Discovering that your personal data is circulating on the dark web is akin to a personal violation. Your email address, a password, credit card number, or social security number could potentially be on the highest bid. This isn’t just someone messing with your info. You start spiralling: “Okay, so what now?”
To better understand the hidden corners of the internet where your data is trading, you can read our article on what is dark web and how it works.
So, while the feeling is valid, the most powerful thing you can do is channel that energy into focused, decisive action. This isn’t the end of your digital life—it’s the beginning of you taking full control of it.
Time’s not your friend, and the longer you wait, the more mischief these hackers can pull with your info. But, no need to panic; just take a second there, breathe it out, and make a plan – a smart game plan will help you out in the situation.
This article explains what to do if your information is found on the dark web (step-by-step guide). We’ll also guide you how to secure your accounts, preventing access to your data, whether you are on an iPhone, Android, or a laptop.
Your 8-step safeguarding plan (jump links)
If you discover any of your information (email address, card details, etc.) lurking on the dark web, take the following steps immediately to protect your identity and secure your accounts:
- Change your passwords immediately: Begin with the accounts related to the information exposed.
- Turn on two-factor authentication: All of your important accounts should require an additional security step.
- Keep an eye on your financial accounts: Look out for unauthorized transactions and freeze your credit if advisable.
- Report identity theft: You can report FTC online and your local police department if necessary.
- Set up fraud alerts: In most states, you can usually do this through one of the three major credit bureaus (Equifax, Experian, or TransUnion).
- Pay for a dark web monitoring service: Ongoing monitoring helps a lot; you get alerts if more of your data pops up.
- Time to time, check your credit report: Dig through all three main bureaus—look for anything shady or weird.
- Upgrade your security software: No one wants viruses or sketchy malware sneaking in while you’re trying to clean up this mess.
We’ll get to the details a little later, but first, in case you’re wondering, “how can I check if any of my information is on the dark web?” Let’s get to that right away.
How to find out if your information is circulating on the dark web
Before we get into the steps to take, how were you notified of this to begin with? You also want to confirm which of your personal information is actually out there. Generally, people find out through a data breach monitoring service.
Let’s be real—most of those “identity theft protection” sites love to brag about their dark web scanning. Basically, they poke around the internet’s sketchiest back alleys, looking for your info—stuff like your email, Social Security, or phone number. You pay them, they panic for you.
But you don’t need to shell out cash just for a little peace of mind. Services like Have I Been Pwned can be your peace of mind. Enter your email and see if it’s floating around where it shouldn’t be (for free mostly).
If your address is listed, chances are your information is already circulating in the dark corners of the web. It’s better not to wait until it’s too late. Check if your information is floating around out there; it’s better to be safe than to be disappointed.
Here are helpful steps to find out:
Check breach notification databases
Go to a tool like HaveIBeenPwned.com – a total lifesaver if you’re even a little bit suspicious about your info floating on the dark web. Enter your email, and it’ll cough up a list of all the breaches your details got caught up in. No need to freak out about privacy either, since they don’t store your email or anything. Just a quick check, nothing too serious.
Use built-in features in your browser
Don’t sleep on your browser, either. Top browsers, like Chrome and Firefox, now have features to flag if your saved passwords have been spotted in a breach. Super handy; just take a peek at your browser’s security settings and make sure the password check thing is switched on. It’s usually buried somewhere in there, but trust me, it’s worth the two minutes.
Here’s how to check it on famous browsers:
In Chrome:
- Head to Chrome’s settings, then go to “Privacy and security” and tap on “Safety check” or navigate directly to passwords.google.com and check by running the Password Checkup tool.
In Firefox:
- Firefox Password Manager has this built-in feature, alerting you about any saved credentials that may have been breached.
Try free dark web scanning tools
There are various types of companies that provide free dark web scans. For example, Experian offers a free dark web scan that will check whether your Social Security number, email, or phone number is on the dark web. These tools won’t pick up everything; however, they might be a good place to start.
