Upstox, one of India's largest online retail brokerage platforms, suffered a data breach in April 2021. Information from the breach circulated on data-trading forums and was indexed by Have I Been Pwned in early 2022. The threat actor responsible has been associated with the ShinyHunters cybercrime collective, which has been linked to a long series of data-theft and extortion campaigns against companies in India and elsewhere.\n\nThe exposed dataset covered approximately 111,000 customer records. Compromised fields formed an unusually deep know-your-customer profile, including names, dates of birth, gender, marital status, nationality, occupation, income levels, family member names, government-issued identification documents, bank account numbers, physical addresses, phone numbers, email addresses, and passwords stored as bcrypt hashes. The dataset also reportedly contained scanned identity documents, bank statements, and cancelled cheques associated with the platform's KYC onboarding process. Bcrypt is a strong password-hashing algorithm, which limits the immediate risk of password recovery, but the surrounding identity, financial, and family data is not similarly protected.\n\nFor affected individuals, the practical risk is severe and durable. The combination of Aadhaar or PAN identifiers with bank account numbers, family member names, and address creates a strong foundation for synthetic identity fraud, fraudulent loan applications, and impersonation at both Indian financial institutions and government services. Family member names create additional risk of family-emergency scams. Income and occupation fields support targeted financial-product fraud. Affected Upstox customers should treat their KYC data as durably exposed, monitor bank and broker accounts closely, and remain alert to unsolicited contact referencing past trading activity, family members, or Aadhaar-related verification.

Brokerage platforms collect customer identity, account details, bank-linkage records, trading activity, balances, device metadata, and compliance documentation across investment workflows.

Upstox has continued to grow rapidly in the Indian retail-investing market in the years since the 2021 incident, supported by the broader expansion of digital trading platforms among Indian retail investors. The company stated at the time that it had reset customer passwords and secured affected systems. Indian regulatory frameworks have since matured significantly, with the Digital Personal Data Protection Act of 2023 providing stronger consumer protections than were in force at the time of the breach. There has been no public reporting of further large-scale data breaches at Upstox since 2021. ShinyHunters, the threat actor associated with the original incident, has remained one of the most active data-extortion groups globally through 2025 and into 2026.