How to Check If Your Personal Data Has Been Leaked
Everyone tells you to check if your data's been leaked. I ignored that advice for three years -- until a loan showed up on my CIBIL report that I never applied for, traced back to a telecom breach I could've caught in five minutes.

Everyone tells you to check if your data's been leaked. "Run your email through a breach checker," they say. "Stay on top of it." I nodded along for years and never actually did it. Figured I was careful enough. Strong-ish passwords, didn't click on obvious spam, kept my Aadhaar locked. Good enough, right?
Then last November, I pulled my CIBIL report. Routine check before applying for a home loan. And there it was — a personal loan inquiry from a microfinance company in Hyderabad. Rs 1.2 lakh. I've never been to Hyderabad in my life. Never heard of this lender. But someone had used my PAN, my email, and enough personal details to get past their KYC checks. The inquiry was three months old by the time I saw it.
I spent the next two weeks untangling that mess. Police complaint, calls to the NBFC, a dispute with CIBIL, hours of documentation. And when I finally traced how my data got out there, the answer was anticlimactic. A telecom provider I'd used briefly in 2023 had suffered a breach affecting around 30 million records. My email, phone number, PAN, date of birth — all in the dump. The breach had been public knowledge for months. If I'd spent five minutes checking, I'd have caught it and changed my passwords before anyone could weaponize my details.
Five minutes. That's what this whole thing cost me in hindsight. Instead I spent two weeks.
So yeah. I'm now the annoying person who tells everyone to check if their data's been leaked. Because I learned the expensive way that ignoring this stuff doesn't make you safe. It makes you a sitting target who won't see the hit coming.
India's Breach Problem Is Worse Than Most People Realize
Here's something that might surprise you. India had the fourth-highest number of data breach victims globally in 2025, according to multiple cybersecurity reports that came out late last year. We're not talking about some hypothetical risk. Actual breaches, with actual Indian users' data floating around on Telegram channels and dark web forums.
The hit list is long. Telecom companies — and I won't name mine specifically, but you can probably guess — have been breached multiple times. Food delivery platforms leaked order histories, addresses, and phone numbers for millions of customers. A major ed-tech company exposed student records. Government portals had vulnerabilities that sat open for months before anyone patched them. A health-tech startup left an entire database of patient records accessible without authentication. I wish I were exaggerating any of this.
And the type of data that gets leaked in India? It's not just email addresses. We're talking Aadhaar numbers, PAN details, bank account numbers, UPI IDs, medical histories, home addresses. Stuff you can't change like a password. My PAN number is the same one I'll have for life. Once it's out there, it's out there. That reality should probably bother more people than it does.
The weird part is how quiet most of these breaches are. In the US or Europe, a breach affecting 30 million users would be front-page news for a week. Companies would issue public statements, offer free credit monitoring, maybe face regulatory action. In India, a lot of these incidents barely make it past a few tech news sites. The affected company puts out a vague statement — "we take security seriously" — and that's more or less where it ends. CERT-In gets a report. Maybe. Users rarely get notified individually.
Which means the responsibility falls on you to go looking for the damage yourself.
The Night I Actually Ran My Email Through a Breach Checker
After the CIBIL fiasco, I sat down one evening and decided to do what I should've done years ago. Took maybe twenty minutes total, and what I found was honestly a bit sickening.
I started with Have I Been Pwned — haveibeenpwned.com. It's run by Troy Hunt, an Australian security researcher who's been cataloguing breaches since 2013. You type in your email address, hit the button, and it tells you every known breach that email appeared in. Free. No account needed. Takes about three seconds to load results.
My primary Gmail showed up in seven breaches. Seven. Two of them were services I'd forgotten I ever signed up for — some forum from 2019 and a job board I used once. Three were Indian companies. The data exposed varied: email and hashed password in some cases, email plus phone number plus physical address in others. One breach included partial payment information.
I sat there staring at the screen feeling genuinely stupid. Not because I'd been breached — that part wasn't really my fault — but because this information had been sitting there, publicly queryable, for months or years, and I'd never bothered to look.
Then I checked my secondary email. Four more breaches. My old college email? Two. Every single email address I've ever used had been compromised in at least one breach. And I'd bet good money that's true for you too, if you've been using the internet in India for more than a few years.
Here's a thing people don't always know: HIBP also lets you check phone numbers for certain breaches. You enter your number in international format — +91 followed by your ten digits — and it'll tell you if your number showed up in something like the 2021 Facebook data scrape, which included around 6 million Indian phone numbers. My number was in there. Wonderful.
Beyond HIBP: Other Tools Worth Your Time
Have I Been Pwned is the gold standard, but it's not the only option. And honestly, using multiple sources gives you a more complete picture because no single database has every breach catalogued.
Google's built-in password checker is probably the most underused tool out there, considering how many Indians have Google accounts. Go to myaccount.google.com/security-checkup. If you've been saving passwords in Chrome — and statistically, you probably have — Google will cross-reference every stored credential against known breach databases. It'll flag compromised passwords, reused passwords, and weak passwords all in one dashboard. When I ran it, seventeen of my saved passwords were flagged as compromised. Seventeen. A few of them were for accounts I actually cared about.
Firefox Monitor is Mozilla's version. It pulls from the same HIBP database, but the nice thing about it is the ongoing monitoring. You link your email, and Firefox sends you a notification whenever your address shows up in a new breach going forward. Set-and-forget protection, basically. I've gotten two alerts from it since I signed up in December, both for services I no longer use but whose old credentials could still be exploited if I hadn't changed them.
There are other services too — Dehashed, Intelligence X, various dark web monitoring tools — but those tend to be more technical and some require paid subscriptions. For most people, the combo of HIBP, Google Security Checkup, and Firefox Monitor covers about 90% of what you need. Maybe more.
One word of caution, though. Be careful about random "breach checker" websites you find through Google searches. Some of them are legitimate. Some are phishing pages designed to harvest the very email addresses people type into them. Stick to the tools I mentioned above — they're well-known, independently verified, and have solid reputations. If some site you've never heard of asks for your email and password to "check if you've been breached," close the tab immediately.
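Added example, not part of the original post: a legitimate checker never needs your full password. The sketch below follows the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the password's SHA-1 leave your machine. The breach corpus and the simulated server are constructed for illustration so the code runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus (password -> times seen); not real data.
LEAKED = {"password": 9_000_000, "Summer2023!": 412, "qwerty123": 350_000}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def simulated_range_server(prefix: str) -> str:
    """Server side: receives only a 5-character hash prefix and returns
    every 'SUFFIX:COUNT' row in that bucket. It never sees the password."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    rows = []
    for pw, count in LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            rows.append(f"{digest[5:]}:{count}")
    return "\r\n".join(rows)

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' rows, ignoring blank or malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password: str, fetch=simulated_range_server) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    A real client would pass a fetch() that requests
    https://api.pwnedpasswords.com/range/<prefix> over HTTPS."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "t7#Vq9-long-unique-passphrase"):
        print(candidate, "->", breach_count(candidate))
```

A site that asks for the whole password "to check it" is doing something this protocol shows is unnecessary.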
Okay, So My Data's Been Leaked. Now What?
Finding out you're in a breach is the easy part. The annoying part is what comes after. But I'll walk you through exactly what I did, because I think the specific steps matter more than vague advice.
Passwords first. I changed every password for every account that showed up in a breach. Not just the breached ones — any account where I'd reused the same password. And yeah, I'd been reusing passwords. I know better. I did it anyway, like most humans. The fix was installing Bitwarden — it's a free password manager, open source, works on Android and desktop — and letting it generate a unique random password for every single account. Took me about an hour to go through my most important accounts. Banking, email, social media, government portals. The less important stuff I updated over the following week whenever I happened to log into something.
That one hour is probably the single best investment I've made in my own security. Ever. Because here's what most people don't think about: when your email and password leak from some random shopping site, the attackers don't just try that combination on the shopping site. They try it everywhere. Gmail, Instagram, your bank's net banking portal, Paytm, Amazon. It's called credential stuffing, and it's automated. Bots can try your leaked email-password combo across hundreds of services within minutes of a breach going public. If you used the same password on your throwaway shopping account and your SBI net banking, you've basically handed over both.
Two-factor authentication on everything that matters. 2FA. You've heard about it. Maybe you've turned it on for your bank because they forced you to. But your email? Your Instagram? Your Amazon account? Most people skip it on those. Don't. If an attacker gets into your email, they can reset passwords for practically every other account you own. Your email is the skeleton key. Protect it with 2FA — an authenticator app like Google Authenticator or Authy is better than SMS-based OTP, since SMS can be intercepted through SIM swap attacks. But even SMS-based 2FA is a thousand times better than nothing.
Bank and UPI monitoring. After discovering I was in multiple breaches, I went through three months of bank statements line by line. Nothing suspicious, thankfully. But I also turned on SMS alerts for every transaction, which I'd somehow never done on one of my accounts. If your bank offers real-time push notifications through their app, turn those on too. The faster you spot an unauthorized transaction, the better your chances of getting the money back through the RBI's fraud liability framework. Wait more than three days to report, and the bank's liability to you drops significantly.
Watch for phishing — because it will come. Here's something people don't connect: after a breach, the phishing attempts spike. Because the attackers now have context. They know your name, your email, which services you use, maybe your phone number and address. So instead of a generic "Dear Customer" email, you get one that says your name, references a real company you actually have an account with, and looks scarily legitimate. I got a convincing-looking "security alert" from what appeared to be my telecom provider about two weeks after the breach went public. Same branding, same fonts, a link to "verify your account." The URL was one letter off from the real domain. If I hadn't been on high alert, I might've clicked it.
Credit monitoring and potential freeze. If your PAN or financial data was part of the breach, pulling your CIBIL report isn't optional — it's urgent. You get one free report per year from cibil.com. Check for inquiries you don't recognize, accounts you didn't open, and any changes to your personal details. If you spot something, dispute it immediately through CIBIL's portal. And consider placing a credit alert — you can request CIBIL to notify you whenever someone pulls your credit report. It won't stop a determined fraudster, but it gives you a heads-up before damage gets done. In extreme cases, you can request a freeze that prevents new credit inquiries entirely, though the process in India isn't as straightforward as it is in the US. You'd need to contact CIBIL, Experian India, and Equifax India separately.
The Stuff I Wish I'd Done Before Any of This Happened
Hindsight's great, obviously. But there are things I could've done — and that you can still do — that would've made the breach fallout a lot less painful.
Password manager from day one. I already mentioned Bitwarden, but the specific tool doesn't matter as much as the habit. Bitwarden, 1Password, KeePass — pick one. The point is that every account gets its own unique, randomly generated password that you never have to remember. If one site gets breached, the blast radius is exactly one account. Nothing chains together. I genuinely think password managers are the most impactful security tool that regular people aren't using. It's probably under 10% adoption in India, if I had to guess.
Alias emails for untrusted signups. This one changed how I operate online. Services like SimpleLogin and Firefox Relay let you create throwaway email aliases that forward to your real inbox. So when some random e-commerce site wants your email to create an account, you give them burner47@youralias.com instead of your actual Gmail. If that alias starts getting spam, or shows up in a breach, you kill it. Your real email stays clean. I wish I'd been doing this five years ago — my primary Gmail wouldn't be in seven breach databases if I had.
Regular app permission audits. This might seem unrelated to breach checking, but it's connected. Go to myaccount.google.com and click "Third-party apps with account access." You'll see every app and service you've ever signed into with your Google account. I found seventeen apps I no longer use that still had access to my Google data. Some of them were apps from companies that had been breached. Revoked all of them. Do the same for your Apple ID and Facebook login if you use those for sign-ins. Takes maybe ten minutes and closes a bunch of doors you forgot were open.
Stop handing over PAN and Aadhaar to every site that asks. I know this sounds obvious. But the reality is that Indian users are constantly asked for sensitive identity documents on websites whose security practices are a complete mystery. That "instant KYC" on a lending app, the "verification" on a new fintech platform, the "identity proof" for a gym membership — every one of those is a copy of your PAN or Aadhaar sitting in someone else's database. Before you hand over those documents, ask yourself: do I trust this company to protect them? If the answer isn't a confident yes, don't do it. Use DigiLocker verification where accepted. Use masked Aadhaar downloads. And for PAN, ask if they'll accept a declaration instead of a photocopy.
Making This a Habit, Not a One-Time Panic
After my November scare, I set up a simple routine. First of every month, I spend about fifteen minutes on breach hygiene. Check HIBP for new breaches. Glance at Firefox Monitor alerts. Run Google's security checkup. Pull up my bank statements. Check my Aadhaar authentication history on the UIDAI portal while I'm at it.
Sounds like a lot when I list it out. In practice, it's faster than scrolling through Instagram reels for fifteen minutes. Which I also do, so clearly time isn't really the issue.
The thing that changed my mindset was realizing that breaches aren't if — they're when. Indian companies are getting breached constantly. Some announce it. Many don't. Your data is probably already out there in at least one dump, statistically speaking. The question isn't whether you've been exposed. It's whether you know about it, and whether you've done anything to limit the fallout.
I started this post talking about how I ignored the "check your data" advice for three years and paid for it with a fraudulent loan inquiry, two weeks of cleanup, and a lot of stress I didn't need. The tools to catch that breach existed the entire time. They were free. They took five minutes. I just couldn't be bothered.
Don't be me from 2023. Be me from now — the slightly paranoid version who checks once a month and hasn't had a surprise on his credit report since. It's a much better version. Less interesting stories, maybe. But I'll take boring and secure over interesting and compromised any day of the week.
Written by Vikram Singh, Cybersecurity Consultant
Vikram Singh is a certified ethical hacker and cybersecurity consultant who has helped secure systems for major Indian banks and government agencies. He writes about practical security measures for everyday Indian internet users.