A warning from Madhya Pradesh’s cyber police about a massive leak of email IDs and passwords has exposed not just the scale of India’s digital vulnerability, but also the fragile assumptions underlying everyday online security for millions of users.
A Leak Measured in Crores
When the Madhya Pradesh State Cyber Police issued its advisory, the number itself was arresting: nearly 68 crore email IDs and passwords allegedly exposed across India. Officials said the compromised data could allow cybercriminals to break into social media profiles, internet banking accounts, digital wallets and a range of everyday applications that form the backbone of daily digital life.
The advisory, circulated publicly on Sunday, did not point to a single breach or company. Instead, it reflected what cyber investigators describe as an aggregation of leaked credentials—data harvested over time from multiple breaches, phishing campaigns and malware infections, now circulating or being traded in criminal forums. The cumulative effect, officials warned, is an ecosystem in which reused passwords and outdated security practices turn isolated leaks into systemic risk.
How Stolen Credentials Become Real-World Fraud
According to investigators, compromised email accounts are often the first domino to fall. Once attackers gain access to an inbox, they can reset passwords on linked services—banking, shopping, government portals—without ever triggering an obvious alarm for the user.
Police officials noted a rise in cases where funds were withdrawn or accounts accessed without OTP verification, suggesting that fraudsters are exploiting backend weaknesses, session hijacking, or prior access to email and devices. Job frauds, parcel delivery scams and mobile hacking incidents frequently trace back to such compromised credentials, they said.
Senior citizens have been particularly vulnerable. Cybercriminals increasingly blend technical access with social engineering—posing as loan agents, investment advisers or customer support executives—to extract further information or push victims into authorising transactions they do not fully understand.
A Proactive Alert, Not a Post-Mortem
Pranay Nagwanshi, Superintendent of Police with the Madhya Pradesh State Cyber Cell, described the advisory as preventive rather than reactive.
“This is not about one incident,” he said, according to officials familiar with the briefing.“It is about patterns we are seeing repeatedly old passwords, same credentials across platforms, and delayed response after compromise.”
The cyber police urged users to immediately change passwords, enable two-factor authentication wherever possible, and avoid logging into unknown apps or websites. They also directed users to independently verify whether their email IDs have appeared in known data breaches using publicly available tools that track leaked credentials.
For those already affected, the department shared direct contact points, encouraging quick reporting to limit damage. Investigators stressed that speed—often within the first few hours—can determine whether stolen data leads to inconvenience or financial loss
The Shifting Playbook of Cybercrime
Behind the advisory lies a broader shift in cybercrime tactics. Fraudsters are no longer relying solely on crude phishing emails or lottery scams. Instead, they are combining leaked databases with targeted messaging—fake links, gift offers, document update alerts and online trading pitches promising high returns.
Digital loan app scams and investment frauds, officials said, now frequently begin with data sourced from older breaches. What appears to be a random call or message is often backed by detailed personal information, lending credibility to the deception.
