India’s data protection landscape has come under renewed scrutiny after a new website, LeakData (leakdata,org), began publishing sensitive personal information of Indian citizens in early December. The platform exposes mobile numbers, email addresses, alternate contact details, residential information, and even Aadhaar-linked data for unrestricted public access. The incident comes shortly after the Proxy Earth leak, signalling an accelerating wave of illicit data aggregation platforms exploiting public datasets and past breaches.
Authorities responded swiftly. India’s national cybersecurity agency CERT-In, along with the Ministry of Home Affairs’ cybercrime division, has opened a formal investigation into the site’s origins, operators, and data sources. Initial assessments suggest that the site may not be the result of a single, large-scale breach but an aggregation of leaked and publicly available datasets stitched together — a trend that significantly complicates enforcement and mitigation.
A Platform Built for Mass Lookups — and Growing Fast
LeakData.org went live in December 2025, accompanied by a Telegram group created on December 8 which has already gathered around 300 members. The site allows anyone to query personal information of up to 12 individuals at a time using only a mobile number or email ID. A complementary mobile app also provides direct access to the same dataset, expanding the platform’s reach and ease of misuse.
Although the database does not contain every number tested by users, the volume and sensitivity of the information already available have raised serious concerns across the cybersecurity and privacy community.
A Dubious Attempt at Legitimacy: “Hide My Data” Feature
In an attempt to project itself as a responsible platform, LeakData has introduced a new “Hide My Data” feature — allowing users to request immediate removal of their information from search results. The platform claims that:
No identity verification is required
The request is executed instantly, adding the record to a “Do Not Display” registry
The registry is stored in an encrypted backend
However, this feature does little to address the core issue: the unauthorized publication and aggregation of personal data. Cybersecurity experts note that such features often act as a smokescreen to reduce regulatory pressure while retaining the underlying datasets.
Regulators Face an Evolving Threat Model
The emergence of LeakData.org illustrates a growing challenge for Indian regulators — the shift from direct data breaches to large-scale data aggregation networks. These platforms scrape, compile, and cross-reference leaked datasets to construct massive identity maps that can be monetized or exploited.
Despite India’s Digital Personal Data Protection (DPDP) Act coming into force, enforcement gaps remain. Blocking such platforms addresses symptoms rather than root causes, as new sites often reappear with mirrored data on alternative domains or apps.
Cybersecurity analysts argue that India must now:
Target data brokerage networks instead of isolated domains
Strengthen oversight on entities handling citizen data
Impose higher penalties for negligent data custodians
Invest in early detection and intelligence on breach dump circulation
Until systemic improvements are made, the risk of recurring public data leaks will persist.
A Call for Stronger Data Governance and Citizen Awareness
The LeakData.org incident reinforces the urgent need for improved cybersecurity hygiene across organizations, tighter compliance under DPDP, and increased public awareness around identity protection. As long as fragmented datasets continue to circulate in underground markets and unsecured repositories, platforms like LeakData.org will continue to surface.
The incident marks yet another reminder that in a digital economy, privacy violations don’t always come from direct attacks — often, they stem from years of unaddressed vulnerabilities and weak data governance practices.
