"The dark web" gets referenced in news stories about data breaches constantly, but most people don't know what it actually is or how to check if their information is there. Here's a clear explanation — without the hype.
What the Dark Web Actually Is
The internet has three layers. The surface web is what you access through Google — websites indexed by search engines. The deep web is everything not indexed: your email inbox, bank account pages, medical records portals. The dark web is a small portion of the deep web that requires special software (the Tor browser) to access, and is intentionally hidden from normal browsing.
The dark web hosts both legitimate uses (journalists in authoritarian countries, privacy-focused communication) and illegal markets. The illegal markets are where stolen personal data ends up after data breaches.
What Gets Sold on the Dark Web
After a company experiences a data breach, the stolen data — usernames, passwords, email addresses, credit card numbers, Social Security numbers — gets listed for sale on dark web marketplaces. Prices vary: email/password combinations sell for cents each in bulk; full identity packages (name, SSN, date of birth, address) sell for $10–$30 each; full financial profiles with account access sell for hundreds.
How to Check If Your Information Is There
You don't need to access the dark web yourself to check. These free tools monitor dark web marketplaces and breach databases:
Have I Been Pwned (haveibeenpwned.com) — the gold standard. Enter your email address and it shows every data breach it's been found in, with details on what was exposed. Free and maintained by security researcher Troy Hunt.
Google One Dark Web Report — if you have a Google account, go to one.google.com/dark-web-report. Google monitors dark web sources for your email address and phone number and alerts you to findings.
Firefox Monitor (monitor.firefox.com) — similar to Have I Been Pwned, operated by Mozilla. Free.
What to Do If Your Information Is on the Dark Web
You can't remove data from dark web marketplaces. But you can reduce the damage:
- Change the password for any account associated with the breach immediately. Use a unique password from a password manager.
- Enable two-factor authentication on the affected account.
- Freeze your credit if any financial information was exposed.
- Watch for targeted phishing — scammers who buy your data will use it to craft convincing emails and calls.
Prevention Going Forward
You can't prevent companies from getting breached. You can limit the damage each breach causes by using unique passwords (via a password manager), alias email addresses, and never giving out your real phone number or SSN unless absolutely required.