Create an account with a service for identity theft protection
If you would like to do a more thorough investigation, you can always sign up for a paid identity theft protection service. Companies such as Aura, IdentityForce, and LifeLock monitor the dark web 24 hours a day, 7 days a week, and they will notify you if they see your information.
They’ll cost you money, of course, but the peace of mind with successfully finding out that your information is for sale on the dark web should be worth it given how dangerous the dark web is. You can also opt for a complete data leak checking and removal tool such as Surfshark Alert, which costs around $2.69/month.
What to do when your personal information is found on the dark web – Detailed steps
Now that we have covered how to check if your information is on the dark web, let’s move on to what you can do after you discover it is there.
1. Change your passwords immediately
This is the first line of defense when you discover your data on the dark web. If hackers have your previous password, they will use it elsewhere, including your email, your bank account, your social media account, or any shopping site. You need to cut them off right away.
- Check your email account: Your email is a master key to everything. If someone hacks into your email, you’re in a rough spot. They can basically waltz into your other accounts by resetting passwords, so your first move? Change your email password ASAP. Don’t mess around with weak stuff either—think 12 characters or more, toss in some numbers, symbols, maybe the name of your childhood goldfish, whatever makes it strong and not obvious. (You can read our guide on how to create a strong and unique password)
- Check your financial accounts next: After updating your email account, you need to update your bank and credit card accounts, as well as any payment sites like PayPal, Venmo, and anywhere else that handles your money.
- Make a password manager your friend: Never use a password twice. Remembering passwords sucks, we know that, unless you’re one of those memory wizards. To save yourself from this hassle, get yourself a password manager (Bitwarden, LastPass, 1Password, Dashlane, etc). You only need to remember one master password. Seriously, it’s a lifesaver when you’ve got an army of logins.
- Avoid using the same password for multiple accounts: The most important part; don’t recycle passwords across different sites. Just don’t. If you do, you might as well hand the hackers a skeleton key. The second one site leaks, they’re popping into everything. Hackers love lazy password habits. They grab leaked passwords from one site and try them on every popular web service until it works.
2. Set up two-factor authentication for everything
Only using strong passwords alone isn’t enough anymore. Set two-factor authentication (2FA)—it’s not just a buzzword, it’s a must.
You know, that deal where you need a code from your phone or an app as a second step? Even if a bad actor gets your password, they’re still stuck at the door. It’s like having two locks, and hackers hate it.
- Enable it on all accounts that matter: 2FA should be set up on your email, banking apps, social media, and any other account that stores sensitive data. Most services provide you with the option in their security settings. Setting it up takes about 5 minutes and will save you thousands of dollars in fraud.
- Use an authenticator app: 2FA Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator can be really helpful. They are by far more secure than just using an ordinary SMS code. Your phone number can be compromised in a SIM-swapping attack, but the authenticator app is simply tied to your device directly.
3. Keep an eye on your financial accounts and freeze your credit
Once your information gets on the dark web, criminals who get hold of it might try to open credit accounts in your name, or to drain any credit accounts, so:
- Review your bank statements every day: It’s good to always be alert in case of unauthorized transactions, no matter if the amount is small. Sometimes hackers like to test stolen cards by doing random small charges before they make a larger purchase. If you see something suspicious, notify your bank immediately.
- Place a fraud alert on your credit reports: Fraud alerts are solid. They make credit bureaus double-check it’s really you before anyone opens accounts in your name. Just ping Equifax, Experian, or TransUnion and you’re set for a year, free.
- Consider a credit freeze: A credit freeze is more potent than a fraud alert. This locks your credit reports so no one can gain access to open new accounts. You will need to temporarily remove the freeze when you apply for credit yourself, but this is the most protective action against identity theft. It is free, and you can do it online, with all three bureaus (mentioned above).
- Review your credit reports: Once a year, you can snag a free copy from each bureau at AnnualCreditReport.com. It’s your right. Look for any accounts you never set up, weird inquiries, or personal info that’s not right. If something’s off, dispute it right away—don’t wait.
4. Report the identity theft to the authorities
If things get serious, documentation is invaluable. Filing official reports helps you dispute fraudulent charges or accounts.
