What to do if my password is found on the dark web?

Reviewed by Mike Marcacci, Sr. VP of Engineering at OmniWatch

Having compromised passwords can be a frightening and overwhelming experience. A password can give thieves access to sensitive personal information or even the ability to steal funds.

It’s essential to understand the risks associated with having your password exposed on the dark web, as well as what steps you should take if it does happen. Below, we'll cover:

  • How to recognize if your password has been compromised
  • What to do to protect yourself from further damage
  • Tips to help prevent identity theft in the future

Knowing these things can help you feel more secure and confident that you have taken all the necessary precautions against having your personal information stolen again.

What is the Dark Web?

The dark web is a part of the internet that can only be accessed using special browsers, such as The Onion Router (Tor). Sites accessible through these special browsers cannot be seen or reached from normal browsers like Google Chrome® or Microsoft Edge®. It is an anonymous network where users can communicate and access websites without fear of being tracked or identified. Many people use the dark web to buy and sell illegal goods, as well as to engage in other criminal activities.

However, it also has legitimate uses such as allowing whistleblowers to communicate securely with journalists or activists to share information without fear of government surveillance. In addition, some individuals may use the dark web for more mundane tasks like browsing online forums or playing video games. Regardless of its purpose, it remains largely unregulated and often serves as a hub for illegal activities.

How did my Password end up on the Dark Web?

There are several ways your password can end up on the dark web. One way is through an online data breach. This is when hackers target websites to gain access to a company’s database and steal the personal information of users, customers, and employees. Another way for a password to be exposed is if someone with malicious intent deliberately posts it on the dark web. In some cases, a password can be exposed due to human error or negligence, for example when an employee accidentally uploads a file containing sensitive information to a shared server that is not properly secured.

What can Hackers do with my Password?

Besides using your password to get into the account it leaked from, thieves will often try that same password on your other accounts, since many people reuse passwords. They can also sell your password on the dark web as a form of currency. Since most people tend to rotate very similar and simple passwords by remixing them (adding the new year, for example), knowing the pattern of a past password often makes guessing the new one trivial.


What Should I do if my Password is Leaked?

The good news is that fixing a leaked password can be done quickly and easily.

Change your password

First, go to the account of the password that was breached and change your account password. Multiple tools can help crack passwords, especially if they are short or use things like addresses, emails, or anything that may be associated with you. Ideally, you want to create a long password with numerous special characters that spell no particular word. Since these are hard to remember, using password managers like 1Password can help you create secure and varied passwords while still allowing you to easily log in.

Review your account

Check the account that was breached to see if you’ve been hacked. Look for signs of identity theft by seeing if anything has been changed, especially recovery emails or passwords. Make sure to then “log out all devices” after changing your password to ensure any potential thieves don’t keep access to your account.

If the breached account was an email account, check if any new inbox “rules” were created. Attackers will attempt to maintain access to victims’ information by creating inbox rules that forward all emails to the attacker.
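A simple audit of inbox rules for the forwarding pattern described above, as an added example that is not OmniWatch's code. The rule list is a constructed, generic representation (name, conditions, forwarding targets, delete flag), not any real mail provider's export format; the address `collector@attacker.example` is a constructed placeholder.

```python
# Constructed sample of inbox rules for the audit (not a real provider's format).
RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": "news@"},
     "forward_to": [], "delete": False},
    # The kind of rule an attacker leaves behind: empty name, no conditions,
    # forwards everything to an outside address and deletes the local copy.
    {"name": ".", "conditions": {},
     "forward_to": ["collector@attacker.example"], "delete": True},
    {"name": "Receipts to partner", "conditions": {"subject_contains": "receipt"},
     "forward_to": ["partner@example.com"], "delete": False},
]

OWNER_DOMAIN = "example.com"  # constructed: the domain the mailbox belongs to


def audit_rules(rules, owner_domain):
    """Return (rule name, reasons) for every rule that looks like persistence."""
    findings = []
    for rule in rules:
        reasons = []
        targets = rule.get("forward_to", [])
        # Forwarding to an address outside the owner's domain leaks every matching mail.
        external = [a for a in targets if a.rsplit("@", 1)[-1].lower() != owner_domain]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        # A forward with no conditions copies the entire inbox, not one category.
        if targets and not rule.get("conditions"):
            reasons.append("forwards every incoming message")
        # Deleting after forwarding hides the activity from the mailbox owner.
        if targets and rule.get("delete"):
            reasons.append("deletes after forwarding")
        # Attackers often use blank or single-character names so the rule is overlooked.
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(RULES, OWNER_DOMAIN):
        print(f"suspicious rule {name!r}: " + "; ".join(reasons))
```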

Change all similar passwords

Because thieves will try to use whatever password was breached on other accounts you own, make sure to change any passwords that were the same as the breached account. This can sometimes be overwhelming, so start with important accounts like banks first.

Use a password manager

Password managers, like 1Password®, are services that create and manage passwords for you.

When using a password manager, you will only need to remember your master passphrase to your password manager, which will provide you with access to your other passwords.

A master passphrase is a more secure version of a password. Instead of one simple word, a passphrase is a combination of words or phrases. Because it is longer and more complex, it’s more difficult to compromise.

It’s also helpful to create a story or scenario to help you remember your master passphrase. For example, instead of TLOUl0v3r7, a master passphrase could be Last-of-Our-Chardonnay-Couch. The story could be that you were having a viewing party for The Last of Us, and someone spilled chardonnay on the couch.

Using special characters or breaks in a master passphrase, such as the hyphens in the example above, is a great strategy for creating a strong passphrase. For maximum security, refrain from using commonly used replacements, such as “1” for “i” and “3” for “E”. Instead, use random capitalization, punctuation, randomly placed numbers, and similar strategies to break up words in your phrase.
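A password-change check that rejects replacements which are only a remix of the compromised password (the year-bump pattern from "What can Hackers do with my Password?") or that rely on the common "1" for "i", "3" for "E" substitutions just mentioned. This is an added example, not OmniWatch's or 1Password's code; the substitution table, the 16-character minimum and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Common substitutions that add no real strength (assumed table, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its underlying word pattern: drop leading/trailing
    digits and punctuation (years, counters), undo leet substitutions, keep letters."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password.lower())
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def is_remix(old_password: str, new_password: str, threshold: float = 0.8) -> bool:
    """True when new_password is a trivial variation of a known-compromised password."""
    a, b = normalize(old_password), normalize(new_password)
    if not a or not b:               # all-digit passwords: compare the raw strings
        a, b = old_password.lower(), new_password.lower()
    if a in b or b in a:             # same word with a new year/suffix bolted on
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(new_password: str, compromised: list[str],
                       min_len: int = 16) -> list[str]:
    """Return the reasons a replacement password should be rejected; [] means accept."""
    problems = []
    if len(new_password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if any(is_remix(old, new_password) for old in compromised):
        problems.append("trivial variation of a compromised password")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's own weak example and the suggested passphrase.
    print(check_new_password("Summer2023!", ["Summer2022!"]))
    print(check_new_password("Last-of-Our-Chardonnay-Couch", ["TLOUl0v3r7"]))
```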

Aside from creating and storing complex passwords, many password managers also offer two-factor authentication (reviewed in the next section), can alert you to duplicate or reused passwords, and may offer services to help you remember fake answers to security questions.

Using a reliable password manager can address many of the other suggestions made in this article.

Use Two-Factor Authentication (2FA)

Two-factor authentication means that, along with a username and password, you need another “factor” to unlock your account, which makes your accounts more difficult for an attacker to access. Common examples are codes you receive by email or text message. Another option is an authentication app that provides a rotating code to enter when you log in.

Google will also allow you to enable “advanced security” on your accounts and order a hardware multi-factor authentication (MFA) token directly from them. A FIDO2 hardware token is currently probably the most secure implementation of MFA. Consumers can also buy a FIDO2 token like a YubiKey on Amazon that will work with nearly every service they use.

Strengthening security questions

When creating answers to security questions, you should never put real answers. This information can often be found through online records. Instead, create your answers the same way you would create long difficult passwords.

Leverage OmniWatch™

If you already have OmniWatch, don’t worry: you’re covered with up to $2 million in identity theft insurance if you’re the victim of identity theft (some exclusions and limitations apply). We have US-based restoration specialists available 24/7 to walk you through the entire process and even fill out and submit paperwork for you.

If your password has been compromised, contact OmniWatch support to get started on the process of restoring your identity.

What Cybersecurity Professionals are Saying

Chester Wisniewski

Principal Research Scientist at Sophos

“Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies”

Matt Kapko

Cybersecurity Reporter

"Threat actors don’t just follow the news — they react to it and identify new ways to target potential victims during moments of heightened sensitivity."

Chester Wisniewski

Principal Research Scientist at Sophos

"ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams."