What to do if your information is on the dark web

It’s a scary feeling to find out your personal information might be floating around on the dark web. Maybe you got an alert from a monitoring service or heard about a big data breach and want to be sure you’re safe.

Don’t panic; there are practical steps you can take right now to protect yourself. In this guide, we’ll walk you through what it really means when your data is on the dark web, how to check, and what to do next to keep your identity and accounts secure.

What is the dark web?

The dark web is a part of the internet that isn’t indexed by traditional search engines like Google or Bing. Unlike the surface web (the websites you visit every day) and the deep web (pages that aren’t publicly searchable—think your online banking or private databases), the dark web is intentionally hidden and requires special software to access.

Most dark web sites are accessible through the Tor network, which uses onion routing to anonymize traffic by bouncing it through multiple volunteer-run servers. This keeps both users and site operators private. These sites are often called hidden services, and their addresses typically end in “.onion” instead of “.com.”

If you’re wondering how people even find anything on the dark web, there are specialized search engines designed for it.

While the dark web has legitimate uses (like providing safe spaces for whistleblowers, journalists, or people living under repressive regimes), it’s also notorious for illegal activities. Darknet markets can sell stolen data, drugs, weapons, and hacking tools. That’s why it has a reputation for danger and secrecy. Check out how much your data is worth on the dark web.

It’s important to note that accessing the dark web isn’t illegal in most places, but what you do there can be. Buying illicit goods or services is clearly illegal. Always use caution and know the laws in your country before exploring it, as even visiting certain sites could put you at risk of investigation.

Learn more: If you want to understand more about how the dark web differs from the deep web, check out our dark web vs. deep web explained article.

How does personal information end up on the dark web?

Your personal data can show up for sale on the dark web in several ways: some that are entirely outside your control and others that rely on tricking you directly. Here are the most common ways it happens.

• Data breaches at companies and organizations: Hackers frequently target large businesses, online retailers, hospitals, schools, and even government agencies. When these attacks succeed, they can expose millions of users’ email addresses, passwords, payment details, or Social Security numbers. Criminals bundle this stolen data into massive dumps that are resold on dark web marketplaces. Even if you never shared sensitive information with a shady site, you might be affected if a company you use gets hacked.
• Phishing attacks: Cybercriminals send convincing emails or texts pretending to be from trusted organizations like banks, delivery services, or even friends. These messages often contain fake login pages or malicious links to steal your credentials. Once they have your username and password, it’s easy for them to sell or trade this access on the dark web.
• Data broker websites: Data brokers scrape the web for bits of your personal information (from public records, online purchases, and social media) and combine them into detailed profiles. These profiles can be sold legally to marketers but may also be resold or posted on the dark web by less scrupulous buyers.
• Malware infections: Malicious software can secretly harvest personal information from your devices. Keyloggers can record everything you type (including passwords and credit card numbers), while other types of malware might search your device for saved documents or images containing sensitive data. Infected computers become gold mines for criminals who want to sell that information on the dark web.
• Public Wi-Fi connection: When you use unsecured public Wi-Fi, any sensitive information you send, like passwords, credit card numbers, or personal messages, can be intercepted by attackers. This stolen data can then be bundled and sold on dark web marketplaces.
• Social engineering and scams: Sometimes criminals don’t need to hack anything at all; they just trick people into giving up sensitive details directly. Fake tech support calls, phony prize notifications, and other scams can gather data that ends up being sold or used for identity theft.

Real-world examples of leaked data

Data breaches aren’t just abstract threats; they happen constantly, and their scale can be staggering. Here are a few real-world examples that show how personal information ends up in criminals’ hands and on the dark web:

Yahoo data breach

In late 2016, Yahoo revealed that an unauthorized third party had stolen data associated with more than one billion user accounts back in August 2013, making it one of the largest known breaches in history. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and some security questions and answers.

Yahoo worked with forensic experts to confirm the breach after law enforcement provided them with data files claimed to be Yahoo user data. In response, they notified affected users, forced password resets, and invalidated unencrypted security questions and answers.

PowerSchool K–12 student data breach

PowerSchool, a major provider of cloud-based software for K–12 schools (serving over 60 million students), confirmed a breach in December 2024. A threat actor accessed student and teacher data and then attempted to extort multiple school districts.