- File a report with the FTC: Head to IdentityTheft.gov to file a report with the Federal Trade Commission. They will build a personalized plan for you to recover and provide an official report of identity theft you can use with creditors and credit bureaus.
- File a report with your local police: Some agencies allow you to file the report online. Make sure to obtain a copy of the report because you will need it to prove to the banks and credit card companies that you are a victim of identity theft.
- File a report with the Internet Crime Complaint Center: If things are really bad, like money just vanished due to anything cybercrime, contact the IC3 at ic3.gov. Don’t expect to get your cash back, but you’ll help the feds track down the bad guys.
5. Notify your financial institutions and creditors
Do not wait until you receive fraudulent charges. Notify your banks and credit card providers that your information has been compromised.
- Let your bank and credit card providers know: Call them directly (use the number on the back of your card rather than a number you find on the internet). Request that they review your accounts regularly for suspicious activity. If they feel so inclined, they may issue you new cards with alternate numbers.
- Close any compromised accounts: If a breach directly affects one of your accounts, disable it immediately and create a new one. Yes, this will likely be a hassle, but it is preferable to unauthorized charges down the line.
- Sign up for account alerts: Most financial institutions will allow customers to sign up for either text alerts or email alerts for transactions that exceed a certain dollar amount, available funds in other states, or for any internet purchases. Turn that function on. It will allow you to identify fraud in real time.
6. Use a dark web monitoring service for ongoing protection
One-time scans are helpful. Continuous monitoring improves the results of monitoring. Malicious actors on the dark web often sell and resell information multiple times.
- What dark web monitoring services do: These services will scan popular dark net marketplaces, chat rooms, and forums for stolen data that criminals use for selling. If the service detects any of your information, it will alert you immediately so you can take action in time. Some top paid monitoring services are Aura, IdentityForce, Experian IdentityWorks, and Norton LifeLock. Although some differ in terms of services and costs, you must choose the service/monitor based on your needs. Some of them will include services like credit monitoring, insurance, and concierge services to assist with resolving fraud cases.
- Free dark web monitoring services vs. paid ones: If you are not prepared to spend money on the paid ones, you can use the free ones. However, no-cost services often come with limited offerings. They may only check for your email or phone number. Paid services, on the other hand, monitor multiple data points (Social Security numbers, credit cards, medical records, etc.) with very valuable alerts and recovery assistance.
7. Physically protect your devices and your devices online
Compromised data typically results in stolen data due to malware or a phishing attack. You need to take actions to harden your digital security to prevent a future incident.
- Run antivirus and anti-malware scans: Scan all your devices with premium security (antivirus) software (Malwarebytes, Bitdefender, Norton). For this, scan and delete anything the active security product or program finds suspicious. Allow it to run in the background so that it will protect your device in real-time, not just by setting it once and forgetting.
- Watch out for phishing emails and texts: Hackers also love phishing – they often send sneaky emails (phishing emails) or texts in attempts to trick you with information they stole. Be cautious about clicking links in your emails or texts you weren’t expecting. If it looks strange, then simply type in the URL yourself.
- Be sure to update all your software: Old software offers a stopgap for protection against vulnerabilities that hackers will exploit. Keep your software up to date (enable updates for your computer operating system).
- Check app permissions: Last, not least – check what permissions you’ve granted to apps on your device. Head to “Settings” and see who’s got access to your contacts, camera, mic, and location. If it’s not really necessary for the app, then best shut it down. No need to let a random game or app spy on your life. Some apps pull much more data than they need and are also actively selling that data to other companies.
8. Stay alert and keep records
Recovering after identity theft is not a “one and done” process. It requires continued vigilance for months (even years) after a breach:
- Document everything: Every move you make (whether a password change, phone call with a bank, filing a police report, freezing your credit), keep notes on them. Keep a record of everything; you never know when you’ll be needing those as evidence to fight back if someone tries to use your information for something shady.
- Schedule reminders on your calendar: You shouldn’t only bank on your memory, which, realistically, isn’t as trustworthy as you might think. Create regular reminders to check your credit report, your checking accounts, and your dark web monitoring alerts (yes, that’s a thing). Do this on a monthly cadence, and don’t let it fall off your calendar to-do list just weeks later.
