I loved email. It was the perfect kinda-personal-but-boundary-affirming way to keep in touch. However, over time, I, like many people, entrusted my email address to companies that gave away, sold, or lost my personal information in data breaches, which led to criminals posting my email address (and millions more) on the dark web.
Recently, I had to close the first Gmail account I ever created. I’d dodged scam and spam emails in that inbox for years, but generative AI’s rise created a new wave of sophisticated scams. Alas, my inbox had become a minefield of phishing links and malware-laden attachments. To make myself feel better, I decided to find out which company lost my email address first.
While researching, I learned that there are many paths our personal information can take on the journey from your computer to the dark web.
Follow the Data
“Follow the money,” the source known as Deep Throat says in the film adaptation of All the President’s Men. “Always follow the money.” In the same vein, you should always follow your data, particularly after a company files for bankruptcy or in the aftermath of a data breach.
To help map out how our information gets to the dark web, I revisited my discussion with Dr. Darren Williams, a ransomware and cybersecurity expert at BlackFog. We spoke earlier this year about ways to protect your private information after a data breach. When I told him about my leaked email address, he told me, “Everybody on planet Earth has had their data leaked at this point.” With that in mind, here are some of the ways your data can end up on the dark web.
Data Sales
Companies often sell off customer data during an acquisition or as part of bankruptcy settlements. In these cases, your data gets packaged up and sold to another company, as seen in the recent 23andMe buyout by Regeneron Pharmaceuticals. If the new company gets hacked or otherwise fails to protect your information, that data could end up on the dark web.
Sometimes your information goes straight to a data broker after a company dissolves. Data brokers post your information online and sell off bits of it to anyone who can afford it. Unfortunately, your information isn’t even safe behind the brokers’ paywall, since those sites get hacked, too. We saw an example of this earlier this year when hackers on a Russian cybercrime forum posted screenshots of user data from Gravy Analytics, a location data firm.
Data Breaches
A company may have lost your information to hackers in a data breach or other security incident. Those criminals usually don’t use all of the customer data they steal. Instead, they’ll sell it on dark web forums and websites for other criminals and scammers (or anyone else) to buy.
Phishing
Did you click on a phishing link in an email or text message? I’ve talked to experts who say that texting scams tend to ramp up during the holiday season or around major events, like tax filing deadlines. Scammers will send messages containing links to websites that collect all of your data, including financial information, and then they’ll post it on the dark web.
Quizzes and Surveys
When’s the last time you entered your birthdate on a website to read your horoscope? Have you ever taken a quiz or survey on Facebook or another social platform? When you entered that personal information, you sent it to a database that could be attacked or sold. If either of those things happened, that data is on the dark web now.
Malware or Spyware
Maybe you’ve picked up some malware or spyware on one of your devices. Malicious apps or browser extensions can steal the data right off of your computer or mobile device, and you may not know about it until much later.
Williams cited the 2024 cyberattack on Change Healthcare as an example of this method. “They were latent for nine days inside the company’s computers, behind the firewalls, just doing reconnaissance work,” Williams said. “You only need to have one weak link, and you can get in.”
4 easy things you can do to be more secure online — Clarification Please
Here’s How to Scan Data Breach Reports Fast
My old email address’ path to the dark web is one that may be familiar to my fellow millennials. A some point in the mid-aughts, I signed up for Tumblr, a microblogging site, and then forgot about the account after a few months. When that website’s servers were breached 12 years ago, my email address, along with 65 million others, was stolen.
Finding this information was incredibly easy: I used a data breach report scanner. I chose Bitwarden‘s scanner because it gives you detailed reports that show all of the records exposed in a breach, like your birthdate, photos, phone number, physical address, and other sensitive personal information.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Most of the password managers I’ve tested include some form of dark web monitoring or scanning in the password health section of the app. Password manager dark web scanners can check for mentions of anything in your password manager vault, including email addresses, usernames, or the password themselves.
A data breach report from Bitwarden. (Credit: Bitwarden/PCMag)
Many financial companies, like Experian, offer free dark web scanning tools. You can also set up dark web monitoring for your Google accounts. You enter a bit of info about yourself, usually your email address, and the tool scans known data breach lists posted to the dark web for that information.
Recommended by Our Editors
Only use dark web scanners from companies you recognize and trust. I say this because it’d be incredibly easy for anyone to set up a web form that can steal your social security number, banking details, address, and other private information under the guise of scanning data breach reports.
You Can Prevent Fallout From Future Breaches
It’s incredibly hard to take your data off the dark web. Even dark web forum closures or site bans won’t save you, because the breach list data is probably saved elsewhere. Removing your data from the public web is tough, too. Consider signing up for a personal data removal service to help get some of your personal information off of data broker sites.
“I’d always advise people to be very careful what you put out there,” Williams told me. “If you’ve posted anything online, it’s already out there. You can’t put the genie back in the bottle.”
In other words, don’t give data brokers or criminals anything to collect in the first place. Maybe that means making your profile private or not using social media platforms at all. You can also start entering as little information as possible when signing up for online services or shopping. Does the hardware store really need your full name and birthdate because you’re buying a rake? Probably not; don’t give that away (or better yet, lie about it).
Consider poisoning your online data well, too. That means filling online forms with fake information (get creative with your pseudonyms) so when that information is lost in a data breach or sold during a corporate acquisition, you won’t care, because it’s not your real information anyway.
With help from Williams, I’ve written a detailed guide to recover your privacy after a data breach. After giving that a read, check out PCMag’s cybersecurity checklist for a list of periodic tasks to help you clean up your online presence and shore up your digital defenses.
About Kim Key
Senior Security Analyst