The stolen data reportedly included names, contact details, dates of birth, Social Insurance Numbers (in Canada), and even limited medical alert information. The incident is a stark reminder of how vulnerable even sensitive educational data can be and how it can be used for identity theft or fraud once sold on dark web markets.

Yale New Haven Health System breach

A major healthcare breach affected Yale New Haven Health, one of the largest health systems in the U.S. Hackers gained access to sensitive patient data, including names, dates of birth, addresses, phone numbers, email addresses, race or ethnicity, Social Security numbers, patient types, and medical record numbers.

Healthcare data is highly prized on the dark web because it can be exploited for identity theft, insurance fraud, or extortion. This incident highlights why medical organizations are such frequent targets for cybercriminals.

How to find out if your information is on the dark web

Wondering if your personal details have ended up on the dark web? Using dark web monitoring tools is the best way to scan for dark web exposure and spot trouble early. While no tool can cover 100% of the dark web (since it's designed to be hidden), the good ones focus on the places where illegal data trading is most common.

A popular and free option is Have I Been Pwned, which lets you search your email address to see if it’s already in a database of known hacked accounts. It tells you if that email has appeared in past data breaches and if any associated passwords were leaked. However, it doesn’t cover other sensitive data.

If you want broader protection than a simple email check, consider ID Alerts, part of ExpressVPN’s Identity Defender (available to U.S. users). It acts as an advanced breach detection tool, monitoring various records and public platforms for suspicious activity involving your personal information. ID Alerts includes dark web monitoring to scan hidden, unsearchable parts of the internet for your data (like your name and address) and alerts you if it appears for sale.

It also provides Social Security number monitoring to notify you if your SSN is used for loans, payments, or employment, and change of address monitoring to detect unauthorized mail redirection. If any suspicious events involving your SSN or home address are found, you'll get real-time alerts so you can act quickly to protect yourself.

Warning signs to look out for

Even without specialized tools, you can watch for certain red flags that your personal information has been leaked and might be circulating on the dark web (or elsewhere):

• Unauthorized credit activity: Criminals who buy stolen financial data on the dark web may try to open loans, create new credit lines, or make fraudulent purchases in your name. Keep an eye on your credit report and bank statements for anything you don’t recognize. If you're in the U.S., ExpressVPN’s Credit Scanner makes this easier by letting you track your credit score and activity right in the app. So, you can catch signs of identity theft early and take action quickly.
• Account activity notification: You might get alerts about unusual login attempts, password changes you didn’t make, or unapproved transactions. These are classic signs someone has your credentials.
• Passwords not working: If you find yourself frequently locked out of your accounts or having to reset passwords without a clear reason, it might indicate someone unauthorized is trying to take over your accounts by changing passwords.

What to do if your information is on the dark web

If you discover that your information is on the dark web, don’t panic, but do act quickly. Here are some practical steps you can take right now to help protect your identity, secure your accounts, and limit any potential damage.

1. Freeze your credit reports

Freezing your credit is one of the most effective ways to stop identity thieves from opening new credit accounts in your name. When you freeze your credit report, lenders generally can’t run a credit check for new applications, making it much harder for criminals to take out loans or open credit cards in your name.

Even with a freeze in place, you can still check your own credit report whenever you need to, and any lenders you already do business with can continue to access it for things like managing your existing accounts.

2. Change your passwords and enable MFA

If your credentials have leaked onto the dark web, there’s a good chance someone has or will try to log into your accounts. Changing your passwords immediately cuts off that access.

This time, make sure each password is complex and unique. Don’t reuse old passwords or variations of them. Attackers often succeed by guessing reused passwords or using them in credential stuffing attacks.

Also, turn on two-factor authentication wherever it’s available. 2FA requires you to confirm your identity in another way (like a code from an app or text), making it much harder for anyone to break in even if they have your password.

If you want to make this process easier, consider using ExpressVPN Keys. It’s a secure password manager that can:

• Generate strong, unique passwords for you
• Store them safely in an encrypted vault
• Autofill them on your trusted devices
• Support 2FA through its built-in authenticator app

3. Contact your bank and financial institutions

If you see any suspicious or unauthorized activity on your accounts, don’t wait; call your bank or credit card issuer immediately. Many credit card companies will cover fraudulent transactions, but you typically need to report them quickly.

