Upstox 2021 Data Breach

ObscureIQ Breach Intelligence

Classification Tags

ShinyHunters · Misconfiguration · Financial · Bank Account Number · Date of Birth · Email Address · Family Member Names · Financial Profile · Gender · Government ID · High Severity · Website / service breach

Upstox Indian Brokerage Platform Breach (2021): Bank Account Numbers, Government ID, Income & Family Member Names Exposed

Indian online brokerage and investment platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 65/100
Data Value: 70
Market Recency: 10
Since Breach: 1559d

Breach Intelligence Summary

Entity: Upstox · Actor: ShinyHunters · Sources: 8 references
Attack: Misconfiguration
Profile: Financial institution · Investment and trading services · Brokerage platform · India
Timeline: Breach (2021-04-08) · Indexed (Jan 19, 2022) · Year (2021)
Exposure: 111K records · 13 fields: Bank Account Number, Date of Birth, Email Address, Family Member Names, Financial Profile, Gender, Government ID, Job Information, Nationality or Citizenship, Password, Phone Number, Physical Address, Relationship Status
Status: Confirmed

Executive Summary

Upstox, one of India's largest online retail brokerage platforms, suffered a data breach in April 2021. Information from the breach circulated on data-trading forums and was indexed by Have I Been Pwned in early 2022. The threat actor responsible has been associated with the ShinyHunters cybercrime collective, which has been linked to a long series of data-theft and extortion campaigns against companies in India and elsewhere.

The exposed dataset covered approximately 111,000 customer records. Compromised fields formed an unusually deep know-your-customer profile, including names, dates of birth, gender, marital status, nationality, occupation, income levels, family member names, government-issued identification documents, bank account numbers, physical addresses, phone numbers, email addresses, and passwords stored as bcrypt hashes. The dataset also reportedly contained scanned identity documents, bank statements, and cancelled cheques associated with the platform's KYC onboarding process. Bcrypt is a strong password-hashing algorithm, which limits the immediate risk of password recovery, but the surrounding identity, financial, and family data is not similarly protected.

For affected individuals, the practical risk is severe and durable. The combination of Aadhaar or PAN identifiers with bank account numbers, family member names, and address creates a strong foundation for synthetic identity fraud, fraudulent loan applications, and impersonation at both Indian financial institutions and government services. Family member names create additional risk of family-emergency scams. Income and occupation fields support targeted financial-product fraud. Affected Upstox customers should treat their KYC data as durably exposed, monitor bank and broker accounts closely, and remain alert to unsolicited contact referencing past trading activity, family members, or Aadhaar-related verification.

ObscureIQ assessment: Severe risk of account takeover, investment fraud, phishing, and identity theft. Trading and holdings context can also help attackers prioritize high-value targets.

Breach Impact

The 2021 breach drew sharp public scrutiny in India and contributed to wider regulatory momentum on consumer data protection in the financial services sector. Upstox publicly acknowledged the incident, reset customer passwords, and engaged external incident-response specialists. The company stated that it had also notified Indian authorities. Public reporting did not surface specific regulatory penalties or settlement outcomes tied to the breach, in part because India's modern data-protection law was not yet in force. The reputational damage was meaningful given the platform's rapid customer-acquisition strategy and competitive positioning, and the breach has continued to be cited in coverage of Indian fintech security as a reference incident.

About Upstox

Upstox is one of India's largest online retail brokerage platforms, operated by RKSV Securities India Pvt. Ltd. Headquartered in Mumbai and backed by investors including Tiger Global, Ratan Tata, and Kalaari Capital, the platform offers commission-free equity trading, mutual funds, futures and options, and digital onboarding for retail investors. Indian regulatory requirements mean the platform collects an unusually deep set of know-your-customer (KYC) records during account opening, including government-issued identity documents, bank account verifications, income proofs, and family-relationship declarations. The customer base is heavily concentrated in India and skews toward first-time and digitally native retail investors.

Why They Hold Your Data

Brokerage platforms collect customer identity, account details, bank-linkage records, trading activity, balances, device metadata, and compliance documentation across investment workflows.

Recent Developments

Upstox has continued to grow rapidly in the Indian retail-investing market in the years since the 2021 incident, supported by the broader expansion of digital trading platforms among Indian retail investors. The company stated at the time that it had reset customer passwords and secured affected systems. Indian regulatory frameworks have since matured significantly, with the Digital Personal Data Protection Act of 2023 providing stronger consumer protections than were in force at the time of the breach. There has been no public reporting of further large-scale data breaches at Upstox since 2021. ShinyHunters, the threat actor associated with the original incident, has remained one of the most active data-extortion groups globally through 2025 and into 2026.

Data Points Exposed

13 verified field types
  • Bank Account Number: Critical
  • Date of Birth: High
  • Email Address
  • Family Member Names: High
  • Financial Profile: High
  • Gender
  • Government ID: Critical
  • Job Information
  • Nationality or Citizenship: High
  • Password: Critical
  • Phone Number
  • Physical Address: High
  • Relationship Status

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Financial fraud using exposed financial profile data
  • Identity theft and synthetic identity construction using government-issued IDs
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Employment-based social engineering using job and employer data
Threat vectors:
  • ACH fraud & unauthorized transfers
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Family emergency scams & impersonation
  • Loan fraud & targeted financial scams
  • Profile enrichment
  • Identity fraud with official bodies
  • Occupation-specific phishing
  • Targeted visa & government scams
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Social engineering context
  • Romance & family emergency fraud

Threat Actor: ShinyHunters

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Protect Your ID Documents: Government-ID exposure enables document fraud — monitor and report misuse.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Upstox breach?

Upstox, one of India's largest online retail brokerage platforms, suffered a data breach in April 2021. Information from the breach circulated on data-trading forums and was indexed by Have I Been Pwned in early 2022. The threat actor responsible has been associated with the ShinyHunters cybercrime…

What data was exposed?

Verified fields include Bank Account Number, Date of Birth, Email Address, Family Member Names, Financial Profile, Gender, Government ID, Job Information, Nationality or Citizenship, Password, Phone Number, Physical Address, Relationship Status.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (Record & field corroboration)
  • Cross-source: 9ghz (Independent catalogue listing)
  • Cross-source: BreachForums_Official_Index (Independent catalogue listing)
  • Cross-source: Hashmob (Independent catalogue listing)
  • Cross-source: Keeper (Independent catalogue listing)
  • Cross-source: LeakCheck.io (Independent catalogue listing)
  • Cross-source: LeakCheck.net (Independent catalogue listing)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
