What Actually Happened to You

You opened your phone at 11 PM and the email from Google said it for you: "a new sign-in on a Windows device, Mumbai." You are sitting in Delhi. You don't own a Windows device. Your stomach drops. You try to log in. Wrong password. Your account is gone. By the time you finish reading the alert, three things have already happened — somebody changed your recovery email, somebody read your messages, and somebody is now you on the internet.

Or maybe it is gentler and uglier at the same time. A cousin who knew your old PIN logged into your UPI app and "borrowed" Rs 18,000. A boyfriend who once watched you type your Instagram password is now reading your DMs. A former employee still has the WhatsApp Web login from the office laptop and is forwarding your client chats. The form changes. The legal wrong is the same.

This article is for the person staring at that alert right now. It tells you what Indian law actually calls this, what you can do tonight, and what the next thirty days look like.

Is This Even a Crime in India?

Yes. Indian law treats the misuse of someone's password as a serious offence and has built specific provisions for it. The most direct one is Section 66C of the Information Technology Act, 2000 — the law against identity theft. The section reads:

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Read that one more time. The law does not require that the wrongdoer hacked anything technical. It does not require that they used some genius software. The mere "fraudulent or dishonest making use" of your password is enough. Cyber-law commentary makes the point sharply: when a person comes to know about another's password and then misuses it on a computer or phone, that conduct falls squarely inside Section 66C.

There is a second, parallel provision — Section 66 of the IT Act — the law against computer-related offences. It says that if any person, dishonestly or fraudulently, does any act referred to in Section 43, they are punishable with up to three years' jail or up to Rs 5 lakh fine. Section 43, in turn, lists ten kinds of unauthorised acts: getting into a computer without permission, downloading or copying data, damaging or disrupting it, and so on. So when someone uses your password to log into your account, they have done two things at once — they have misused a unique identification feature (Section 66C) and they have secured access without permission (Section 66 + Section 43(a)).

If the wrongdoer pretended to be you — for example, messaged your friends from your account to ask for money — there is also Section 66D — the law against cheating by personation using a computer or phone. The IPC equivalent is Section 419, but Section 66D is the technology-specific version, with up to three years' jail and Rs 1 lakh fine.

Add to this the broader principle from K.S. Puttaswamy v Union of India (2017), where a nine-judge Bench of the Supreme Court held that the right to privacy is a fundamental right under Article 21 of the Constitution. Informational privacy, the Court said, is part of that right. When somebody breaks into your account, they are not just breaking a software lock — they are trespassing on a constitutionally protected zone.

The Two Tracks: Police Case & Compensation

Most people think of "going to court" as one big thing. The IT Act splits it into two clean tracks, and you can use both in parallel.

Track A — the criminal track. This starts with a First Information Report (FIR) under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 — the new criminal procedure law. The police investigate, file a charge sheet under Section 193 BNSS, and the accused stands trial. The result is jail and/or fine, payable to the State. You are the victim and witness, not the recipient of money.

Track B — the compensation track. This is filed before the Adjudicating Officer under Section 46 of the IT Act — a special officer who decides cyber compensation claims. For claims up to Rs 5 crore, the Adjudicating Officer is the forum. The Officer can award damages directly to you, payable by the wrongdoer. Beyond Rs 5 crore the matter goes to a regular civil court. Crucially, the bar of Section 61 of the IT Act ousts the jurisdiction of regular civil courts in matters that the Adjudicating Officer can decide — so this is your forum, not the local civil judge.

The two tracks do not block each other. Cyber-law commentary explains it like this: Section 43 acts continue to be grounds for damages, and the same act done dishonestly or fraudulently additionally becomes a Section 66 offence. So the wrongdoer can face an FIR and a compensation claim arising out of the same login.

Save the Evidence First

Lawyers say "preserve the chain of custody". A real person should hear: screenshot before you reset. The login alert email, the OTP messages, the password-reset notifications, the new-device pop-ups — these are the bones of your case. Once the platform sends a "your account is now secure" message, the alerts often disappear from your inbox the next day.

Specifically, before you do anything else:

  1. Take phone screenshots of every alert message and notification — full screen, with the timestamp visible.
  2. Open the platform's login history or active sessions page (Gmail has it, Instagram has it, every banking app has it) and screenshot the device, IP location, and time of every suspicious login.
  3. Save the original email — for forensic value, the email headers matter, not just the body. On Gmail, "Show Original" reveals the full headers. Save that as a PDF.
  4. If money moved, do not delete the bank SMS. Note the transaction ID, beneficiary name, and time.
  5. Make a written timeline — date, time, what you saw, what you did. This becomes your FIR draft.

For trial, this evidence will be proved under Section 65B of the Indian Evidence Act, 1872 — the rule for electronic record admissibility (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023). A printout of an electronic record needs a Section 65B certificate identifying the device and confirming the contents are unchanged. Cyber-law commentary stresses how easily electronic information can be lost — every reboot of a computer subtly changes resident data — so capture early and capture often.
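One way to make the evidence folder from the steps above checkable later, given here as an added example that is not part of the original article: it records a SHA-256 hash, size and timestamp for every saved file, then re-checks the folder against that record. The `manifest.json` name, the file names and the sample contents are constructed assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed file name, chosen for this example


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large screen recordings do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder: Path) -> dict:
    """Record SHA-256, size and modification time for every evidence file."""
    entries = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            stat = path.stat()
            entries[path.relative_to(folder).as_posix()] = {
                "sha256": sha256_file(path),
                "bytes": stat.st_size,
                "modified_utc": datetime.fromtimestamp(
                    stat.st_mtime, timezone.utc).isoformat(),
            }
    manifest = {"created_utc": datetime.now(timezone.utc).isoformat(),
                "files": entries}
    (folder / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(folder: Path) -> dict:
    """Compare the folder with its manifest; list changed, missing, added files."""
    recorded = json.loads((folder / MANIFEST_NAME).read_text())["files"]
    current = {
        p.relative_to(folder).as_posix(): sha256_file(p)
        for p in folder.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    return {
        "changed": sorted(n for n in recorded
                          if n in current and current[n] != recorded[n]["sha256"]),
        "missing": sorted(n for n in recorded if n not in current),
        "added": sorted(n for n in current if n not in recorded),
    }


def demo() -> dict:
    """Constructed sample: three fake evidence files, then an edit, a loss, an addition."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "login_alert.eml").write_text("Received: from mail.example\n")
        (folder / "bank_sms.txt").write_text("Txn ID SAMPLE123 debited\n")
        (folder / "timeline.txt").write_text("23:02 alert seen\n")
        build_manifest(folder)
        (folder / "timeline.txt").write_text("23:02 alert seen (edited)\n")
        (folder / "bank_sms.txt").unlink()
        (folder / "notes.txt").write_text("added later\n")
        return verify_manifest(folder)


if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` once, right after capturing the files, and keep a copy of the manifest somewhere other than the evidence folder so that a later `verify_manifest` has an independent record to compare against.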

How to File an FIR for Password Misuse

You have three doors and they all open.

Door one — the National Cyber Crime Reporting Portal. Go to cybercrime.gov.in or call the helpline 1930. Upload the screenshots, describe what happened in plain language, and submit. The complaint is routed to the cyber cell of your state. This is the fastest first step, especially for financial fraud, because the helpline can freeze suspicious bank accounts before the money moves further.

Door two — your local police station. Walk in with your screenshots, a written complaint and ID. Insist on registration of an FIR under Section 66C of the IT Act. BNSS Section 173 introduced "zero FIR" — a station cannot refuse to register the FIR just because the offence happened in another district. An e-FIR option also now exists. If the duty officer hesitates, ask for the entry in the Daily Diary at minimum.

Door three — the Magistrate. If both above fail, BNSS gives you escalation rights. Section 173(4) BNSS lets you send the substance of the complaint in writing to the Superintendent of Police, who must order an investigation if the information discloses a cognizable offence. Section 175(3) BNSS lets you approach a Magistrate to direct the police to register and investigate. An order from the Magistrate in cyber matters is rarely refused, especially if your file is tight.

Adjudicating Officer orders from Maharashtra have repeatedly come down hard on stations that refused to register cyber-FIRs. In one published order, the Adjudicating Officer noted that police were "making the citizens run around, refusing to lodge FIRs (which is against various instructions of Hon'ble Supreme Court), and then simply not doing anything at all". So you are not alone in facing reluctance — but the law backs you, not the desk officer.

If You Lost Money: The Compensation Claim

This is where Section 43 of the IT Act earns its keep. The section grants statutory damages — the largest specific quantum of damages anywhere in Indian law — for ten different kinds of unauthorised acts. When someone uses your password and:

  • logs in (Section 43(a) — accessing without permission),
  • reads or downloads your messages or photos (Section 43(b) — copying or extracting data),
  • changes settings or deletes content (Section 43(d) — damaging data),
  • or simply locks you out (Section 43(e) — disrupting the resource),

they have given you grounds to claim damages by way of compensation. There is no requirement of proving "intention" or "knowledge" for the civil action — the unauthorised act itself is the wrong.

The forum is the Adjudicating Officer of your state under Section 46. For most states the IT Secretary holds this post. The procedure is summary, the Officer has the powers of a civil court, and an unpaid award can be recovered as arrears of land revenue under Section 64 of the IT Act — meaning the Tahsildar can attach the wrongdoer's property to satisfy your decree.

If a bank, payment app or platform's negligence enabled the misuse — for example, the bank ignored your "my OTP was used by someone else" complaint and refused to reverse a transaction — Section 43A of the IT Act — the law of compensation for failure to protect data — comes in. Section 43A makes a body corporate liable when it is negligent in maintaining reasonable security practices and that negligence causes you wrongful loss. The damages here are not capped. Under Rule 3 of the IT Rules, 2011, "password" is itself sensitive personal data — so loss of your password through a service provider's slack security gives you a direct Section 43A claim.

When the Misuser Is Someone You Know

Most password-misuse cases in India are not faceless hackers in a basement. They are an ex-partner, a sibling, a colleague, a flatmate, a former employee. The law does not soften because the wrongdoer is family. But the proof equation changes.

The Singapore Court of Appeal in Lim Siong Khee v Public Prosecutor, discussed approvingly in Indian cyber-law commentary, examined the case of a man whose girlfriend had once given him her email password to check her account during a holiday. After the relationship ended, he kept logging in. The court rejected his "she gave it to me" defence — consent given for one purpose does not extend into perpetuity. Indian law is the same. The moment you said "no more" — verbally or by changing the password — every further login is unauthorised.

If your situation involves a partner who has used the password access to harass, threaten or extort you, the conduct may also overlap with online harassment and cyber harm, where additional tools — protection orders, takedown requests, and Section 67 IT Act offences — become available.

Save your evidence of withdrawn consent. A WhatsApp message that says "do not access my account again" is gold. A password reset email confirming the new password is gold. A change in your phone lock screen with timestamp is gold. The civil and criminal cases both rest on showing that the use was without your present consent — not merely without your historical permission.

What Should I Actually Do Now?

  1. Stop and breathe. The next twenty minutes matter. Do nothing on the compromised account until you have screenshotted the alerts.
  2. Screenshot every alert and notification. Login alerts, OTP messages, recovery emails, device-changed warnings. With timestamps visible.
  3. Open the login history page on Gmail / Instagram / WhatsApp / your bank app. Screenshot the suspicious devices and IP locations.
  4. From a different, secure device, change the password and enable two-factor authentication. Sign out of all other sessions.
  5. Note money loss separately. Bank SMS, transaction ID, beneficiary, time. If money moved in the last 24 hours, call 1930 immediately — the helpline can freeze the receiving account.
  6. File a complaint at cybercrime.gov.in. Upload your evidence pack. You will get a complaint reference number — keep it.
  7. File a written FIR at the local police station under Section 66C IT Act and Section 66/Section 43 IT Act. Carry printed screenshots and a one-page narrative. Insist on a copy of the FIR — you are entitled to one free of cost under BNSS Section 173(2).
  8. If the police refuse, send a written complaint to the Superintendent of Police citing Section 173(4) BNSS, and if needed approach the Magistrate under Section 175(3) BNSS.
  9. For money loss above Rs 50,000 or sustained intrusion, file a separate Section 46 IT Act application before the Adjudicating Officer of your state for compensation. This runs parallel to the FIR.
  10. Inform contacts that your account was compromised, especially if the wrongdoer may have messaged them from your account asking for money — this prevents further cyber scam losses in your name.
  11. Keep a folder of every email, screenshot, FIR copy, and acknowledgement. Cloud backup. Print copies. A year from now, this folder is your case.

You Are Not Helpless Here

The law is uneven, the police are sometimes slow, and the bailable nature of Section 66C means the accused will not stay locked up for long. Cyber-law commentary acknowledges this honestly — calling the bailability of identity-theft offences "a paper tiger" feature of the statute.

And yet, every part of this system exists for you. Section 66C exists because Parliament accepted that an Indian citizen's digital identity deserves criminal protection. Section 43 and Section 46 exist because the legislature chose, over twenty years ago, to give cyber victims a faster civil remedy than ordinary tort. The K.S. Puttaswamy bench of nine judges sat for months to confirm that informational privacy is part of your fundamental right to life. BNSS Section 173 was rewritten in 2023 specifically to allow zero-FIR and e-FIR for moments like this. The law has bent itself, slowly, toward people in your situation.

You may walk out of the police station tonight more frustrated than when you walked in. That is normal. Keep the FIR copy. Keep the screenshots. File the cybercrime.gov.in complaint. File the Adjudicating Officer claim once the dust settles. The wrongdoer who took five minutes to log in will, if you do this right, spend the next two years answering for it. That is not a clean victory. But it is justice the way it actually arrives in India — slowly, in writing, in stages, but it does arrive.

Frequently Asked Questions

Someone misused my password — is it a crime in India?

Yes. The moment another person fraudulently or dishonestly uses your password, it falls under Section 66C of the IT Act, which is the Indian law against identity theft. The same act may also amount to unauthorised access under Section 66 read with Section 43, and cheating by personation under Section 66D if the wrongdoer pretended to be you. You do not need a digital signature certificate or any technical setup to invoke these provisions — a stolen email, social media or banking password is enough. Punishment is up to three years' imprisonment and up to Rs 1 lakh fine.

Can I file an FIR if my password was misused but no money was taken?

Yes. You can file a First Information Report under Section 173 of the BNSS even if no financial loss happened, because identity theft and unauthorised access are themselves cognizable offences. The IT Act treats the misuse of a password as a stand-alone wrong. Loss only affects how much compensation you can claim; it does not decide whether the police can register an FIR. A pure intrusion — reading your messages, deleting your files, posting from your account — is enough. The FIR process is the same as any cognizable matter.

Where do I file a complaint if my password was misused by someone?

You have three parallel options. First, the National Cyber Crime Reporting Portal at cybercrime.gov.in or the helpline 1930 for any cyber complaint. Second, the local police station closest to where you live or where you discovered the misuse — under BNSS Section 173, an FIR can now be registered irrespective of jurisdiction (zero-FIR). Third, the Adjudicating Officer of your state under Section 46 of the IT Act if you want money damages up to Rs 5 crore. You can use all three together; they do not block each other.

What evidence should I collect before going to the police?

Capture the basics before they vanish. Take screenshots of every suspicious login alert, OTP message, password-reset email and any chat where the misuse shows up. Note the date, time and device of every event. Download the login-history page from the platform (Gmail, Instagram, banking app, UPI app). Save email headers if a message was sent from your account. If money moved, keep bank SMS, transaction IDs and beneficiary details. Do not delete anything, even if it feels embarrassing. For court use, ensure originals are preserved on your device for Section 65B / Section 63 BSA proof.

Can I get compensation for password misuse, not just police action?

Yes. Section 43 of the IT Act treats unauthorised access, copying, alteration or disruption of a computer resource as a civil wrong, and entitles the victim to damages by way of compensation. Claims up to Rs 5 crore are filed before the Adjudicating Officer (the IT Secretary of your state) under Section 46. Beyond Rs 5 crore, you go to a regular civil court. This is a separate and parallel track from the criminal FIR — you can pursue both at the same time. For deeper guidance see the banking remedies cluster if your money was taken.

My ex-partner used my password to log into my account — what now?

Even if you once shared the password willingly, continued use after the relationship ended is unauthorised. The Singapore court in Lim Siong Khee v Public Prosecutor — discussed in Indian cyber law commentary — held that consent given for one purpose does not stretch into open-ended access. In India, the moment your ex logs in without your present consent, Section 66 read with Section 43(a) is attracted, plus Section 66C if your password was used. Send a written notice withdrawing consent, change every credential, and file the FIR. A WhatsApp message that says "do not access my account" is excellent proof of withdrawn consent.

What is the punishment if someone is caught misusing my password?

Section 66C of the IT Act prescribes imprisonment of up to three years and a fine of up to Rs 1 lakh for fraudulent or dishonest use of any password or unique identification feature of another person. If the misuse involved cheating by personation — for example, the wrongdoer pretended to be you to extract money from your contacts — Section 66D adds a separate punishment of up to three years and Rs 1 lakh fine. Section 66 (read with Section 43) carries up to three years and Rs 5 lakh fine. The court can convict on more than one of these in the same trial.

Is password misuse a bailable or non-bailable offence?

It is bailable. The legal commentary is candid that this makes the section a bit of a paper tiger — even if the accused is arrested, bail is a matter of right. That does not mean the FIR is pointless. The FIR forces the police to investigate, freezes evidence under official seal, and is the foundation of any compensation claim later. The accused may walk out on bail, but the case continues and the conviction record at the end of trial is what shapes the deterrent. The civil compensation track under Section 43 / Section 46 carries no bail concept — that recovery proceeds independently.

How is electronic evidence proved if my password misuse case goes to trial?

Through Section 65B of the Evidence Act (now mirrored in Section 63 of the BSA, 2023). Any printout or copy of an electronic record — login logs, screenshots, server data — must be accompanied by a certificate identifying the device and confirming the contents are accurate. Police obtain server records from the platform under formal request. Your job is to preserve the originals on your device, keep dates and times intact, and not edit anything. The hash value of the file is what the court will look at. Cyber-law commentary stresses that every reboot can subtly change resident data, so capture and store early.

How long do I have to file an FIR for password misuse?

There is no fixed limitation for FIR registration in cognizable offences. But under Section 514 of BNSS (the new limitation provision) cognizance of offences punishable up to three years must be taken within three years of the offence. Since most password-related IT Act offences carry up to three years, you should ideally file your FIR within months, not years. The longer you wait, the harder it gets to recover server logs, which most platforms only retain for six to twelve months. Earlier is always better, but late is not always fatal.

Can I claim compensation from the bank or platform that allowed the misuse?

Sometimes yes. Section 43A of the IT Act fixes liability on a body corporate — including a bank, app or service provider — that is negligent in maintaining reasonable security practices and thereby causes you wrongful loss. The claim is unlimited in amount and is filed before the Adjudicating Officer if it is up to Rs 5 crore. Several Adjudicating Officers in Maharashtra have ordered banks to refund money lost to cyber fraud where the bank's security or KYC process was defective. Rule 3 of the IT Rules 2011 makes "password" itself sensitive personal data, strengthening the claim.

What if the police refuse to register my FIR for password misuse?

Use the BNSS escalation. Under Section 173(4) of BNSS, if the officer-in-charge refuses, you can send the substance of your complaint in writing to the Superintendent of Police, who must order an investigation if the information discloses a cognizable offence. If even that fails, Section 175(3) BNSS lets you approach a Magistrate to direct the police to register and investigate. Carry copies of every screenshot and a calm written narrative — refusals are far less common when the paper trail is tight. Adjudicating Officer orders have publicly criticised stations that refuse to register cyber FIRs.

For more articles on Indian law, visit the Pinaka Legal Blog.
