Aadhaar Data Breach: Is Your Personal Information Already Being Sold on the Dark Web?

India ranked 5th globally in breached accounts in 2024. Your Aadhaar number, name, phone, and biometric data may already be circulating on dark web marketplaces.

A cybersecurity researcher makes a disturbing discovery: a database containing the names, Aadhaar numbers, phone numbers, and addresses of over 81 crore Indian patients is being sold on a dark web forum for under $80,000. This is not a hypothetical. It happened in October 2023, in what became one of the largest data breaches in Indian history.

India ranked 5th globally in breached accounts in 2024. If you are an Indian citizen with an Aadhaar card, there is a real possibility that some version of your personal data is already available to scammers. The question is not whether your data is valuable to criminals. It is what you can do about it right now.

Why Aadhaar Data Is So Valuable to Scammers

Aadhaar is not just a number. It is the master key to your financial and legal identity in India. Linked to your bank accounts, mobile number, PAN card, insurance policies, government benefits, and tax records, a single Aadhaar number unlocks an entire ecosystem of personal data.

On dark web marketplaces, a verified Indian identity package — name, Aadhaar, PAN, phone, date of birth, and address — sells for as little as ₹500 to ₹2,000. At that price, criminal networks can purchase thousands of identities to run loan fraud, SIM swap attacks, phishing campaigns, and digital arrest scams at industrial scale.

What makes Aadhaar data particularly dangerous is its permanence. Unlike a credit card number, you cannot change your Aadhaar number. Once it is out, it is out. The only protection is controlling what that number can unlock.

What Data Is Being Sold From Indian Breaches

Indian data breaches in the past three years have exposed a combination of records that, when combined, give criminals everything they need to impersonate you:

• Name, Aadhaar number, date of birth, address. Stolen from government databases, telecom providers, insurance companies, and hospital records.
• Mobile number linked to Aadhaar. Enables SIM swap attacks, OTP interception, and UPI fraud.
• PAN card number. Combined with Aadhaar, this enables fraudulent loan applications and financial account takeovers.
• Email address and passwords from previous breaches. Used for credential stuffing attacks against banking portals.
• CIBIL score and credit history. Scammers use this to target individuals with high credit scores for premium loan fraud schemes.

The 2023 ICMR breach alone exposed data from 81.5 crore Indian patients. The CoWIN vaccine registry was reported compromised in the same year, with Aadhaar and passport details appearing on Telegram channels. These are not isolated incidents — they represent a systemic availability of Indian identity data.

How Scammers Use Your Leaked Aadhaar Data Against You

Four ways leaked Aadhaar data is weaponized against Indian citizens: digital arrest, phishing, loan fraud, and SIM swap.

Digital Arrest Scams

Scammers call victims and recite their real Aadhaar number, home address, and PAN card details to establish false credibility. "We have your records. You are under investigation." The victim, shocked that the caller knows their real details, believes the call is legitimate. This is exactly how the digital arrest scam works. Your breached data is what makes it convincing.

Targeted Phishing

Unlike generic phishing emails, targeted attacks using your real personal information are far more convincing. A message that addresses you by name, references your correct Aadhaar's last four digits, and mentions your bank by name is significantly more likely to succeed than a generic scam. This is also how KYC update scams are personalized.

Loan Fraud in Your Name

Using your Aadhaar and PAN combination, fraudsters can apply for personal loans through digital lending platforms that rely on Aadhaar-based e-KYC. The loan is disbursed to an account they control. You discover the debt only when a recovery agent calls or your CIBIL score drops.

SIM Swap Attacks

Your mobile number is linked to your Aadhaar. With sufficient identity data, criminals can approach a telecom store, impersonate you, and get your number ported to a new SIM. Once they control your number, every OTP you receive — banking, UPI, email — routes to them instead.

How to Check If Your Data Has Been Breached

There is no single official government tool that tells you if your specific Aadhaar number has appeared in a breach. However, these four steps give you the most complete picture available:

1. Check your email address at haveibeenpwned.com. This free tool maintained by cybersecurity researcher Troy Hunt checks your email against hundreds of known data breaches. If your email appears in a breach that also contained phone numbers and addresses, your linked Aadhaar data may be compromised too.
2. Check Aadhaar Authentication History at myaadhaar.uidai.gov.in. Log in and navigate to Authentication History. Every entity that has authenticated against your Aadhaar appears here with a date and timestamp. Unknown entries mean your Aadhaar is being used without your knowledge.
3. Pull your CIBIL credit report at cibil.com. Check for loan inquiries or new accounts you did not open. A sudden hard inquiry from an unfamiliar lender is a strong signal of fraud using your identity.
4. Check your Aadhaar-linked mobile number is still active and under your control. If your SIM stops receiving calls, contact your telecom provider immediately — this may indicate a SIM swap in progress.

How to Lock and Protect Your Aadhaar — Do This Today

UIDAI provides four free protection tools at myaadhaar.uidai.gov.in. Using all four significantly reduces what a scammer can do even if they have your Aadhaar number.

