Between January and August 2025, Indian cybersecurity firms tracked a sharp increase in email account takeovers. The numbers reported by multiple sources paint a consistent picture: credential stuffing attacks against Indian email users roughly doubled compared to the same period in 2024, and the source data powering those attacks came overwhelmingly from breaches at smaller Indian platforms rather than global ones.
CERT-In, the Indian Computer Emergency Response Team, issued two separate advisories on email security during this period. The first, in March 2025, warned of a large-scale phishing operation targeting Indian government email addresses. The second, in June 2025, addressed the broader credential-stuffing threat and urged all Indian internet users to turn on two-factor authentication and check their email forwarding settings. CERT-In's published data shows that complaints related to email account compromise rose 38% in the first half of 2025 compared to the first half of 2024.
Credential Stuffing Is Driving Most Email Breaches in India
Credential stuffing is an automated attack. An attacker obtains a list of email-password pairs leaked from a data breach at one service (a food delivery app, an exam registration portal, a regional e-commerce site, a ticket booking platform) and then uses software to try each pair against Gmail, Outlook, Yahoo, and other email login pages. The software runs through thousands of combinations per hour. When a username-password pair works because the user reused the same credentials across services, the attacker gains access.
The Bengaluru-based security firm CloudSEK published a report in July 2025 documenting over 12 million Indian email credentials available for sale on dark web marketplaces. These credentials were compiled from 38 separate data breaches that occurred between 2022 and 2025. The affected platforms spanned education portals, healthcare booking sites, fintech apps, and local e-commerce operations. Most of the affected users had registered on multiple platforms using the same email address and the same password.
“The average Indian internet user has around 40 online accounts but uses only three or four distinct passwords across all of them. When one service is breached, that password unlocks a chain of accounts — and the email is almost always the first target because it gives access to everything else.” — Rahul Sasi, founder of CloudSEK
The pattern after a successful credential-stuffing login is remarkably consistent. The attacker does not change the password. They do not send obvious spam from the account. Instead, they set up a forwarding rule, a setting buried inside the email account's configuration, that silently copies every incoming message to an external address. Password reset emails, OTPs from banks, job offers, Aadhaar correspondence, insurance documents, investment statements. All of it flows to the attacker's inbox in real time, alongside the victim's. Because the victim's own access is not disrupted and no visible changes appear in their inbox, the compromise can go undetected for weeks or months.
According to a separate analysis by the Internet Freedom Foundation, fewer than 18% of Indian Gmail users have two-factor authentication enabled. The global average is roughly 30%. Among Outlook users in India, the figure drops to approximately 11%. These numbers mean that the majority of Indian email accounts are protected only by a password, and for most users, that password is shared with other accounts that have already been or will eventually be breached.
The demographics most affected, based on CloudSEK's data, are college students (who reuse passwords across educational and entertainment platforms), small business owners (who use a single personal email for business and personal accounts), and senior citizens (who tend toward short, predictable passwords and rarely set up two-factor authentication). Among the compromised accounts in the CloudSEK dataset, the median password length was eight characters. Sixty-two percent of the passwords contained a name, a birth year, or a phone number.
How Attackers Get In: The Three Main Methods
Credential stuffing accounts for the largest share of email compromises in India, but it is not the only method. Attackers use three primary techniques, each targeting a different weakness.
Credential stuffing, as described above, targets password reuse. The attacker does not need to know anything about the victim specifically. They just need a leaked database and automated software. Tools for credential stuffing (programs like OpenBullet, SentryMBA, and custom scripts) are freely available on hacking forums and require no programming skill to operate. A tutorial and a list of proxies to avoid IP blocks are all a beginner needs. The defence is a unique password for your email account, one that is not used for any other service.
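On the defender's side, the "thousands of combinations per hour" pattern is visible in authentication logs as one source trying many distinct accounts with a high failure rate. The following is an added example, not code from the article or from any provider; the log format and the two source addresses are constructed, and the thresholds are assumptions to tune for your own traffic.

```python
"""Flag credential-stuffing patterns in authentication logs (added example, not from
the article; the log format is constructed, adapt LOG_RE to your provider). Stuffing
shows up as one source trying many distinct accounts with mostly failures. Proxy
rotation spreads that over many IPs, so per-IP counting alone is not sufficient."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 203.0.113.7 walks a leaked list; 198.51.100.2 is a user mistyping once.
SAMPLE_LOG = """\
2025-06-01T10:00:01 ip=203.0.113.7 user=asha@example.in result=fail
2025-06-01T10:00:02 ip=203.0.113.7 user=ravi@example.in result=fail
2025-06-01T10:00:03 ip=203.0.113.7 user=meena@example.in result=ok
2025-06-01T10:00:04 ip=203.0.113.7 user=kiran@example.in result=fail
2025-06-01T10:00:05 ip=203.0.113.7 user=sunil@example.in result=fail
2025-06-01T10:00:06 ip=203.0.113.7 user=priya@example.in result=fail
2025-06-01T10:05:00 ip=198.51.100.2 user=asha@example.in result=fail
2025-06-01T10:05:09 ip=198.51.100.2 user=asha@example.in result=ok
"""


def parse_log(text):
    """Parse lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "ok": m["result"] == "ok"})
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that hit >= min_accounts distinct accounts inside
    `window` with a failure ratio >= min_fail_ratio. `succeeded` lists the accounts
    that accepted the stuffed password: those are the ones to force-reset first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window's left edge
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e["user"] for e in chunk}
            fail_ratio = sum(not e["ok"] for e in chunk) / len(chunk)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = {"accounts": len(accounts), "fail_ratio": round(fail_ratio, 2),
                               "succeeded": sorted(e["user"] for e in chunk if e["ok"])}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single success from a flagged source is the compromised account; a forced password reset and a forwarding-rule check on it come before any IP block, since the attacker will simply move to the next proxy.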
Phishing targets human judgement. The victim receives an email that appears to come from Google, Microsoft, their bank, the Income Tax Department, or their employer. The email contains a link to a page that looks identical to the real login screen. The victim enters their username and password. Those credentials go directly to the attacker. Phishing attacks have grown more sophisticated in India over the past two years. According to CERT-In's quarterly reports, phishing emails impersonating Indian government services (Income Tax, EPFO, Aadhaar, DigiLocker) increased by 47% between 2024 and 2025. The emails use official logos, correct formatting, and .gov.in-adjacent domain names that look legitimate at a glance. A phishing email claiming your PAN card is about to be deactivated or that your ITR has a discrepancy creates enough urgency that many recipients click before thinking.
The defence against phishing is two-part. First, develop the habit of checking the sender's email address (not just the display name) and the URL you are being sent to before entering credentials. A login page at “googIe.com” (with a capital I instead of a lowercase L) or “incometax-gov.in.verification-portal.com” is not what it appears to be. Second, two-factor authentication protects you even if you do enter your password on a phishing page, because the attacker still needs the second factor to log in.
Third-party app exploitation is the least discussed but increasingly common method. Every time you click “Sign in with Google” or “Continue with Microsoft” on a website or app, you grant that third-party application some level of access to your email account. The permissions vary. Some apps get read-only access to your profile. Others get full access to read, send, and delete emails. If one of those third-party apps has poor security practices and gets breached, the attacker can use the app's access tokens to reach your email without ever needing your password. A 2025 analysis by Google's Threat Analysis Group found that compromised third-party apps were responsible for approximately 8% of Gmail account takeovers globally. In India, where users tend to accumulate “Sign in with Google” connections across dozens of platforms over years, the percentage may be higher.
Recovery After a Breach: Step by Step
If you suspect your email has been compromised (unusual login alerts, emails you did not send appearing in your Sent folder, contacts reporting spam from your address, or password reset notifications for accounts you did not request), the recovery process needs to happen quickly and in a specific order.
For Gmail accounts:
Go to myaccount.google.com/security on a device you trust. If you can still log in, change your password immediately. Choose something completely new, not a variation of the old password. After changing the password, click “Sign out of all other sessions” to force any attacker who is currently logged in to lose access. Then go to Settings > See all settings > Forwarding and POP/IMAP. Check whether any forwarding address has been set up. If you see an address you do not recognise, disable forwarding. Next, go to Settings > Filters and Blocked Addresses. Look for any filters you did not create. Attackers sometimes create filters that automatically archive or delete security alert emails so the victim never sees them. Delete any suspicious filters. Then go to myaccount.google.com > Security > Third-party apps with account access. Revoke access for any app you do not recognise or no longer use. Finally, turn on two-factor authentication if it was not already enabled. Use Google Authenticator or Authy rather than SMS.
If you cannot log in because the attacker changed the password, go to accounts.google.com/signin/recovery. Google will walk you through identity verification using your recovery phone number, recovery email address, or answers to security questions. The process takes longer if you never set up recovery options, which is why setting them up before a breach matters.
For Outlook/Microsoft accounts:
Go to account.microsoft.com and sign in. Change your password. Then go to account.microsoft.com/security and review recent sign-in activity. Microsoft shows you the IP address, location, browser, and device for each login. Flag anything you do not recognise. Go to Settings > Mail > Forwarding and check for unauthorised forwarding rules. Go to account.microsoft.com > Privacy > Apps and services and revoke access for anything unfamiliar. Enable two-factor authentication through the Microsoft Authenticator app.
If you are locked out of an Outlook account, go to account.live.com/password/reset. Microsoft's recovery process uses the recovery phone number or email address associated with the account. If neither is available, Microsoft has a manual account recovery form that asks for information only the real account owner would know: recent email subjects, contacts you have emailed, and details about when and how you created the account. This process can take 24 to 48 hours.
After recovering either type of account, check every service that uses that email as a login. If the attacker had access to your email, they may have used password reset links to get into your bank account, social media, UPI apps, or e-commerce accounts. Change passwords on any linked account. Check your bank statements and UPI transaction history for activity you do not recognise. If financial accounts were accessed, contact your bank and file a complaint at cybercrime.gov.in or call the national cybercrime helpline at 1930.
Security Measures That Actually Work
The defences against email compromise are well understood and free to implement. The technology exists. The bottleneck is adoption.
Unique passwords break the credential-stuffing chain entirely. If the password for your email is different from every other password you have, a breach at any other service cannot affect your email. Password managers like Bitwarden (free, open-source, available on every platform) generate random, unique passwords for each account and store them in an encrypted vault. The user memorises one master password. The manager handles everything else. Google's Password Checkup tool, available at passwords.google.com, scans saved passwords against known breach databases and flags any that are reused or appear in leaked datasets.
A separate approach is passphrases. A string of four or five unrelated words, something like “lantern-receipt-sparrow-calcium,” is both long enough to resist brute-force attacks and easy enough to remember without writing it down. For users who are uncomfortable with password managers, passphrases are a reasonable alternative for their most important accounts.
Two-factor authentication stops an attacker even if they have the correct password. The attacker logs in with the stolen credentials and is then asked for a second verification code. Without access to the device that generates that code, they cannot proceed. Google's transparency data shows that accounts with 2FA enabled are 99% less likely to be compromised through credential stuffing.
Gmail supports multiple types of 2FA: Google Prompts (a tap on your phone), authenticator apps (Google Authenticator, Authy), and hardware security keys (YubiKey, Titan). Outlook supports the Microsoft Authenticator app and phone-based verification. Among these options, authenticator apps are preferred over SMS-based codes. SIM-swapping attacks, where a scammer convinces a telecom provider to port the victim's phone number to a new SIM card, have been documented in India multiple times. If an attacker swaps your SIM, they receive your SMS verification codes. An authenticator app generates codes locally on your device and cannot be intercepted this way.
Forwarding rule audits catch compromises that have already happened silently. In Gmail, go to Settings > See all settings > Forwarding and POP/IMAP. Check whether forwarding is enabled. If it is, verify that the forwarding address is one you set up. In Outlook, go to Settings > Mail > Forwarding. Also review email filters. In Gmail, go to Settings > Filters and Blocked Addresses. Attackers create filters that auto-delete or auto-archive security alerts from Google, banks, or other services so the victim never sees warnings about suspicious activity on their account.
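A filter that trashes security alerts or carries a forwardTo action is exactly what the recovery steps above tell you to hunt for, and the Filters page lets you export every filter to a file. The following is an added example, not code from the article or from Google: it assumes the export is the Atom XML file Gmail produces with one entry per filter and settings as apps:property elements, the sample file is constructed, and the list of watched senders and words is an assumption to extend with your own bank and services.

```python
"""Audit an exported Gmail filter file for the hiding and forwarding tricks above.
Added example, not from the article. Gmail's Filters page exports an Atom XML file
with one <entry> per filter and its settings as <apps:property> elements; the
sample below is constructed in that format and the watched terms are an assumption."""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "apps": "http://schemas.google.com/apps/2006"}
# Senders and words an attacker would want to hide from the victim (assumed list).
SECURITY_TERMS = ("accounts.google.com", "microsoft.com", "bank", "otp", "password")

SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry><category term='filter'/>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><category term='filter'/>
    <apps:property name='hasTheWord' value='otp OR statement OR password'/>
    <apps:property name='forwardTo' value='collector@attacker-mail.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry><category term='filter'/>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Promotions'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [
        {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        for entry in root.findall("atom:entry", NS)
    ]


def audit_filters(filters, own_domains=("example.in",)):
    """Flag filters that forward mail off-account or bury mail about security events.
    Returns (filter_number, reason) tuples; an empty list means nothing suspicious."""
    findings = []
    for i, f in enumerate(filters, 1):
        target = f.get("forwardTo", "")
        if target and not target.lower().endswith(tuple("@" + d for d in own_domains)):
            findings.append((i, f"forwards matching mail to external address {target}"))
        hides = f.get("shouldTrash") == "true" or f.get("shouldArchive") == "true"
        match = (f.get("from", "") + " " + f.get("hasTheWord", "")).lower().strip()
        if hides and any(term in match for term in SECURITY_TERMS):
            action = "trashes" if f.get("shouldTrash") == "true" else "archives"
            findings.append((i, f"auto-{action} mail matching '{match}'"))
    return findings


if __name__ == "__main__":
    for number, reason in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter {number}: {reason}")
```

A forwardTo inside a filter does not appear on the Forwarding and POP/IMAP page, which is why the article's advice to check both pages matters.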
Connected app reviews close the third-party exploitation vector. In Gmail, go to myaccount.google.com > Security > Third-party apps with account access. In Outlook, go to account.microsoft.com > Privacy > Apps and services. Revoke access for anything you do not recognise or no longer use. Many Indian users have accumulated dozens of “Sign in with Google” connections over years of casually granting access to apps, websites, and services. Each one is a potential entry point if that third party's own security is compromised.
Recovery options need to be set up before you need them, not after. In Gmail, go to myaccount.google.com > Security > Ways we can verify it's you. Add a recovery phone number and a recovery email address. In Outlook, go to account.microsoft.com > Security > Advanced security options and do the same. These are the fallback channels Google and Microsoft use to verify your identity if you get locked out. Without them, account recovery becomes significantly harder and slower.
Email Providers and Their Security Differences
Not all email providers offer the same security features, and the differences matter depending on your threat model.
Gmail is the dominant email provider in India, with an estimated 450 million Indian users as of 2025. Its security infrastructure is the most mature of any free email service. Gmail's spam and phishing filters use machine learning models trained on data from over 1.8 billion accounts globally, and Google claims to block more than 99.9% of spam, phishing, and malware before it reaches the inbox. 2FA options include Google Prompts, authenticator apps, hardware security keys, and passkeys. Gmail also supports the Google Advanced Protection Programme, a free opt-in feature designed for high-risk users (journalists, activists, politicians) that requires a hardware security key for login and blocks all third-party app access to Gmail data. The main security weakness of Gmail is its business model. Google scans email content to target advertising, which means your email data is processed by Google's systems in ways that a privacy-focused provider would not allow.
Outlook (including Hotmail and Live accounts) is Microsoft's offering and the second most widely used email service in India. Outlook supports 2FA through the Microsoft Authenticator app, SMS, and hardware keys. Microsoft has been pushing passkey adoption since early 2025, and new Outlook accounts can now be created without a password at all, using only biometric or device-based authentication. Outlook's spam filtering is solid but generally considered slightly less effective than Gmail's. One advantage Outlook has is its integration with the Microsoft 365 suite. For users who rely on Word, Excel, and OneDrive, having email and productivity tools under one security umbrella reduces the number of separate accounts to manage. The security weakness mirrors Gmail's: Microsoft processes email data for advertising and product improvement purposes.
Yahoo Mail remains in use among older Indian internet users, many of whom created Yahoo accounts in the 2000s and never migrated. Yahoo's security track record is the worst among major providers. The company disclosed two massive breaches in 2016: one affecting 500 million accounts (occurring in 2014) and another affecting all 3 billion accounts (occurring in 2013). Yahoo now supports 2FA through its Yahoo Account Key feature, which sends a push notification to a linked mobile device. The spam filter is adequate but weaker than both Gmail and Outlook. For users still on Yahoo Mail, the recommendation from most security researchers is to migrate to Gmail or a privacy-focused provider and use the Yahoo address only as an alias or forwarding source.
ProtonMail is a Swiss-based encrypted email service that has gained traction in India among privacy-conscious users, journalists, and activists. ProtonMail uses end-to-end encryption for emails sent between ProtonMail users, meaning that even ProtonMail's own servers cannot read the content. Emails sent to non-ProtonMail addresses (Gmail, Outlook) can optionally be encrypted with a password that the recipient must enter. ProtonMail does not scan email content for advertising. It does not log IP addresses by default. It supports 2FA through authenticator apps. The free tier includes 1 GB of storage and 150 messages per day, which is sufficient for personal use. The paid plans start at approximately Rs 330 per month. The trade-off is that ProtonMail's encryption means it cannot integrate with third-party email clients as easily as Gmail or Outlook, and its search functionality is limited because the server cannot index encrypted content.
For most Indian users, Gmail with 2FA enabled and a unique password provides a strong security baseline. For users who want to minimise data collection by the email provider itself, ProtonMail is the strongest option among widely available services. Outlook is a reasonable middle ground for users already relying on Microsoft products. Yahoo should be treated as a legacy service to be migrated away from rather than relied upon.
Google began rolling out passkey support for Indian users in late 2024. Passkeys replace traditional passwords with biometric or device-based authentication. A fingerprint scan or face unlock on your phone serves as your login credential, and no password is transmitted or stored. Microsoft announced similar passkey integration for Outlook in early 2025. Both companies have signalled that they plan to make 2FA mandatory for new account registrations by 2026, though no firm date has been set for existing accounts.
On the regulatory side, CERT-In's 2022 directive requiring organisations to report data breaches within six hours has improved breach visibility in India but has not done much for breach prevention. The Digital Personal Data Protection Act of 2023 includes provisions for penalising organisations that fail to protect user data, but enforcement is still in its early stages. The Data Protection Board of India, set up under the Act, had yet to issue its first penalty as of late 2025.
The dark web market for Indian email credentials continues to expand. CloudSEK's July 2025 report noted that prices for verified Indian Gmail credentials with no 2FA have dropped from approximately $10 per account in 2023 to $2 to $3 per account in 2025. That price drop reflects growing supply, not shrinking demand. Credentials for accounts with 2FA enabled are rarely listed because they are not useful to buyers who lack access to the second factor.
For individual users, the situation comes down to a small number of actions. Use a unique password for email. Turn on two-factor authentication using an app, not SMS. Check haveibeenpwned.com once a quarter. Review connected apps and revoke anything you do not recognise. That is it. Not glamorous, but effective.