What to Do If (or When) Your Email Gets Leaked on the Dark Web?
The darknet has a bad reputation—and deservedly so. It’s a complex part of the internet, and far from flawless, but its nature allows illegal and illicit activity to flourish anonymously. This is precisely why hackers choose the darknet as a venue for selling stolen user data: if you’re going to sell digital goods, you want to do so with maximum privacy.
So, if you’re notified that your email address has been found on the dark web, you might be a little worried. Perhaps you use identity theft protection services and your information was discovered there. Perhaps you’ve noticed an increase in spam, especially spam that seems to be targeted at you. In any case, it’s understandable to be concerned. The good news is that this happens more often than you think, and there are steps you can take to protect your data in the future.
What is the darknet?
Despite its aforementioned reputation, the dark web is not a “hub of evil.” It’s simply a subset of the deep web , or the part of the internet not indexed by search engines. The deep web makes up the vast majority of the global internet, but the dark web is unique because accessing it requires a specific browser, such as Tor, and knowledge of specific dark web addresses.
The dark web is inherently private and anonymous. This is precisely why it attracts malicious actors. But that doesn’t mean that’s all it’s good for. Anyone who needs to access the internet without fear of interference can use the dark web. Think about journalists in countries that prefer their stories not be told, or citizens whose governments censor the public internet. Sure, there’s a lot of bad stuff out there, but there’s also perfectly harmless and useful content. For more information about this dark and mysterious place , check out our detailed explanation and guide here .
Why is my email address on the dark web?
If your email address is on the dark web, it’s likely due to a data breach at one of the companies you shared it with. Unfortunately, data breaches happen all the time, and there’s no guarantee that the company you chose to share your email address with won’t be the victim of a future breach. Sometimes the breach occurs within the company itself; other times, it occurs at a third party to which the company shares the data.
When attackers hack an organization’s systems and steal data, they often put the spoils up for sale on the dark web. This makes it easier to sell the stolen data anonymously. So, it’s no surprise if your email ends up on the dark web—though that’s hardly much consolation.
What can hackers do with my email on the dark web?
Your email address is up for sale, and someone is buying it. What should you do next? The hacker could use several tactics. First, they’ll likely try to hack other accounts you may have used with that email address. If you lost any passwords in a data breach, they might try to crack those too. That’s why it’s crucial to change your passwords as soon as you learn of a breach—but more on that later.
If they can’t hack your accounts themselves, they’ll want to use your services—without realizing it, of course. To do this, they’ll likely use phishing attacks, and since they know your email address, they’ll likely send emails. There are many phishing campaigns, but here are a few examples: you might receive fake data breach notifications with a link to verify your account; you might receive a message about needing to change your password; you might receive an email warning you about a login attempt; you might even receive an aggressive email with demands from hackers.
Hackers can also impersonate you. They can create an email very similar to yours and contact your contacts to trick them into believing it’s really you. Inform your close contacts (especially those you don’t think will carefully read the “From” field) that your email address has been leaked on the dark web and to be wary of impostors.
Here’s what to do if your email address is on the dark web.
First of all, don’t panic. Again, data breaches happen so often that many of our email addresses (and other data) have ended up on the dark web. While that’s not good , it’s not the end of the world.
Next, change your passwords, starting with your email. If you know which account was hacked, be sure to change the password for that account as well, as your password may have been compromised in the data breach. As always, make each password strong and unique: never use the same passwords for different accounts, and they should all be long and difficult for both humans and computers to guess. As long as each of your accounts uses a strong and unique password, you really don’t need to change all your passwords: hackers may have your email, but they won’t have all of your passwords to use.
Next, ensure all your accounts use two-factor authentication (2FA), if available. 2FA ensures that even if you have the email address and password for a specific account, you still need access to a trusted device to verify your identity. Hackers won’t be able to do anything with stolen credentials unless they have physical access, such as to your smartphone. This is a crucial step to ensuring your security after a data breach. You can also use access keys instead of passwords for any accounts that support them. Access keys combine the convenience of passwords with the security of 2FA: you log in with a fingerprint, face scan, or PIN, without having to steal your password.
Now, keep an eye on all your accounts linked to this email address, especially financial ones. The email address itself probably doesn’t pose much of a risk, but if you lose additional information, you should ensure hackers don’t breach your important accounts. You could take drastic steps, such as freezing your credit history, but again, if it’s just your email address, that’s probably too drastic.
Can I delete my email from the dark web?
While some data removal services claim to remove data like email addresses from the dark web, this isn’t always 100% possible. The dark web is vast and unregulated, and once data is there, everything becomes public. While a service like DeleteMe can request that hosting providers delete your email, they’re under no obligation to do so. Furthermore, hackers who purchased your email already have access to it. Again, leaked email addresses aren’t the end of the world. But if you don’t want your email on the dark web, creating a new account might be your best option.
How to prevent your email address from being leaked to the dark web.
You can take steps to prevent future data loss. The best step is to stop sharing your email altogether. However, you don’t have to become a hermit: use an email alias service like Apple’s Hide My Email or Proton’s email alias feature to generate a new alias every time you need to share your email. Messages sent to the alias are forwarded to your inbox, so everything works the same for you, but your real address won’t be exposed to the world. If one of these companies experiences a data breach, no big deal: just delete the alias.
In this regard, going forward, consider using a data monitoring and deletion service. You may already be using one, and that’s how you discovered your email was on the dark web. But if not, there are many options to choose from . While none of them can guarantee the removal of email addresses from the dark web, they may be able to detect your email if it ends up there. If you use aliases, you can delete that specific address and create a new one for the affected account. Furthermore, if your email ends up somewhere outside the dark web, they may be able to delete it for you.