Bellator Cyber Guard

Dark web exposure monitoring guide

Billions of stolen credentials are traded on the dark web every day. Learn what the dark web is, how your data ends up there, and what you can do to monitor and protect yourself.

Understanding the Threat

What is the dark web?

The internet has three layers. The surface web is everything indexed by search engines like Google, representing only about 5% of the total internet. The deep web includes content behind login pages, paywalls, and databases that search engines cannot crawl, such as your email inbox, medical records, or company intranets. This makes up about 90% of the internet and is mostly benign.

The dark web is a small subset of the deep web that requires special software (typically the Tor browser) to access. It uses onion routing to anonymize both the user and the server, making it extremely difficult to trace who is hosting or accessing content. While the dark web has legitimate uses for privacy and free speech in oppressive regimes, it is also home to thriving criminal marketplaces.

On these marketplaces, criminals buy and sell stolen credentials, personal identity information, credit card numbers, hacking tools, malware, and access to compromised corporate networks. Prices are surprisingly low because supply is enormous. Your data may already be there without your knowledge.

15B+ stolen credentials on the dark web

Over 15 billion username and password combinations from thousands of data breaches are available for purchase or free download on dark web marketplaces.

$1-$8 price per stolen credit card

Credit card numbers with CVV and billing address sell for just a few dollars. Full identity packages (SSN, DOB, address, bank info) sell for $15-$65.

6 months average time to detect a breach

Most organizations take 197 days to identify a data breach and another 69 days to contain it. Dark web monitoring can dramatically reduce this detection time.

80% of breaches involve stolen credentials

The vast majority of successful cyberattacks begin with compromised credentials, whether from phishing, data breaches, or dark web purchases.

Attack Vectors

How your data ends up on the dark web

Data Breaches at Third-Party Services

When a company you have an account with gets breached, your email, password, and personal information are stolen in bulk. Major breaches at LinkedIn (700M records), Facebook (533M records), and Yahoo (3B records) have exposed billions of credentials. You do not need to be individually targeted. Your data is exposed simply because you had an account.

Phishing and Social Engineering

Attackers create convincing fake login pages for popular services like Microsoft 365, Google, and banking websites. When you enter your credentials on these fake pages, your username and password are captured and immediately added to the attacker's database, often appearing on dark web markets within hours.

Malware and Infostealers

Infostealer malware like RedLine, Raccoon, and Vidar silently harvests saved passwords, browser cookies, autofill data, and session tokens from infected computers. A single infostealer infection can expose every password saved in your browser. These logs are sold on dark web marketplaces in batches.

Credential Stuffing Cascades

When attackers obtain your credentials from one breach, they systematically try those same credentials on hundreds of other services. Because most people reuse passwords, a breach at a low-value site like a forum or gaming platform can lead to compromised access at your bank, email, and work accounts.

Insider Threats and Data Theft

Disgruntled employees, contractors, or partners with access to sensitive databases may exfiltrate and sell data on the dark web. This is especially concerning in industries like healthcare and financial services where individual records have high black-market value.

Warning Signs

Signs your credentials may be exposed

Many people do not realize their credentials have been compromised until significant damage is done. Watch for these indicators.

  • You receive a data breach notification from a service you use or have used
  • You notice unauthorized login attempts or security alerts from your email, bank, or cloud accounts
  • You start receiving password reset emails that you did not request
  • You find unfamiliar accounts or transactions on your financial statements
  • Your credit report shows inquiries or accounts you did not open
  • You receive IRS notices about tax returns you did not file (indicates identity theft)
  • Colleagues report receiving strange emails from your account
  • You are locked out of accounts you previously had access to
  • You receive two-factor authentication codes you did not request
  • A dark web monitoring service alerts you that your credentials have been found

Protection

Dark web monitoring approaches

Proactive monitoring lets you discover exposures before criminals exploit them. Here are the main approaches available.

Automated Dark Web Scanning

Specialized services continuously crawl dark web marketplaces, forums, paste sites, and Telegram channels searching for your organization's data. When your email domains, credentials, or company data are found, you receive an alert with details about what was exposed and where.

  • Continuous automated monitoring
  • Email domain scanning
  • Executive credential monitoring
  • Real-time alerting
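
The matching step behind an "email domain found" alert, as an added example that is not the code of any service described on this page. The monitored domain, the dump lines, the HMAC key and the alert fields are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumptions for this example: the monitored domains and the local HMAC key.
MONITORED_DOMAINS = {"example.com"}
FINGERPRINT_KEY = b"constructed-demo-key"

# Constructed sample in the common "email<delimiter>password" layout; not real data.
SAMPLE_DUMP = """\
alice@example.com:Winter2023!
bob@mail.example.com;hunter2
ALICE@EXAMPLE.COM:Winter2023!
carol@example.org:letmein
not-a-credential-line
dave@notexample.com:qwerty
"""

LINE_RE = re.compile(r"^\s*([^\s:;|@]+@[^\s:;|@]+)[:;|](.+)$")


def domain_is_monitored(domain, monitored):
    """Match the domain itself or a subdomain, never a look-alike suffix."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in monitored)


def find_exposures(dump_text, source, monitored=MONITORED_DOMAINS):
    """Return one alert per (account, secret), with the secret fingerprinted."""
    alerts = {}
    for raw in dump_text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue  # skip lines that are not email/secret pairs
        email, secret = match.group(1).lower(), match.group(2).strip()
        if not domain_is_monitored(email.rsplit("@", 1)[1], monitored):
            continue
        # Keyed fingerprint lets analysts dedupe without storing the plaintext.
        fp = hmac.new(FINGERPRINT_KEY, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        alert = alerts.setdefault((email, fp), {"email": email, "secret_fp": fp, "source": source, "hits": 0})
        alert["hits"] += 1
    return sorted(alerts.values(), key=lambda a: a["email"])


if __name__ == "__main__":
    for alert in find_exposures(SAMPLE_DUMP, "constructed-paste-1"):
        print(alert)
```

The suffix check on the domain is what keeps `notexample.com` from raising a false alert while still catching `mail.example.com`.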

Credential Breach Databases

Services like Have I Been Pwned aggregate known data breaches and let you check if your email address or password has appeared in a breach. While not as comprehensive as active dark web scanning, these databases are a valuable free resource for checking historical exposure.

  • Free to check individual emails
  • Domain-wide search for businesses
  • API integration available
  • Covers most major known breaches
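
How a password can be checked against such a database without sending it, shown with the range-query scheme of Have I Been Pwned's public Pwned Passwords API: only the first five characters of the SHA-1 hash leave the machine. This is an added example, not code from the page; `ConstructedRangeSource` is a hypothetical offline stand-in for the HTTP call, and its response data is constructed.

```python
import hashlib


def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus; 0 if not listed."""
    prefix, suffix = sha1_split(password)
    # Only the prefix is passed to the fetcher; the comparison happens locally.
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


class ConstructedRangeSource:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""

    def __init__(self, breached):
        self.requested = []  # every value that would have left the machine
        self._table = {}
        for password, count in breached.items():
            prefix, suffix = sha1_split(password)
            self._table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix):
        self.requested.append(prefix)
        extra = ["0" * 35 + ":3", "garbage line"]  # unrelated and malformed rows
        return "\r\n".join(self._table.get(prefix, []) + extra)


if __name__ == "__main__":
    source = ConstructedRangeSource({"password": 1000})
    print(breach_count("password", source), source.requested)
```

In production, `fetch_range` would be a small function that performs the HTTPS GET and returns the response text.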

Managed Dark Web Intelligence

For organizations with higher security requirements, managed dark web intelligence services provide human analysts who investigate findings, provide context, and recommend specific remediation steps. This goes beyond automated scanning to include threat actor profiling and targeted threat assessment.

  • Human analyst investigation
  • Contextualized threat reports
  • Remediation guidance
  • Threat actor intelligence

Action Plan

What to do if your data is found

Discovering that your credentials are on the dark web can be alarming, but acting quickly limits the damage. Follow these steps in order.

1. Change Compromised Passwords Immediately

Change the exposed password on the affected account and on every other account where you used the same password. This is why password reuse is so dangerous. Use your password manager to generate a unique, strong password for each account.

2. Enable Multi-Factor Authentication

Add MFA to every account that supports it, prioritizing email, banking, and cloud storage accounts. Even if an attacker has your password, MFA prevents them from logging in without the second factor.

3. Check for Unauthorized Access

Review recent login activity on all critical accounts. Look for logins from unfamiliar locations, devices, or IP addresses. Check email sent folders for messages you did not write. Review financial accounts for unauthorized transactions.

4. Freeze Your Credit

If personal identity information (SSN, date of birth, address) was exposed, place a security freeze with all three credit bureaus (Equifax, Experian, TransUnion). This prevents criminals from opening new credit accounts in your name. A credit freeze is free and does not affect your credit score.

5. File an IRS Identity Protection PIN

If you are a tax professional or your Social Security Number was exposed, apply for an IRS Identity Protection PIN (IP PIN). This six-digit number prevents someone from filing a fraudulent tax return using your SSN. Renew it annually.

6. Monitor and Document

Set up ongoing monitoring for new exposures. Keep records of everything you discover and every action you take. If you are a business, you may have legal obligations to notify affected individuals and regulatory bodies within specific timeframes.