- Be aware of new scams: Scammers never rest, always thinking of new ways to mess with people. Best keep an eye out; check security blogs, sign up for FTC alerts, and stay informed about the latest phishing scams and data breaches (you can get an idea of the biggest data breaches in recent times by reading our this article). It’s a pain, but better than scrambling after the fact.
How to prevent your data from ending up on the dark web
Wiping out every risk may not really be achievable; however, there are ways to make it really hard for crooks to mess with your data. So, how do you possibly stop your info from getting there? Take a look at these few important prevention tips:
- Make your passwords strong and unique: We are always hammering on this, and trust us, it’s worth it. No “password123”. A password manager is your greatest asset here.
- Enable two-factor authentication: Don’t take it easy, it’s worth it. Turn it on everywhere you can.
- Trust no one: Phishing emails are everywhere. Don’t click sketchy links, don’t download weird attachments, and if someone randomly messages you asking for your Social Security number, run the other way. Legit companies never ask for that stuff out of the blue.
- Don’t share so much personal information online: Easy on oversharing. Do you really need your full birthday and home address on your Insta bio? Not really; so best keep it tight and private. The less personal information you publish on social media and, by extension, other public forums, the less data thieves have to put together.
- Don’t access using public Wi-Fi and get a VPN: Do not log in to a banking or shopping site using unsecured public Wi-Fi. If you’re on public Wi-Fi (coffee shop, airport, etc.), fire up a VPN. Public WiFis have the dangers beyond regular internet user’s imagination. A VPN scrambles your traffic so the creep at the next table can’t snoop on your browsing.
- Check your accounts regularly: Don’t just wait for a “fraud alert.” Make it a monthly thing to check your bank and credit card statements, and your credit report. It’s way easier to catch a problem early. The earlier you catch fraud, the less damage it will do.
- Only share data with apps and websites: Only give the necessary amount of information needed. If the shopping app is asking for your birthday or Social Security number, and there is no need for it, do not provide it. The less data that is floating around, the less there is to steal.
FAQs
It’s normal to panic because having your personal info on the dark web can be a big risk. But don’t lose your mind; freaking out helps no one. It indicates that your information is vulnerable to fraud. The main thing is to heed that as a warning and secure your accounts right away. If you follow all the steps we’ve given you in this guide, then you will be safe.
First thing you do is change the password to any of your exposed accounts immediately, and then turn on 2FA. By doing so, anyone still hanging onto your old password will be instantly locked out.
Yes, if you want free guidance on what to do when your information appears on the dark web, follow the above-mentioned steps. From changing the password, enabling 2FA, to putting free fraud alerts and credit freezes in place, you can achieve them all without spending a dime. You don’t actually need to pay for a costly service to protect yourself.
Wondering what to do if your information is found on the dark web on an iPhone? Change your passcode and make sure it’s not one that’s easy to guess, and enable 2FA on your Apple ID – this protects your iCloud, App Store purchases, and anything synchronized on your Apple devices. You can access iOS’ built-in password monitoring via
(it alerts you if the passwords you use have been compromised or if it is weak).
The same process for iPhone goes for what to do if your information is found on the dark web Android. Secure your Google account with a new password and 2FA, as this is the master key to your Android device, Gmail, Play Store, etc. You should also run a security scan with a reputable Play Protect or a third-party antivirus to check if there is malware. You can also use Google’s Password Checkup in Chrome or check the Google account security checkup at
.
Your information typically ends up there due to company data breaches, where hackers steal customer data from retailers or services you use. Hackers can steal your data through phishing scams or malware on your device, and sometimes you lose it as collateral damage when a larger company gets hacked without your knowledge.
You can find dark monitoring services for free up to more than $30 a month. Free services will give you simple alerts about data breaches that you may want to use, and typically, a more robust service will allow for ongoing monitoring for a monthly fee. There are even some banks or credit cards that will provide service for free, as an added customer benefit.
