
My Email Information Is on the Dark Web. What Do I Do?

Don’t panic.

What action to take on breach and exposure notifications depends on how much information you get.
Question: I got notices from several services that my username/email and password are on the dark web. Since I have two-factor identification on, I have not had any issues with anybody breaking into any of my accounts. I have also had issues with Microsoft sending me notifications of two-factor notification numbers even though I never requested them. The problem is that I don’t know which websites are affected, so I cannot change the website password. Can you tell me how to identify the affected website to change my passwords?

There are two separate items raised by this question I want to address:

  • What to do if you’re told your information is on the dark web.
  • What to do if you get unsolicited two-factor notices.

They’re separate issues, but sometimes they’re related.


TL;DR:

If your email is on the dark web

You might be able to find which passwords need changing by using services like HaveIBeenPwned to check if your email account is linked to known breaches. If passwords are compromised, update them immediately, especially if reused across sites. Change passwords immediately if you receive unsolicited two-factor authentication requests.

What is the dark web?

The dark web is best thought of as another internet that you need special tools to access. It uses the existing internet as technology to push information around, but it’s separate in terms of how you access it.

Good examples are “onion” sites, which are accessible only using TOR, The Onion Browser. It’s known for both anonymity and untraceability, and therefore hosts a variety of sites that would be considered illegal in most countries.

The dark web is also an important resource for privacy advocates, investigative reporters, whistle-blowers, and individuals in oppressed countries attempting to gain access to uncensored information.

It’s a subset of what’s referred to as the deep web, which also includes all websites on the normal internet that are protected from being searched and don’t appear in normal search engines’ search results.

One of the things you’ll find on the dark web is individuals selling stolen information. For instance, most data breaches result in large collections of user account information that the hackers attempt to sell on the dark web.

So say your email address, username, or even password was discovered in such a breach and has appeared on the dark web: now what?

The action you take is determined by what sort of information has been exposed. Three of the most common situations involve personal information like your email or physical address, a password in its hashed state, or an actual password. Once we look at those, we’ll consider the case of the two-factor notification.

If your personal info is revealed

There’s surprisingly little you can do about most breaches. Things like an email address or a username are semi-public anyway. Other private information, like your address, while not something you’d necessarily want to be published widely, is also generally public information.

One tool that can help is HaveIBeenPwned. Enter your email address there, and it will list any known data breaches in which it was discovered. Sometimes, though not always, this will identify the affected service, so you can change your password there.

Aside from potentially setting up credit watches or some other form of fraud monitoring, there’s not much more to do beyond remaining appropriately skeptical and wary.

If your passwords are exposed: which one(s)?

If your password’s been exposed, you need to change that password as quickly as possible. That part seems obvious enough.

But the password to which account?

Unless it’s included in the notification, there’s no way to know. It’s not uncommon for a dump of information to appear on the dark web without any indication of where it came from.

If you can find the password that was exposed, you should take a different approach. If you use a different password on every site — as you should — then it’s a simple matter of looking at your own password vault (or whatever you use to keep track). Whichever service has that as your stored password is the service at which you need to change the password.

Using that same password in more than one place? You must change them all. Use this as an opportunity to make them all strong and different from one another.
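
As an added example (not part of the original article), here is one way to do the vault lookup described above: find every entry that uses the exposed password and list any passwords shared between sites. The CSV column names and sample entries are constructed assumptions, as is the option to match an unsalted SHA-1 hash instead of the plain password.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample vault export. The column names (name, username, password)
# are an assumption; each password manager has its own CSV layout.
SAMPLE_VAULT_CSV = """name,username,password
example-shop,leo@example.com,correct-horse-41
example-forum,leo@example.com,Tr0ub4dor&3
example-bank,leo@example.com,vX9#longer-unique-passphrase
example-news,leo2@example.com,Tr0ub4dor&3
"""

def load_vault(csv_text):
    """Parse the exported vault into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def sha1_hex(password):
    """Fingerprint used only for matching, so passwords are never printed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def accounts_using(vault, exposed, is_sha1=False):
    """Return the names of entries whose password matches the exposed value.

    exposed is the plain password from the notice or, with is_sha1=True,
    an unsalted SHA-1 hex digest (an assumed notice format).
    """
    target = exposed.lower() if is_sha1 else sha1_hex(exposed)
    return sorted(e["name"] for e in vault if sha1_hex(e["password"]) == target)

def reused_passwords(vault):
    """Group entries that share one password; only entry names are returned."""
    groups = defaultdict(list)
    for entry in vault:
        groups[sha1_hex(entry["password"])].append(entry["name"])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

if __name__ == "__main__":
    vault = load_vault(SAMPLE_VAULT_CSV)
    print("change now:", accounts_using(vault, "Tr0ub4dor&3"))
    print("reused:", reused_passwords(vault))
```

Delete the exported CSV once you are done; it holds every password in plain text.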

The real problem arises when the breach includes your password; not the “hashed” password (that’s typically[1] safe) but your actual password. However, it’s uncommon for notifications to tell you the password even if it was completely and clearly exposed.

Usually, you’re left knowing your username and/or email address was exposed, and/or some password on some service.

Not helpful, and, honestly, not actionable. All you can do is make certain your overall security is as it should be and keep an eye out for suspicious behavior.

Which brings us to item number 2.

Unrequested two-factor notifications

If you suddenly get two-factor notifications, such as one of your accounts sending you a code you didn’t ask for, change that account’s password immediately.

Here’s why: most services send out the two-factor request only after the correct password has been entered. That implies that if you didn’t enter it, someone else did, and thus they know your password. While two-factor authentication is protecting you, it’s still a sign that you should change that password right away.

This right here is why two-factor authentication is so important. Even knowing your password — perhaps having slurped it up from a data dump on the dark web — a hacker is not able to get into your account.

No exposure at all

There are situations where an email telling you your information has been compromised is completely bogus. It’s a common form of spam and phishing.

In addition to watching for all the signs of a phishing attempt, even if the email appears legitimate, do not click links in the email. Period.

Instead, visit your affected services, if you know which they are, and address any issues you find there.

Do this

Be wary of phishing attempts and do what you can with the information you’re given. That may not be much, other than keeping your guard up and being extra suspicious of spam or other unsolicited email sent to any affected accounts. And it never hurts to change your passwords for accounts you suspect might be vulnerable.


Footnotes & References

1: If you get a report that your information was exposed in a breach, look for the phrase “salted hash” when it comes to exposed password information. “Salted” means that it’s essentially impossible to determine your password from the hash. Without salt, as it’s referred to, short passwords can be exposed; hence our continued insistence on longer passwords being more secure.
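
An added illustration of the footnote (not from the original article): without salt, the same password always produces the same hash, so a table computed once in advance matches it; with a random per-user salt the stored values differ and the table finds nothing. The tiny password list is constructed, and PBKDF2-HMAC-SHA256 is an assumed choice of salted scheme, since the article names none.

```python
import hashlib
import hmac
import os

# Constructed data: a few common short passwords standing in for a
# precomputed table of hash -> password.
COMMON = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

def store_unsalted(password):
    """Weak storage: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None, iterations=100_000):
    """Salted storage: random per-user salt fed into a slow KDF (PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()

def verify_salted(password, salt_hex, digest_hex, iterations=100_000):
    """The site can still check a login by re-deriving with the stored salt."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)

def table_lookup(stored_hash):
    """What a precomputed table returns for a leaked hash (None if no hit)."""
    return PRECOMPUTED.get(stored_hash)

if __name__ == "__main__":
    print("unsalted:", table_lookup(store_unsalted("letmein")))
    salt, digest = store_salted("letmein")
    print("salted:  ", table_lookup(digest))
```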

13 comments on “My Email Information Is on the Dark Web. What Do I Do?”

  1. In addition to the great options in this article, I have an idea of my own.

    If you use a throwaway email address for each entity, the address you receive any warning on is going to be the company you need to amend your info with. And don’t forget to make them a new throwaway. (And have a way of knowing which company has which address.)

    You can also shut down any address that starts to receive SPAM, and any where you no longer do business with them (after unsubscribing with them), all without losing your main email address.

    Reply
    • That would add a layer of protection, but many people have dozens of logins. A password manager can manage those passwords, but it’s probably too much work for the average person to set up, and they would have to log into each of those email accounts regularly to keep them active, otherwise, the email service provider will close the account for lack of use. 2 factor authentication is as safe as you can get (100% is impossible).

      This method might be useful for a few sensitive accounts such as financial institutions, social media, and your main email account’s recovery email address.

      Reply
  2. If a site doesn’t use a salted hash, hackers can easily crack short passwords via Rainbow Tables. Rainbow Table hacks can be mitigated by using long passwords. For now, 15-20 character passwords are safe from Rainbow Tables. It’s always best to stick with the higher numbers as cracking capability is ever-increasing.

    Reply
    • Probably the same way we get notices of our email address having been used as someone else’s recovery address. Typos, satisfying an email address requirement that they didn’t want to satisfy, etc.

      Reply
  3. Mark:

    Thanks for your comment on my post.

    Maybe I used the wrong term: “throwaway email address” Maybe “disposable email address” is more correct?

    My throwaway/disposable email addresses all come to the main inbox. No logging in separately, no risk of being closed for lack of use. They are just an integral part of my email program.

    And, most importantly for me, I know who I assigned the address to. For example if a message supposedly from my bank does not use the correct one, it will be a scam. Regarding the subject of this article I thought it would make tracking who/what/where easier.

    Reply
  4. Concerning the “Unrequested two-factor notifications” part, if I receive a 2FA request and immediately go and try to change the password as you suggest, what keeps the bad guy from receiving my legitimate 2FA response which I would have to input in order to access & change the password? I hope I am making myself clear here. Would it not be better to wait for a little while instead of trying immediately?

    Reply
  5. Today, I dealt with a tangentially related issue. I use an ID monitoring service, provided by my bank. I received an ID alert from them today, notifying me that my SSN has been found on the dark web. A few years ago, I followed advice from the “Ask Bob” website/newsletter, and froze my credit on six Credit Bureaus, including Experian, Equifax, and TransUnion (the big three), so I had already taken the only step needed to protect me, financially. I also learned that SSA will confirm my identity, using one of several methods they know I have access to, so the end result is that there isn’t much else I can/need to do to protect my SSN at this time, other than remaining alert, and watching for unexpected activity related to my SSN.

    The item I read to learn how to get the job done was titled “[ALERT] Freeze Your Credit Files (all SIX of them)”, at (https://askbobrankin.com/alert_freeze_your_credit_files_all_six_of_them.html) on Bob’s website.

    Leo, I hope you don’t mind me posting a resource from another tech-advisor’s website, but I think the information it provides may be as beneficial to others as it has turned out to be for me. After reading the item, it occurred to me that I had no intention of getting a new credit card, or opening a loan any time soon, and that I could easily ask the potential lender which service(s) will be used to verify my credit information when/if the need should arise, and unfreeze that service temporarily, then when the need ends, re-freeze it. It’s a bit more bother when/if I need to borrow money, but it’s also well worth the effort for the added financial security credit freezes provide.

    My2Cents,

    Ernie (Oldster)

    Reply
  6. Who needs the Dark Web? In Britain government data bases are hacked frequently, company data bases are hacked; and government laptops, with unencrypted information, have been left on trains. Not only that, my gym have an anonymous email address of mine that I use for organisations that have my bank account details and personal information (such as date of birth). They gave this email address to a freelance, outside trainer so he could offer me a training session I never asked for.
    The problem is simple, security is not taken seriously and most people don’t understand it.

    Reply
