What to do if my email is found on the dark web?
Reviewed by Mike Marcacci, Sr. VP of Engineering at OmniWatch
Suffering a breach can be an overwhelming feeling. We're here to help guide you through the risks, what actions to take now, and how to keep yourself safe in the future.
What is the Dark Web?
The dark web is a part of the internet that can only be accessed using special software, such as The Onion Router (TOR). It is an anonymous network where users can communicate and access websites without fear of being tracked or identified. Many people use the dark web to buy and sell illegal goods, as well as engage in other criminal activities.
However, it also has legitimate uses such as allowing whistleblowers to communicate securely with journalists or activists to share information without fear of government surveillance. In addition, some individuals may use the dark web for more mundane tasks like browsing online forums or playing video games. Regardless of its purpose, it remains largely unregulated and often serves as a hub for illegal activities.
How did my Email end up on the Dark Web?
There are several ways an email can end up on the dark web. One way is through an online data breach, where hackers gain access to a company’s database and steal personal information like emails as well as other sensitive information. Another way for an email to be exposed is if someone with malicious intent deliberately posts it on the dark web. Finally, in some cases, an email can be exposed due to human error or negligence. For example, if an employee accidentally uploads a file containing sensitive information to a shared server that is not properly secured.
What can People do With my Email Address?
If your email address was found on the dark web or your email address was leaked in a breach, it can potentially be used in several harmful ways:
- Spam: Your email address could be added to lists that are sold to marketers or scammers, leading to a significant increase in the amount of spam emails you receive.
- Phishing Attempts: You might receive emails designed to trick you into providing sensitive data, such as your passwords or credit card information. These emails often appear to come from legitimate organizations that you may already do business with.
- Spear Phishing: This is a more targeted version of a phishing attack where the email you receive may be tailored specifically to you, making it seem more legitimate and increasing the chances that you fall for the scam.
- Identity Theft: In some cases, your stolen email address can be used to answer recovery questions or reset passwords for various accounts, which could lead to identity theft.
- Malware Distribution: Emails can be used to distribute malware. You might receive an email with an attachment or a link that, if clicked or downloaded, could infect your computer with harmful software.
- Credential Stuffing: If you use the same password across multiple sites (a practice that is not recommended), and a bad actor gains access to your email address or password from a data breach, they might attempt to use these credentials to gain access to other sites or services.
- Cross-reference: Hackers can use existing breach data to learn more about your behaviors, likes, dislikes, email addresses used, etc.
Given these risks, it's critical to take appropriate steps to secure your email. Use a strong, unique password for your email account, enable two-factor authentication, and always be wary of unexpected emails that contain links and attachments or ask for personal information.
Enter your email address and get results in seconds
Hackers and thieves don’t wait and neither should you! See if your passwords have been exposed in a data breach.
What Should I do if I Think my Email Address was Leaked?
Discovering that your email address has been leaked can be distressing, but there are several important steps you can take to secure your information:
Change Passwords
Your first step should be changing your email password. Even if that wasn’t leaked, this step will add extra security. Multiple tools can help crack passwords, especially if they are short or use things like addresses, email addresses, or anything that may be associated with you.
Strengthen Passwords
Ideally, you want to create a long password with numerous special characters that spell no particular word. Better yet, you can use a complicated and unique passphrase. Since these are hard to remember, using password managers like 1Password® can help you create secure and varied passwords or passphrases while still allowing you to log into accounts easily and quickly.
Use Two-Factor Authentication (2FA)
Two-factor authentication requires a username, password, and another “factor” to unlock your account. This added step will help make your accounts more difficult to access. Common examples are when you have to enter a code you get in your email or phone. Another option is an authentication app that can be used to provide a rotating code to log in.
SMS two-factor authentication is the least secure because phone numbers are easier to hack. In 2022, hackers claimed they breached T-Mobile over 100 times. This was done partly to gain access to phone numbers to break into 2FA-enabled accounts.
Make sure to use either email-based 2FA or an app like Google® Authenticator for all accounts.
Strengthening Security Questions
When creating answers to security questions, you should never put real answers. This information can be discovered. Instead, create your answers the same way you would create long difficult passwords. A password manager can also help you manage these security question answers.
Check Your Inbox for any new Account Emails
Review your inbox to see if anyone has used your email address to create a new account or if any emails are asking you if you just attempted to sign in to your account.
How can I Protect my Email?
Because so many sites require you to input email addresses, you may look at using an email address strictly for signing up for these programs and keeping your email address private. If you’re an Apple® user creating an account, using your Apple ID will allow you to hide your real email address.
What Cybersecurity Professionals are Saying
Chester Wisniewski
Principal Research Scientist at Sophos
“Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies”
Matt Kapko
Cybersecurity Reporter
"Threat actors don’t just follow the news — they react to it and identify new ways to target potential victims during moments of heightened sensitivity."
Chester Wisniewski
Principal Research Scientist at Sophos
"ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams."