What to Do If (or When) Your Email Is Leaked to the Dark Web

The dark web has a bad reputation, and it has earned it. It is a complex subsection of the web, and it’s not all bad, but its nature allows illicit and illegal activities to flourish anonymously. This is why hackers choose the dark web as their outlet for stolen user data: if you plan to traffic in digital contraband, you will do it as privately as possible.
As such, you might be a little stressed if you’re told that your email address was found on the dark web. Perhaps you use an identity theft service that discovered your information there. Perhaps you notice an increase in spam, especially spam that appears to be aimed at you personally. In any case, it’s understandable to be anxious. The good news is that this is more common than you think, and there are steps you can take to protect your data in the future.
What is the dark web?
Despite its aforementioned reputation, the dark web is not “Evil Doers Central.” It is simply a part of the deep web, or the part of the Internet not indexed by search engines. The deep web makes up the vast majority of the global Internet, but the dark web is unique because it requires a specific type of browser, like Tor, and knowledge of specific dark web addresses to access it.
The dark web is inherently private and anonymous. This is why it attracts bad actors. But that doesn’t mean that’s all it’s used for. Anyone who needs to access the Internet without worrying about intervention can use the dark web. Think about journalists in countries that would prefer their stories not be told, or citizens whose governments censor the public Internet. There’s a lot of bad stuff out there, sure, but there’s also some perfectly innocent and productive content. For more information on this murky and mysterious place, check out our full explanation and guide here.
Why is my email address on the dark web?
If your email address is on the dark web, it’s likely because one of the companies you shared it with suffered a data breach. Unfortunately, data breaches happen all the time, and there’s really no way to guarantee that a company you choose to share your email address with won’t be subject to a breach at some point in the future. Sometimes the company itself is breached; other times it’s a third party the company shares data with.
When bad actors break into an organization’s systems and steal their data, they often put the loot on the dark web. This makes it easier to sell stolen data anonymously. As such, it’s really no surprise if your email ends up on the dark web, although that may not be much consolation.
What can hackers do with my email on the dark web?
Your email address is for sale and someone is buying it. Now what? Well, the buyer has a few tactics to choose from. First, they will probably try to break into the different accounts that you may have used that email address with. If passwords were also exposed in the data breach, they might try those too. That’s why it’s a great idea to change your passwords as soon as you become aware of the breach, but we’ll talk more about that later.
If they can’t access your accounts on their own, they will want to enlist your help, without your knowing it of course. To do this, they will likely target you in phishing attacks, and since they know your email address, they will likely contact you via email. There are a lot of phishing campaigns, but here are some examples: you might receive fake data breach notifications, with a link to verify your account; you might find a message telling you it’s time to change your password; you may receive an email alerting you to a login attempt; you might even receive an aggressive email with demands from the hackers.
Hackers may also choose to impersonate you. They can create an email address that looks a lot like yours and contact your contacts to make them believe it’s really you. Tell your close contacts (especially those who you think won’t look closely at the “from” line in an email) that your email has been leaked on the dark web, and tell them to watch out for impostors.
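The "look closely at the from line" check can also be automated. The Python sketch below is an added example, not part of the original article: it compares a message's From header against a list of addresses you trust and flags near-misses. The addresses, the small look-alike character table and the 0.8 similarity threshold are all constructed assumptions.

```python
import difflib
import unicodedata
from email.utils import parseaddr

# Constructed sample data: your own address plus a trusted contact.
KNOWN_ADDRESSES = {"jordan.lee@example.com", "sam@example.org"}
# A few common look-alike characters folded to one form (illustrative, not complete).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "5": "s"})


def skeleton(addr: str) -> str:
    """Fold Unicode compatibility forms, look-alike characters and case."""
    folded = unicodedata.normalize("NFKC", addr).translate(CONFUSABLES).lower()
    return folded.replace("rn", "m").replace("vv", "w")


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify_sender(from_header: str, known=KNOWN_ADDRESSES, threshold=0.8) -> str:
    """Return 'known', 'name-mismatch', 'lookalike' or 'unknown'."""
    display_name, addr = parseaddr(from_header)
    if addr.lower() in known:
        return "known"
    # A trusted address shown as the display name while the real sender differs.
    if any(real in display_name.lower() for real in known):
        return "name-mismatch"
    local, _, domain = skeleton(addr).rpartition("@")
    for real in known:
        real_local, _, real_domain = skeleton(real).rpartition("@")
        # Both halves must be near-identical, so a stranger who merely
        # shares a mail provider with a contact is not flagged.
        if min(similarity(local, real_local), similarity(domain, real_domain)) >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for header in (
        "Jordan Lee <jordan.lee@example.com>",
        "Jordan Lee <jordan.1ee@example.com>",
        "Jordan Lee <jordanlee@exarnple.com>",
        '"jordan.lee@example.com" <billing@mail-example.net>',
        "Alex <alex@example.org>",
    ):
        print(f"{classify_sender(header):14} {header}")
```

The character table only covers a handful of ASCII substitutions; it does not catch look-alike letters from other alphabets, so treat a result of "unknown" as unverified rather than safe.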
Here’s what to do if your email address is on the dark web
First of all, don’t panic. Again, data breaches happen so often that many of our email addresses (among other data) have been leaked onto the dark web. Although it is not a GOOD thing, it’s not the end of the world either.
Next, change your passwords, starting with your email account itself. If you know the account from which the email was stolen, be sure to change that account’s password next, as your password may also have been affected by the data breach. As usual, make each password strong and unique: you should never reuse account passwords, and they should all be long and difficult for both humans and computers to guess. As long as each of your accounts uses a strong, unique password, you really shouldn’t have to change all of your passwords: hackers may have your email address, but they won’t have all of those passwords to use with it.
From there, make sure all your accounts use two-factor authentication (2FA), where available. 2FA ensures that even if someone has the email address and password for a given account, they still need access to a trusted device to verify their identity. Hackers won’t be able to do anything with your stolen credentials if they don’t have physical access to, say, your smartphone. This is a crucial step in maintaining your security following a data breach. You can also choose to use passkeys instead of passwords for all accounts that offer them. Passkeys combine the convenience of passwords with the security of 2FA: you log in with your fingerprint, facial scan, or PIN, and there are no passwords to steal.
From there, monitor your different accounts connected to this email address, including your financial accounts. Your email address alone probably won’t put you in too much danger, but if additional information was exposed, you’ll want to make sure hackers don’t break into your important accounts. You could take drastic action, like freezing your credit, but, again, if it’s just your email address, that’s probably a step too far.
Can I remove my email from the dark web?
Although some data removal services claim to be able to remove data such as email addresses from the dark web, this is simply not 100% possible. The dark web is vast and unregulated, and once data is leaked there, the cat is out of the bag. Of course, a service like DeleteMe could ask data hosts to delete your email, but those hosts are under no obligation to comply. Plus, hackers who buy your email already own it. Again, exposed email addresses are not the end of the world. But if you can’t stand having your email on the dark web, your best bet may be to create a new account.
Prevent your email address from ending up on the dark web
What you can do is take steps to prevent data loss in the future. The best action to take is to stop sharing your email in the first place. However, you don’t need to be a hermit: use an email alias service, like Apple’s Hide My Email or Proton’s Email Alias feature, to generate a new alias every time you need to share your email. Messages sent to the alias are forwarded to your inbox, so the experience is the same for you, all without exposing your real address to the world. If one of these companies suffers a data breach, no problem: just delete the alias.
At this point, consider using a data monitoring and deletion service. Maybe you’ve done this before, and that’s how you discovered your email on the dark web to begin with. But if you haven’t, you have plenty of options to choose from. While no one can promise that they will remove email addresses from the dark web, they might spot your email if it ends up there. If you are using aliases, then you can delete that particular address and create a new one for the respective account. Also, if your email turns up somewhere other than the dark web, they may be able to remove it for you.




