Passwords on the dark web: What risks should you know?

The dark web is a hidden place of the Internet that cannot be indexed or accessed through traditional search engines (a.k.a. the surface web). Its limited access, high anonymity, and encryption make it an attractive location to sell sensitive data obtained during a data breach.

How common are passwords on the dark web? Why do they end up there? How to protect your data from being dumped?

What is the purpose of the dark web?

The dark web is a part of the deep web. It is a hard-to-access, anonymized place that attracts (cyber)criminals and people ready to pay for (illegal) goods and services.

Different from the deep web, the dark web is built on darknets. This means that you need special software (like Tor Browser) to access it.

Although accessing the dark web does not break the law, most content and activities are illegal. Examples include selling unlawful items (such as guns) or offering illegal services (terrorism, money laundering, etc.).

The dark web is also used by hackers to sell leaked passwords. They can also sell credit card details, bank account information, or other sensitive personal data.

How do passwords end up on the dark web?

Platforms get breached, passwords get leaked. Since 2005, there have been over 11 billion records breached globally. Statistically, each person on Earth should have at least one credential breached so far.

Recently, video conferencing software Zoom was leaked. Immediately, more than 500,000 passwords were sold over the dark web. The buyer could receive victims’ emails, passwords, and personal meeting links.

What are the risks of dumped passwords on the dark web ?

Once hackers leak password databases, they publish them on the dark web or hackers’ forums for other people to buy them. This provides a financial advantage for the cybercriminal – he can earn money by reselling them.

All dumped passwords on the dark web raise privacy and security concerns. In the Zoom case, anybody could buy such databases for as little as $0.0020 per account.

Cybercriminals frequently use this leaked data for further cybercrime:

• social engineering attacks;
• credential stuffing attacks;
• break into financial accounts;
• request to pay the ransom.

Passwords on the dark web are prone to further cyber attacks. That’s why it is crucial to act immediately after the data gets compromised in a breach.

Your data has been dumped into the dark web. Now what?

After your account gets breached, most likely, your login credentials immediately appear on the dark web.

Here are a few things you can do once you find out about the data breach:

1. If that password was protecting a valuable account, change it immediately. Create a new, never-used, strong password.
2. If you recycled that password on a few platforms, update credentials on all of them. Choose a unique password for each account. This will protect your accounts from further breaches.
3. Turn on Two-factor authentication for (at least) the most valuable accounts.

You can always check if your email address or phone was breached here.

How to protect your sensitive data?

A few data protection principles can prevent dumped passwords on the dark web. Although bullet-proof security does not exist, these steps will assuredly help you to minimize the risk:

1. Never create the same password for multiple platforms. Cybercriminals can use it to access other accounts.
2. Always create random, unique passwords that consist of at least 15 characters.
3. Use a password manager to store your most sensitive credentials.
4. Enable Two-factor authentication on a password manager and other important accounts.
5. Never click on any suspicious links, messages, or email attachments.

Secure your data before a breach happens and minimize the risk of dumped passwords on the dark web.