and stores unique, complex passwords for every single account you have. You only need to remember one master password — the one that unlocks the manager itself. My recommendation for most people is Bitwarden. It is completely free for personal use, open-source (meaning its code can be independently audited), and it works across Windows, Mac, Linux, Android, iOS, and every major browser. There are premium options like 1Password and Dashlane, but honestly, Bitwarden's free tier does everything most people need.

Getting started with Bitwarden: Download the app on your phone and the browser extension on your computer. Create an account with a strong master password (a passphrase like “mango-monsoon-cricket-lamp” is both strong and memorable). Then, every time you log into a website, let Bitwarden save the credentials. Over a week or two, your entire digital life will be neatly organised and properly secured.

The second essential step is enabling two-factor authentication (2FA) on every account that supports it. Two-factor authentication means that even if someone gets your password, they still cannot log in without a second piece of verification — usually a code sent to your phone or generated by an authenticator app. For the authenticator app, I recommend Google Authenticator or Authy. Authy has the advantage of backing up your 2FA codes to the cloud, so you do not lose everything if you lose your phone.

Now, here is something that is especially important for Indian users: enable 2FA on your UPI apps and bank accounts. Most major banks in India now offer two-factor authentication for net banking, but it is not always enabled by default. Log into your bank's website or visit your branch and make sure it is turned on. For UPI apps like Google Pay, PhonePe, and Paytm, make sure your app lock is enabled — use biometric authentication (fingerprint or face) if your phone supports it. UPI fraud is one of the fastest-growing categories of cybercrime in India, and a simple app lock can be the difference between keeping your money and losing it.

Important: Never share your UPI PIN, OTP, or bank password with anyone, no matter how convincing they sound. Your bank will never call you and ask for these details. If someone does, it is a scam. Hang up immediately.

While you are at it, take five minutes to review the security settings of your primary email account. Your email is the master key to your digital life — it is where password reset links are sent, where account verification emails arrive, and where sensitive communications live. If an attacker gets into your email, they can reset passwords on virtually every other account you own. Enable 2FA, use a strong unique password, and set up a recovery phone number and recovery email. On Gmail, check Security > Your devices to see every device that is currently logged into your account. If you see anything you do not recognise, remove it immediately and change your password.

Clean Up Your Phone

Your smartphone knows more about you than your closest family members do. It knows where you sleep, where you work, who you talk to, what you search for at 2 AM, and what you buy when you are feeling impulsive. All of this data is accessible to the apps installed on your phone — but only if you have given them permission. The problem is, most of us tap “Allow” on every permission request without thinking twice, and over time, this adds up to an alarming amount of access.

Start with a basic audit. On Android, go to Settings > Privacy > Permission Manager. On iPhone, go to Settings > Privacy & Security. What you will see is a list of permissions — Camera, Microphone, Location, Contacts, Files, and so on — and which apps have access to each. Go through them one by one. Does your flashlight app really need access to your contacts? Does that PDF reader need your location? Does a wallpaper app need your microphone? If the answer is no, revoke the permission. If you are not sure, revoke it anyway. If the app genuinely needs it, it will ask again when you try to use the relevant feature.

Pay particular attention to location permissions. Many apps request “Allow all the time” for location access when they only need it while you are actively using them. Change these to “Only while using the app” or “Ask every time.” There is absolutely no reason for a shopping app or a news app to track your location in the background. Some popular Indian apps are particularly aggressive about this. Food delivery apps, cab-booking apps, and even some payment apps request persistent location access. Limit this wherever possible.

Quick cleanup checklist for your phone:
  • Delete apps you have not used in the last 30 days
  • Revoke camera and microphone access from apps that do not need it
  • Set location to “Only while using” for delivery and cab apps
  • Turn off contacts access for social media apps
  • Disable “Personalised ads” in your phone settings

Next, delete apps you no longer use. Every app on your phone is a potential security risk. Unused apps still sit there with whatever permissions you originally granted, they may still be collecting data in the background, and if the developer stops updating them, they become vulnerable to exploits. Be ruthless — if you have not opened an app in the last month, delete it. You can always reinstall it later if you need it.

Finally, turn off ad tracking. On Android, go to Settings > Privacy > Ads and select “Delete advertising ID.” On iPhone, go to Settings > Privacy & Security > Tracking and turn off “Allow Apps to Request to Track.” This will not eliminate ads entirely, but it will significantly reduce the amount of data that advertisers can collect about your behaviour across different apps. It is a small change that makes a meaningful difference in how much of your activity is being profiled and monetised.

Think of your phone as your digital home. You would not hand out copies of your house key to every salesperson who knocked on your door. Treat app permissions the same way — only give access to what is genuinely needed, and review those permissions regularly.

Be Careful With Public Wi-Fi

Free Wi-Fi is everywhere in India now. Coffee shops, airports, railway stations, shopping malls, hotels — almost every public place offers it. And almost everyone connects without a second thought. After all, who wants to burn through their mobile data when there is a perfectly good free connection available? The problem is that public Wi-Fi networks are one of the easiest places for attackers to intercept your data, and most people have no idea how exposed they are when they connect.

