What a data-breach notification really means (and what to do)
So your inbox says your data was leaked. Here's how to tell whether to shrug or actually panic.
Two kinds of leaks
Not every leak is equal. Sort yours into one of these buckets.
Bucket A — Low-stakes: email + hashed password.
Bucket B — High-stakes: government ID (Aadhaar / PAN), address, phone, DOB, or cleartext password.
If you're in Bucket A
- Check reuse on haveibeenpwned.com.
- Change the password on the breached site and anywhere you reused it.
- Turn on MFA on that account.
- You're done. Move on.
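An added example, not part of the original article: one way to check whether a password has turned up in breach corpora without disclosing it, modelled on the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service. The network call is replaced by a constructed stand-in (`constructed_service`); every function name, sample password and count here is an assumption made for illustration.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query(password: str) -> tuple[str, str]:
    """Split the hash: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    results = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue
        results[suffix.upper()] = int(count)
    return results

def exposure_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus; 0 means not found."""
    prefix, suffix = range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def constructed_service(corpus: dict[str, int]):
    """Constructed stand-in for the remote service (assumption: it only ever
    sees the 5-char prefix and answers with every suffix sharing it)."""
    def fetch_range(prefix: str) -> str:
        lines = ["0" * 35 + ":3"]  # constructed decoy entry
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            if digest.startswith(prefix):
                lines.append(f"{digest[5:]}:{count}")
        return "\r\n".join(lines)
    return fetch_range

if __name__ == "__main__":
    # Constructed sample corpus and candidate passwords.
    fetch = constructed_service({"hunter2": 17, "letmein": 250})
    for candidate in ("hunter2", "a-long-unique-passphrase-42"):
        n = exposure_count(candidate, fetch)
        print(candidate, "-> change it everywhere" if n else "-> not found", n)
```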
If you're in Bucket B
This is identity-theft territory. Do all of the above, and:
- Lock your Aadhaar biometric at uidai.gov.in.
- Get a free credit report from CIBIL / Experian / Equifax; dispute anything you don't recognise.
- Set a fraud alert on your primary bank — ask them to flag any address / phone-number change requests.
- Consider a fresh SIM card if your number was in the dump (SIM-swap risk).
A note on "delete my data" requests
Under India's DPDP Act you have a right to request erasure. In practice the response time is measured in months, and data already leaked cannot be un-leaked. Treat it as a cleanup step, not a fix.