Step 1: Lock Your Aadhaar Biometrics

Save this image. Share it with your family today.

Biometric locking prevents any entity from using your fingerprints or iris scan to authenticate your Aadhaar. Even if someone physically possesses your Aadhaar card, they cannot use biometric authentication while the lock is active.

To lock biometrics:

1. Go to myaadhaar.uidai.gov.in
2. Log in with your Aadhaar number and OTP
3. Select "Lock/Unlock Biometrics"
4. Authenticate with OTP and confirm LOCK

You can unlock biometrics anytime the same way when legitimate biometric authentication is needed. This takes under two minutes and is the single most important step you can take right now.

Step 2: Use Masked Aadhaar for Private Companies

Never hand your physical Aadhaar card to a private company. Download a Masked Aadhaar from myaadhaar.uidai.gov.in. This version shows only the last four digits of your Aadhaar number, replacing the first eight with asterisks. It is legally valid for most private sector submissions and does not expose your full 12-digit number.

Step 3: Generate and Use a Virtual ID

A Virtual ID (VID) is a 16-digit temporary number that substitutes for your real Aadhaar number in authentication transactions. When an entity authenticates using your VID, your actual Aadhaar number is never transmitted to them. Generate a VID at myaadhaar.uidai.gov.in and use it in place of your real Aadhaar for submissions wherever accepted.

Step 4: Monitor Your Authentication History

All 4 protections are free at myaadhaar.uidai.gov.in

Log in to myaadhaar.uidai.gov.in monthly and review your Authentication History. You will see every organization that authenticated against your Aadhaar, the date, and the type of authentication used. If you see an entry you do not recognize, call 1947 immediately to report unauthorized use.

If You Believe Your Aadhaar Is Being Misused Right Now

1. Lock biometrics at myaadhaar.uidai.gov.in immediately. This is the fastest action available and takes under two minutes.
2. Call UIDAI helpline 1947. Report the suspected misuse. UIDAI can investigate authentication history and flag your account for monitoring.
3. File a complaint at cybercrime.gov.in. Identity theft is a cognizable offence under the IT Act. A formal complaint creates the legal record needed for bank disputes and loan reversals.
4. File an FIR at your local police station. Bring the cybercrime complaint reference number and any evidence of unauthorized activity. An FIR is essential for disputing fraudulent loans.
5. Notify your bank. Ask them to flag your account for unusual activity and to require additional verification for any high-value transaction. Also change your net banking password and UPI PIN immediately.
6. Contact credit bureaus. Inform CIBIL, Equifax, Experian, and CRIF High Mark of the identity theft. Request a fraud alert on your credit file to prevent new loan approvals without additional verification.

Frequently Asked Questions

How do I lock my Aadhaar biometrics in India?

Go to myaadhaar.uidai.gov.in, log in with your Aadhaar and OTP, select "Lock/Unlock Biometrics," and confirm the lock. Once locked, no one can use your fingerprints for Aadhaar authentication even with your physical card in hand. You can unlock biometrics anytime the same way when needed.

What is Aadhaar Virtual ID and how does it protect me?

A Virtual ID is a 16-digit temporary number generated at myaadhaar.uidai.gov.in that substitutes for your real 12-digit Aadhaar number during authentication. When an entity authenticates using your VID, your actual Aadhaar number is never transmitted to them. You can change your VID periodically for additional protection.

How do I check if my Aadhaar has been misused in India?

Go to myaadhaar.uidai.gov.in and check Authentication History. Every Aadhaar authentication by any entity appears there with a date and timestamp. Also check your CIBIL report for unauthorized loan inquiries, and check your email for known breaches at haveibeenpwned.com.

What should I do if my Aadhaar data has been stolen or misused?

Lock biometrics immediately at myaadhaar.uidai.gov.in, call UIDAI helpline 1947, file at cybercrime.gov.in for identity theft, file an FIR at your local police station, and notify your bank to flag unusual activity. Check our complete scam recovery guide for the full step-by-step process.

Is it safe to share my Aadhaar number with private companies?

Always use Masked Aadhaar (only last 4 digits visible) or a Virtual ID for private company submissions. Never share your physical card without covering the first 8 digits. Download Masked Aadhaar from myaadhaar.uidai.gov.in. You are not legally required to provide your full Aadhaar number to private entities.

Final Thoughts

The Aadhaar data breach situation in India is serious, but it is not hopeless. Unlike countries where victims have no recourse after a data breach, UIDAI has built real protective tools that reduce your exposure even after your data has leaked. Biometric locking and Virtual IDs are genuinely effective at limiting what a criminal can do with your Aadhaar number.

The danger is inaction. Most Indians do not know these tools exist, and most scammers depend on that ignorance. The four steps in this article — lock biometrics, use Masked Aadhaar, generate a Virtual ID, and monitor Authentication History — take under twenty minutes total and cost nothing.

Share this article with your parents and family members who may be less familiar with these protections. In a country where 81.5 crore health records were exposed in a single breach, protecting your own identity starts with understanding what tools you already have access to.