What This Data Leak Means for Nepalese Users
If you have been following the local tech news, you likely saw the headlines late last year regarding the Nepal Police data breach and the string of leaks hitting various government and private sectors in 2025.
For many of us in Nepal, “data breach” sounds like a buzzword that only affects big companies or banks. You might think, “So what if my data is out there? I don’t have crores in my bank account.”
The Anatomy of a “Verified” Scam
The recent breaches didn’t just leak random codes. They exposed full names, citizenship numbers, mobile numbers, and physical addresses. This allows attackers to perform highly sophisticated spear-phishing attacks.
The Three Big Risks for You
Here is what cybercriminals can actually do with this data in the context of Nepal:
| Leaked Data Point | The Risk | The Impact |
|---|---|---|
| Mobile Number | SIM Swapping | Attacker gets a duplicate SIM to bypass your OTP security for eSewa/Khalti. |
| Citizenship Details | Identity Theft | Used to verify bogus accounts, take out digital loans, or register illegal services in your name. |
| Full Name & Address | Social Engineering | Scammers call pretending to be authority figures (Bank/Police) to panic you into revealing passwords. |
Cybersamir’s Action Plan
We cannot “un-leak” the data. But we can make the stolen data useless. Here are the immediate steps you must take.
- Enable App-Based 2FA: Stop relying on SMS. Switch to Google Authenticator or Authy.
- Change Banking PINs: If you haven’t changed your mobile banking MPIN in 6 months, do it today.
- Be Skeptical: Treat every “urgent” call with suspicion.
How to Secure Your Accounts
SMS OTPs are vulnerable if your SIM card is cloned or swapped (a common attack using leaked citizenship data). App-based authenticators generate the code locally on your device.
Even if a hacker steals your phone number, they cannot get the code generated inside your specific phone’s Google Authenticator app.
Use a password manager like Bitwarden. If you reuse the same password for Facebook and your mobile banking, and one leaks, they all fall.
A password manager creates unique, complex passwords for every site, so a leak at one site doesn’t compromise your whole identity.
The Bottom Line
The data leaks of 2025/26 are a wake-up call. In Nepal, we are digitizing faster than we are securing. Your personal information is now a commodity on the dark web. You don’t need to be paranoid, but you must be prepared.
For a deeper dive, I recommend watching “Cyber Security in Nepal: Reality Check” featuring Prabhat Pokharel on YouTube.