An archive containing roughly 10.6 million Yatra customer records is circulating in dark-web channels. Yatra is one of India's larger online travel-booking platforms, and the leak comprises 109 numbered CSV files of indexed user data.
The records include numeric user ID, email address, salutation, first and last name, full Indian-format mailing address (street, city, state, country, PIN code), and both primary and secondary phone numbers. The data is unambiguously Indian: addresses are formatted to the Indian postal scheme, phone numbers carry Indian country codes, and the email mix leans heavily on rediffmail, yahoo.co.in, and other domestic providers. One row in the file contains the Yatra office address in Gurgaon, which suggests the export originated from inside the company's own systems.
Why a contact-only leak still hurts
There are no passwords here, no payment data, and no booking history. That sounds limited until you consider what a list of confirmed travelers with verified phone numbers and physical addresses is worth to a phone-scam operation. Indian fraud teams have spent the last decade industrializing pretext calls that purport to be from a bank, a courier, or an airline. A clean, segmented contact list of people who actually book travel makes that operation more efficient by eliminating cold leads.
For users in the file, the immediate risk is unsolicited contact. Treat any inbound call about a refund, cancellation, fare upgrade, or KYC update with extreme suspicion, particularly when the caller already knows your name and address.