Even if you don’t see any fraud yet, it’s wise to give your bank a heads-up if you know your personal data has been exposed. They may place extra monitoring or alerts on your accounts.

4. Report identity theft to authorities

If you know your identity has been stolen, it’s important to officially report it. Doing so can help protect you from being held liable for crimes or debts committed in your name, and it can help investigators track down the perpetrators.

Here’s who to contact:

• The Federal Trade Commission (FTC): They have an easy-to-use site for reporting identity theft and creating a recovery plan.
• Your local police: Filing a police report gives you documented legal evidence, which can be helpful when dealing with creditors or disputing fraudulent accounts.
• Credit bureau: Besides freezing your credit, let them know about any fraud. You can also ask them to place a fraud alert on your file, signaling lenders to verify your identity before opening new credit in your name.

5. Monitor all accounts

Keep a close eye on all your accounts (not just financial ones) for signs of suspicious activity. Here’s a helpful checklist:

• Review your bank and credit card statements for charges you don’t recognize.
• Inspect your financial accounts for new or unauthorized beneficiaries.
• Look at your social media direct messages for anything you didn’t send.
• Check your social media stories and posts for anything strange.
• Make sure your online accounts haven’t been changed or modified without your knowledge.

Don’t forget about work accounts or other less obvious services you use regularly. Staying vigilant is key to catching fraud early.

6. Check your devices for malware

Even if you change passwords and lock down accounts, it won’t help much if malware is still stealing your information in the background. That’s why it’s essential to scan all your devices for malware.

Invest in a reputable anti-malware tool that’s regularly updated to catch the latest threats. These tools can identify and remove malicious software that may be logging your keystrokes or harvesting your files.

It’s also a good idea to go through your device manually:

• Look for any apps you don’t remember installing.
• Remove anything you no longer use or recognize.
• Be especially wary of anything with strange permissions or behavior, as it could be spyware.

How to prevent future exposure

You’ve dealt with the immediate problem; now it’s time to think ahead. Protecting yourself from future leaks is just as important. Here’s how you can make your online life much safer going forward:

Use a trusted VPN to secure your internet traffic

A VPN (virtual private network) is one of the simplest and most effective ways to protect your online privacy. When you use a top-notch service like ExpressVPN, it encrypts your internet traffic, making it unreadable to anyone who tries to intercept it.

This is especially important when you’re on public Wi-Fi, like in coffee shops, airports, or hotels, where cybercriminals often lurk to steal data. Without a VPN, it’s surprisingly easy for attackers on the same network to spy on what you’re doing.

A VPN also masks your IP address, making it harder for websites, advertisers, and even your internet service provider to track your browsing activity. By routing your connection through secure servers, it helps keep your online activities private and secure, no matter where you are.

Set up account activity alerts and dark web monitoring

Make sure you’ve turned on account activity alerts for your important accounts. Many banking and social media apps can notify you about new logins, password changes, or suspicious attempts, so you can act quickly if anything seems off.For broader protection, use a dark web monitoring service that continuously checks for your personal data in known breaches. This is better than doing one-time scans, since it can alert you automatically if your information shows up for sale.

You can also create a monitoring profile with services like Google’s dark web report. It checks if your email or other personal info appears in known breaches and will email or notify you if anything is found so you can take action quickly to protect yourself.

Be cautious of suspicious links and attachments

Phishing is still one of the easiest ways for cybercriminals to steal your data. Be extra cautious with unexpected links or attachments in emails, texts, or DMs, even if they seem to come from someone you know.

Keep in mind that friends or family members might have had their accounts hacked, and attackers count on you trusting them. If something feels off or you’re not sure, it’s always safer not to click. To avoid falling victim, learn to recognize phishing email red flags.

Create and use a temporary email account

Using temporary or alternate email accounts is a simple way to protect your main inbox if there’s ever a breach. Many of us sign up for everything using the same email address, which keeps things convenient but also ties a lot of sensitive details to one place.

That’s why it’s smart to create a throwaway email address for things like online registrations, newsletters, or contests. If that address ever gets leaked on the dark web, you can just stop using it without affecting your primary accounts.

Another helpful option is email masking, which lets you create unique, private email aliases that forward to your main inbox. It’s a great way to keep your real email address hidden from sites you don’t fully trust.