Here is how it works in simple terms. When you connect to a public Wi-Fi network, your data travels through the air between your device and the router. On an unsecured network — and most public networks are either unsecured or use a shared password that everyone in the building knows — anyone with the right tools can eavesdrop on that traffic. They can see which websites you visit, capture login credentials that are transmitted over unencrypted connections, and in some cases, inject malicious content into the web pages you are viewing. A technique called a “man-in-the-middle” attack lets an attacker position themselves between you and the Wi-Fi router, effectively monitoring everything you do online.

That free Wi-Fi at the airport or the mall might be saving you a few rupees of mobile data, but it could be costing you a lot more if someone is watching your traffic.

The risks are especially high at Indian railway stations. The free Wi-Fi provided at many stations, while convenient, connects thousands of users to the same network. In busy stations like Mumbai CST, New Delhi, or Bengaluru City, you are sharing a network with hundreds or even thousands of strangers at any given moment. Similarly, the free Wi-Fi offered at popular cafe chains and malls often has minimal security. Some of these networks do not even require a password — you just connect and start browsing, which means so can anyone else, including people with malicious intent.

Golden rule: Never do banking, UPI payments, or any financial transactions on public Wi-Fi. No exceptions. Switch to your mobile data for anything involving money or sensitive information. The few megabytes of data you use are worth far less than the money you could lose.

If you must use public Wi-Fi regularly, invest in a VPN (Virtual Private Network). A VPN encrypts all of your internet traffic, making it unreadable to anyone who might be snooping on the network. It creates a secure tunnel between your device and the VPN server, so even on a compromised Wi-Fi network, your data stays protected. Good options include ProtonVPN (which has a free tier with servers in multiple countries), Mullvad VPN (affordable and privacy-focused), and Windscribe (generous free plan). Avoid free VPNs from unknown developers — many of them actually make money by logging and selling your browsing data, which defeats the entire purpose.

Some additional precautions for public networks: turn off automatic Wi-Fi connections on your phone so it does not connect to open networks without your knowledge, forget networks after you are done using them, turn off file sharing and AirDrop when you are on public Wi-Fi, and make sure the websites you visit use HTTPS (look for the padlock icon in your browser's address bar). These are small habits that take almost no effort but significantly reduce your risk.

What to Do If Your Data Gets Leaked

Despite your best efforts, there is always a chance that your data will end up in a breach. Companies get hacked, databases get exposed, and sometimes an employee simply misconfigures a server and accidentally makes millions of records publicly accessible. If it happens to you, the most important thing is not to panic — but to act quickly and methodically. The first few hours after you discover a breach are critical, and what you do during that time can mean the difference between a minor inconvenience and a serious problem.

The first step is to change your passwords immediately. Start with the breached service itself, then move on to any other account where you used the same or a similar password. If you have been following the advice in this article and using a password manager with unique passwords for every account, this step is much simpler — you only need to change the password for the affected service. If you were not using unique passwords, now is the time to start. Change the passwords for your email accounts first (since those are the keys to everything else), then your bank and financial accounts, then social media, and then everything else.

Next, enable two-factor authentication on every account that was affected, if you have not already. Even if the attackers have your password, 2FA will stop them from logging in. Check the active sessions on your important accounts — most services let you see which devices are currently logged in — and log out of any sessions you do not recognise.

If your financial data was exposed:
  • Call your bank immediately and alert them about the breach
  • Request a temporary freeze on your debit and credit cards
  • Monitor your account statements daily for at least a month
  • Set up transaction alerts via SMS for every transaction, no matter how small
  • Check your CIBIL report for any unauthorised credit enquiries

For Indian users, there are specific channels for reporting cybercrime. CERT-In (Indian Computer Emergency Response Team) is the government agency responsible for handling cybersecurity incidents. You can report a breach or security incident at cert-in.org.in. For financial fraud or identity theft, file a complaint at cybercrime.gov.in, which is the National Cyber Crime Reporting Portal. You can also call the cybercrime helpline at 1930. If you believe your Aadhaar data has been misused, you can lock your Aadhaar biometrics through the UIDAI website or the mAadhaar app — this prevents anyone from using your biometrics for authentication until you unlock them.

Act fast: If you receive an email or SMS claiming to be from a breached company and asking you to click a link to “secure your account,” be extremely cautious. Scammers often exploit data breaches by sending phishing messages that mimic legitimate breach notifications. Always go directly to the service's website by typing the URL yourself instead of clicking any links.

Keep a record of everything. Screenshot any breach notification emails, note down the dates and times you took action, and save confirmation emails from password changes and security updates. If you end up needing to file a police complaint or an insurance claim, having a clear timeline of events and your response will be invaluable. It is also worth checking haveibeenpwned.com periodically — sign up for their free notification service so you get an email alert the next time your details appear in a breach. Being proactive is always better than finding out months after the fact.

Data breaches are an unfortunate reality of the modern internet. You cannot always prevent them, but you can prepare for them and respond effectively when they happen. The steps in this guide — strong unique passwords, two-factor authentication, minimal data sharing, and vigilant monitoring — will ensure that even if your data is exposed, the damage is limited and recoverable.