The dark web has a bad reputation—one it has earned, at that. It’s a complex subsection of the web, and it’s not all bad by any means, but its nature does allow illicit and illegal activity to prosper anonymously. That’s why hackers choose the dark web as their point of sale for stolen user data: If you’re going to traffic digital contraband, you’re going to do so as privately as possible.
As such, you might be a bit stressed if you’re told your email address was found on the dark web. Maybe you use an identity theft service, which discovered your information here. Perhaps you’re noticing an uptick in spam, especially spam that seems targeted to you personally. In any case, it’s understandable to be anxious. The good news is, this is more common than you think, and there are steps you can take to protect your data going forward.
What is the dark web?
Despite its aforementioned reputation, the dark web is not “Evil Doers Central.” It’s simply one part of the deep web, or the part of the internet not indexed by search engines. The deep web makes up the vast majority of the global internet, but the dark web is unique, because it requires a specific type of browser, like Tor, and knowledge of specific dark web addresses, to access.
The dark web is inherently private, and inherently anonymous. That’s why it attracts bad actors. But that doesn’t mean that’s all it’s good for. Anyone who needs to access the internet without worrying about intervention can use the dark web. Think about journalists in countries that would rather they not tell their stories, or citizens whose governments censor the public internet. There’s plenty of bad to be had, to be sure, but there’s also perfectly innocent and productive content, too. For more information about this murky, mysterious place, check out our full explainer and guide here.
Why is my email address on the dark web?
If your email address is on the dark web, it’s likely because one of the companies you shared it with suffered a data breach. Unfortunately, data breaches happen all the time, and there’s really no way to ensure that a company you choose to share your email address with won’t be a victim of a breach at some point in the future. Sometimes the company itself is breached; other times, it’s a third-party the company shares data to.
When bad actors break into an organization’s systems and steal their data, they often put the spoils on the dark web. This makes it easier to sell the stolen data anonymously. As such, it’s really no surprise if your email ends up on the dark web—though that might not be much consolation.
What can hackers do with my email on the dark web?
Your email address is for sale, and someone buys it. Now what? Well, such a hacker could choose a few tactics here. First, they’ll likely want to try breaking into different accounts you might have used that email address with. If you lost any passwords in the data breach, they might try those, too. That’s why it’s an excellent idea to change your passwords as soon as you learn about the breach—but more on that later.
If they can’t break into your accounts on their own, they’ll want to enlist your services—unknowingly, of course. To do so, they’ll likely target you in phishing attacks, and, seeing as they know your email address, they’ll probably come via email. There are a lot of phishing campaigns out there, but here are some examples: You might receive fake data breach notices, with a link to check your account; you might find a message telling you it’s time to change your password; you might get an email warning you about a login attempt; you might even receive an aggressive email, with demands from the hackers.
Hackers may also choose to impersonate you. They might create an email that looks very similar to yours, and reach out to your contacts in order to trick them into thinking it’s really you. Tell your close contacts (especially any you think won’t look close at the “from” line in an email) that your email was leaked on the dark web, and to watch out for imposters.
Here’s what to do if your email address is on the dark web
First of all, don’t panic. Again, data breaches happen so often that many of our email addresses (among other data) have leaked onto the dark web. While this isn’t a good thing, it also isn’t the end of the world.
What do you think so far?
Next, change your passwords, starting with your email account itself. If you know the account the email was stolen from, make sure to change this next, as your password may have also be affected in the data breach. As usual, make each password strong and unique: You should never reuse passwords with any account, and all of them should be long and difficult for both humans and computers to guess. As long as each of your accounts uses a strong and unique password, you really shouldn’t have to change all of your passwords: Hackers may have your email, but they won’t have all these passwords to use with it.
From here, make sure all of your accounts use two-factor authentication (2FA), when available. 2FA ensures that even if you have the email address and password for a given account, you still need access to a trusted device to verify your identity. Hackers won’t be able to do anything with your stolen credentials if they don’t have physical access to, say, your smartphone. This is a crucial step for maintaining your security following a data breach. You could also choose to use passkeys instead of passwords for any accounts that offers it. Passkeys combine the convenience of passwords with the security of 2FA: You log in with your fingerprint, face scan, or PIN, and there’s no password to actually steal.
From here, monitor your various accounts connected to this email, especially your financial accounts. Your email address alone likely won’t put you in too much jeopardy, but if you lost additional information, you’ll want to ensure hackers don’t breach your important accounts. You could take drastic steps, like freezing your credit, but, again, if it’s just your email address, this is likely a step too far.
Can I remove my email from the dark web?
While some data removal services claim to be able to remove data like email addresses from the dark web, it’s just not 100% possible. The dark web is vast and unregulated, and once the data leaks onto it, the cat’s kind of out of the bag. Sure, a service like DeleteMe could request data web hosts to take down your email, but they don’t have to. Plus, hackers who buy your email already have it. Again, exposed email addresses are not the end of the world. But if you can’t stand having your email on the dark web, your best bet may be to make a new account.
Preventing your email address from winding up on the dark web
What you can do is take measures to prevent data loss in the future. The best step to take is to stop sharing your email in the first place. You don’t need to be a hermit, though: Use an email alias service, like Apple’s Hide My Email or Proton’s email alias feature, to generate a new alias every time you need to share your email. Messages sent to the alias are forwarded to your inbox, so the experience is the same for you, all without exposing your actual address to the world. If one of these companies suffers a data breach, no problem: Just retire the alias.
To that point, going forward, consider using a data monitoring and removal service. Maybe you already do, and that’s how you learned about your email on the dark web to begin with. But if you don’t, there are many options out there to choose from. While none can promise they’ll remove email addresses from the dark web, they might spot your email if it ends up there. If you use aliases, you can then kill that particular address and make a new one for the affected account. Plus, if your email ends up somewhere other than the dark web, they might be able to remove it for you.
Originally published at Lifehacker
