In the wake of several high-profile data breaches in 2024 — including one of the largest to date — Americans have once again turned their attention to the dark web. Stolen data often ends up for sale on this secret section of the internet, where the total amount of money made by markets and fraud shops amounted to $1.7 billion in 2023.
Discovering that your personal information has been leaked on the dark web can be deeply unsettling. But while you might not be able to remove it entirely, you can take steps to avoid, or at least minimize, the damage.
Read on to learn more about the dark web and how to protect yourself from fraud if your data turns up there.
What is the dark web?
The dark web is an intentionally hidden part of the internet that requires specialized software, like the Tor browser, to access. Unlike the surface web, which is accessible to anyone using the internet, and the deep web, which is hidden only from search engines, the dark web is designed to keep users anonymous by masking their location and IP address. (Confusingly, the dark web is actually part of the deep web.)
While some use the dark web for privacy and free speech purposes, its characteristic anonymity has also attracted cybercriminals and other malicious actors who carry out illicit activities online.
Many illegal goods and services are bought and sold on the dark web, including stolen financial information, counterfeit money, weapons, malware, hacked accounts and drugs. These so-called darknet transactions often involve cryptocurrencies like bitcoin to further obscure users’ identities.
What to Do if Your Information Is on the Dark Web
Even the best identity theft protection can’t prevent every data leak. If you believe your personal info has ended up on the dark web — for example, as a result of a data breach or a phishing scam — you should act right away to protect your finances. Here are some steps you can take to limit the impact.
1. Identify the leaked information
Your first and most important step is to determine what type of information was exposed.
Finding your full name and email address on the dark web can be concerning, but a leaked Social Security number (SSN), driver’s license or credit card number is far more dangerous. The former might just get you more spam sent to your inbox, while the latter puts you at risk of becoming a victim of identity theft or fraud.
Online tools such as DeHashed and Have I Been Pwned can check whether your email account has been associated with any known breaches. If you receive an alert from a dark web or credit monitoring service, assess the report carefully. Data breaches can include multiple types of information, and not every piece of leaked data should be addressed the same way.
2. Scan your device(s) for malware
Malware is harmful software designed to disrupt, damage or gain unauthorized access to a digital device. Although data breaches are the most common way for your personal data to end up on the dark web, cybercriminals can also gain access to your information — and later sell it to the highest bidder — through the use of trojans, viruses or other forms of malware.
Verify that your antivirus protection is up to date and perform a thorough security scan on all your devices. If you find malware, take steps to isolate the device by turning on airplane mode or manually turning off network access and Bluetooth. This will disable the malware’s ability to infect other devices and allow you to then attempt to remove it.
3. Change any compromised credentials
Any login credentials (usernames and passwords) or PINs that are found on the dark web should be changed immediately.
Make sure to create unique passwords for every online account, as reusing them can increase the risk of multiple accounts being hacked. For a strong password, remember to keep it long and complex: at least eight characters — preferably 12 or more — and a combination of uppercase and lowercase letters, numbers and punctuation.
If you have trouble remembering multiple passwords, consider downloading a password manager. These tools generate and store complex passwords, keeping track of them while helping you stay safe so you aren’t clicking “Reset your password” every time you log into an account.
4. Check your credit information
Take a look at your credit score and make note of any recent changes to it. An unexpected drop in your score can indicate illegal activity, fraud or identity theft, and should be taken seriously even if it doesn’t trigger a fraud alert.
A reliable way to pinpoint the information that could have caused your score to drop is reviewing your credit report. You can request free credit reports online weekly from the three main credit reporting bureaus — Equifax, Experian and TransUnion — using AnnualCreditReport.com.
Report any unauthorized accounts and ask the credit bureaus to remove fraudulent items from your credit report. Consider placing a credit freeze if you suspect foul play, as doing so prevents anyone from opening new accounts or taking out loans in your name.
5. Secure your financial accounts
If you find unauthorized activity or transactions you weren’t aware of, contact your bank or card provider to notify them of the suspicious activity.
Request a new card number and consider asking your bank to freeze your credit or debit card temporarily. If you notice any fraudulent charges, report and dispute them immediately. In some cases, your bank may recommend additional cybersecurity measures, such as setting up transaction limits or requiring approval for large purchases.
You should also think about enabling fraud alerts and two-factor authentication when possible. Two-factor authentication requires you to provide secondary information, like from a text message or a code provided by a third-party app, when logging into an account.
Using two-factor authentication or more complex multi-factor versions makes it significantly harder — though not impossible — for someone who has found or bought your usernames and passwords on the dark web to access your accounts.
6. Keep an eye out for scams
After your data has been leaked, cybercriminals may still need a few missing pieces of information to access your accounts. Some of them might rely on multi-pronged scams, including phishing and other forms of manipulation, to get what they need.
Be wary of unexpected messages that ask for sensitive information, contain urgent warnings or threats (“Your account will be locked unless you verify now!”) and have suspicious links or attachments. Never click on unknown links or download attachments from unsolicited emails.
Be especially careful with social media apps. Many apps are susceptible to scamming activity, such as WhatsApp scams, in which criminals pose as a family member or friend calling from a new phone number and claim to have an emergency.
How to Find Out if My Information Is on the Dark Web FAQ
How do you do a dark web scan?
A dark web scan indexes collections of stolen data and compares them to your established identity profile to see if your information has been compromised. It requires specialized skills and software, so you’ll probably need professional help.
Look for an IT security or identity protection agency to carry out a dark web scan on your behalf. Remember that dark web scans are complicated, even for companies specializing in them.
It’s impossible to search the entire dark web for your information because it’s designed to hide what’s stored within it. The most that a typical scan can do is determine the date your data may have been exposed. Still, there’s always the chance that more of your data is out there than can be detected.
Can you remove your information from the dark web?
Once your information is on the dark web, removing it can be difficult, or even impossible. Dark web repositories of stolen personal data generally operate in support of criminal activity. Even if you could get in touch with an administrator, they likely would ignore your message.
Even if you could remove your information from one dark web location, there is no guarantee that it hasn’t been copied or posted on other sites. Instead of removing information that has been compromised, focus on changing passwords, notifying your credit card companies and ensuring the stolen data becomes irrelevant.
How did my information get on the dark web?
Learning that your information has been stolen in a data breach can be shocking. Still, it can be somewhat reassuring to know that the thieves probably didn’t target your data in particular, but rather stole thousands of records at once.
The most common way personal data gets stolen is through data breaches at banks, credit card processing companies and online retailers. Even government agencies can fall victim to cybercriminals.
Other risks include using public Wi-Fi for banking transactions or throwing away sensitive documents. To stay secure, always use a virtual private network (VPN) — a service that isolates and encrypts your internet connection — or a private Wi-Fi network you trust. To avoid leaving a paper trail, invest in a paper shredder.
What if my SSN is on the dark web?
More from Money:
AT&T Data Breach: How to Make Sure Your Personal Information Is Safe
Identity Theft: Who’s at Risk and How It Affects Their Lives
Should You Freeze Your Credit After Identity Theft?
