How to lock down your finances and online accounts after a data breach spreads your information to the secret corners of the internet
How much does your data sell for on the dark web?
• Your credit-card number: $6
• Your PayPal account credentials: $100
• Your crypto wallet login: $350
A few weeks ago, I wrote a column about tools to scrub your information from websites. I received many emails from readers who asked: “What about my data that’s on the dark web?”
This hidden part of the internet is where criminals exchange illegally obtained data, such as passport details, passwords and Social Security numbers—including mine, I recently discovered. The above pricing, provided by cybersecurity company NordVPN, gives you a sense of how marketable your data can be following a hack.
This guide will help you find out if your sensitive information is on the dark web, and prevent bad guys from doing damage with it.
Data in the dark
The dark web requires special software to access, but you don’t have to venture there to search for your data. Password managers, security websites and other services can scan databases of previously leaked information for your passwords or other info. While it isn’t the full picture, it will at least give you a sense of your exposure, so you can take steps to prevent identity theft.
Google rolled out dark web monitoring to all of its users last year. My report identified my email address and username in a dump of 200 million exposed X (formerly Twitter) users from 2023. I scrolled to find that my Social Security number, birth date, home address and more were also on the dark web, from a 2019 AT&T breach of 73 million customers.
Here’s how to look for your leaked records:
Google: You need a personal Google account (not affiliated with work or school) to get started. Go to myaccount.google.com/security > Dark web report > Start monitoring. When you get there, fill out a profile of personal information Google can scan for. The company promises not to use that info for other purposes.
Apple Passwords: The free password-manager app can identify passwords found in data breaches. In the iPhone, iPad or Mac app, go to settings and select Detect Compromised Passwords.
Have I Been Pwned: This website by security researcher Troy Hunt has compiled data from breaches for over a decade. You can plug in your email address to view where it has been compromised.
Password managers: 1Password ($36 a year) flags any saved passwords that appear in Have I Been Pwned data. Dashlane ($60 a year) and Bitwarden (free and paid plans, starting at $10 a year) also offer dark web alerts.
Identity-theft protection services: Some, such as NordProtect ($90 a year) and Aura ($144 a year), offer monitoring in addition to insurance.
Exposed? What to do
Once your info appears on the dark web, it’s hard to reel it back in, says Dave Chronister, chief executive of Parameter Security, which protects companies against cyber threats. The anonymity of the dark web shields the site’s physical location, which makes it difficult for law enforcement to track down, he says.
Always be wary of scammers who could use your compromised personal info to trick you. And set up roadblocks to prevent criminals from stealing your money or hacking into your accounts.
Lock down your finances: A Social Security number is one of the most dangerous pieces of information that can be leaked, Chronister says. That’s because criminals can use it to commit different kinds of fraud, and it’s difficult to change your number.
Freeze your credit at the three major credit bureaus—Experian, TransUnion and Equifax—to prevent hackers from opening an unauthorized account. You can also lock down lesser-known credit-reporting bureaus, including ChexSystems and the National Consumer Telecom & Utilities Exchange.
Change compromised passwords: If you reused that password for multiple accounts, reset those, too. Many hackers use leaked passwords to launch attacks on other services. And yes, you really should change all of your duplicated or easy-to-guess passwords. Set up a password manager to help you create complex, unique logins for every site.
Turn on multifactor authentication: Typically a time-sensitive code from your phone, this extra digital lock will protect your account if a hacker gets your password. A code-generating app, such as Authy or Google Authenticator, is the most protective method—but any multifactor authentication is better than none at all. Don’t forget to enable it for your password manager, too. Just be sure to have a backup plan in case you lose your phone.
Open Social Security and IRS accounts: If you haven’t already, sign up for an online Social Security account and IRS account before a hacker can use your info to do it on your behalf, recommends James Lee, president of the nonprofit Identity Theft Resource Center.
He also advises tax filers to sign up for an identity protection PIN from the IRS, which prevents someone else from filing your tax return and claiming a refund. This code changes every year.
Stop giving out unnecessary data: Hackers can’t steal data that’s not there, Lee says. Next time a nongovernment entity asks for your Social Security number, like a dentist, try refusing and offering another form of identity. Give out a burner number, and even a burner birth date.
Driver’s licenses have become more valuable to criminals, because companies began using them to verify identity during the pandemic, according to Lee. In 2021, hackers targeted driver’s licenses specifically during an attack on insurance company Geico.
Be careful who gets your license number or a photo of your license. If it ends up on the dark web, you might end up in the DMV line.
Write to Nicole Nguyen at nicole.nguyen@wsj.com