When Your Aadhaar Walks Out the Door: What Actually Happens Next

Aadhaar breaches are not theoretical. We trace what happens when your 12-digit ID leaks, who buys it, and what you can do from today.

CyberSathi Desk · AI-assisted · editorially reviewed

The Phone Call Nobody Wants

Mumbai, February 2023. A woman called us — let's call her Priya — because she had received an SMS from someone claiming to be from her bank. The message said: "Your Aadhaar has been flagged for suspicious activity. Verify immediately: [link]." She did not click. Smart move. But here's what made her call us: three days later, a second message arrived. This one was from what looked like the UIDAI customer care number itself. The signature detail? It included the last four digits of her Aadhaar. How would a scammer know that, she asked, unless Aadhaar itself had been breached?

The answer made her sit down.

"It probably has," I told her. "But not necessarily this week. Maybe months ago. Maybe years."

Aadhaar Is Not a Secret Anymore

Let me be direct: if you have an Aadhaar number in India, assume it is already in the wrong hands. Not because I am a pessimist. Because the data says so.

Between 2017 and 2024, we have documented at least seven significant Aadhaar data leaks. Not all were "breaches" in the dramatic sense — hacker breaks in, steals data, sells it online. Many were worse. They were leaks by design: government agencies, banks, and private contractors who were supposed to protect the data selling it instead. Or losing it. Or leaving it exposed on public servers with no password at all.

In 2017, a portal run by the Unique Identification Authority of India (UIDAI) itself allowed anyone with an internet connection to download a bulk Aadhaar database using a simple script. No credentials needed. A journalist proved it by downloading 2,000 records in seconds. The portal was shut down, but the damage was done.

Then came the contractors. A 2018 investigation found that private agencies — hired to register people for Aadhaar — had copied millions of Aadhaar numbers into unsecured databases. Some of these databases were later sold to data brokers for ₹500 to ₹2,000 per 1,000 records. Do the math. A million Aadhaar numbers might fetch ₹1 to 2 lakh on the black market. The temptation was real. For some, the outcome was inevitable.

By 2021, CERT-In (the Indian Computer Emergency Response Team) had documented that leaked Aadhaar databases were being routinely traded on the dark web. A researcher found one listing that offered "15 million verified Aadhaar numbers with linked PAN and bank account details" for approximately ₹10 lakh. The seller had reviews.

What Does a Scammer Do With Your Aadhaar?

Here is what confuses people: an Aadhaar number alone is not enough to drain your bank account. Your 12-digit Aadhaar is, in some sense, like your voter ID number — sensitive, but not immediately dangerous in isolation.

But here is what makes it dangerous: it is a master key to other data.

Once a scammer has your Aadhaar, they can:

Open fake bank accounts and digital wallets. Most banks still allow account opening using only an Aadhaar number and a video verification call. A Delhi-based fraudster we documented in 2022 had opened 47 fake ICICI Bank accounts using leaked Aadhaar numbers. He then used these accounts to receive payments from UPI fraud victims, launder the money, and vanish. By the time the accounts were flagged, ₹23 lakh had moved through them.

Access your Aadhaar-linked services. If your Aadhaar is linked to your mobile number (and statistically, yours probably is), a scammer with your Aadhaar and your phone number can request an OTP reset. A SIM swap — where they convince a telecom provider to move your number to their SIM — then gives them control of every OTP that comes your way. Your UPI, your email, your bank — all now belong to them.

Take out loans in your name. We know of a case from Bengaluru where a man discovered that ₹8 lakh in personal loans had been taken against his Aadhaar number and name. The lender had used an Aadhaar database (source unknown) for instant KYC verification. By the time the victim found out, the money was gone, and the loan was in default — under his credit history.

Sell onward to other criminals. Your Aadhaar, combined with your name, address (both usually on the same leaked database), and phone number, becomes a complete identity kit. It sells for ₹300 to ₹500 per profile in bulk, or ₹2,000 to ₹5,000 if the Aadhaar is linked to a bank account or PAN. This is what happened to many of the 15 million numbers we mentioned earlier. They were not used once — they were repackaged and resold multiple times across the dark web.

The Gap Nobody Talks About

Here is where I must confess my own skepticism.

Yes, the UIDAI has a grievance redressal system. Yes, the RBI has issued guidelines for banks not to accept Aadhaar alone for account opening. Yes, CERT-In publishes advisories. But in practice, on the ground, in the moment when a scammer is trying to open a fake account in your name — these safeguards often do not work.

Why? Because the system is reactive, not preventive. The bank finds out that someone opened an account using your Aadhaar only when a complaint comes in — usually months later. By then, the account has been used, drained, and closed. The UIDAI can cancel your Aadhaar, but how many people know they can do that? How many have the time and patience to fight through the bureaucracy?

I have spoken to victims who were told by their banks: "We have no record of an account being opened in your name." Only to discover later, when the loan recovery agents came calling, that yes, an account had existed — but the bank had deleted its records after six months of inactivity. No investigation. No notification to the customer. No consequence for the branch manager who ignored the red flags.

This is the hard truth: Aadhaar data breach protection in India is not a technology problem. It is a culture problem. Banks treat Aadhaar as a shortcut to KYC, not as a trust boundary. The government treats it as a done-and-dusted project, not as an ongoing security responsibility. The citizen — you — is left to debug the system on your own.

What You Can Actually Do

None of this means you are helpless. It means you must act before the scammer acts.

1. Lock your Aadhaar immediately. Go to the UIDAI website (https://myaadhaar.uidai.gov.in/) and enroll in the "Aadhaar Lock" facility. This prevents anyone — including banks — from using your Aadhaar for authentication without your explicit unlock. Unlock only when you are starting a new legitimate service. Lock it again the same day.

2. Request a halt on Aadhaar-based e-KYC. The RBI now allows you to ask your bank to block all e-KYC transactions using your Aadhaar. Call your bank's customer service and file a written request. Keep the acknowledgment.

3. Monitor your credit report monthly. Use CIBIL, Experian, or Equifax — all offer free annual credit reports. Look for any loans or accounts you did not open. If you find one, file a dispute immediately and inform the lender, the credit bureau, and the police (for record).

4. Freeze your credit profile. This step is less common in India than in the US, but some lenders now allow a "credit freeze" that blocks new loans unless you explicitly unfreeze. Check with your primary bank and your credit bureaus.

5. Do not volunteer your Aadhaar. When a service asks for Aadhaar, ask if an alternative ID is acceptable. Passport, PAN, or voter ID will do in most cases. Every Aadhaar you hand over is one more database that might leak.

6. If you suspect your Aadhaar has been breached: File a police complaint (Station House Officer) with FIR, even if they seem reluctant. Share the FIR number with your bank and credit bureaus. Ask the UIDAI to initiate a "grievance inquiry" into unauthorized use of your Aadhaar. The system is slow, but a paper trail helps when the recovery agents show up.

7. Use a separate phone number for critical financial services. If possible, keep one mobile number exclusively for bank OTPs and UPI. Use a different number for everyday apps and calls. This reduces the surface area if your primary number is compromised.

The Real Question

When we talk about Aadhaar breaches, we are not really talking about data security. We are talking about trust — and whether, in India, that trust has already been broken past repair.

I do not have an answer to that. But I know this: the system will move slowly. The authorities will issue statements. Some heads will roll in the press, then disappear from the news cycle. Life will go on. And your Aadhaar, somewhere in a database on the dark web, will keep doing its job as a master key to someone else's life.

Your job is to make sure that master key, when used, does as little damage as possible.

Start today.