Ensure you create strong, unique passwords by using a combination of characters and avoid using easily guessable information like a pet’s name. Most importantly, never reuse a password across multiple sites. While the rules for safeguarding your digital information seem straightforward, many people neglect these practices, creating opportunities for hackers to profit from selling compromised data.
The Dark Web Marketplace for Stolen Data
Marketplaces for pilfered personal data flourish on the dark web, clandestine networks hidden from the regular internet and accessible only through specialized software like Tor. While not everything on the dark web is malicious – some news organizations operate sites to provide information to individuals in censored regions – a significant portion of it is dedicated to illicit activities.
To gain insights into this digital underworld, I consulted Rory Hattingh, a certified ethical hacker at Evalian, whose job involves legally penetrating company systems to assess their security. According to him, the probability that none of my private information has been compromised is “exceptionally small.” Having covered technology for an extended period, I am aware of the prevalence of data breaches, but acknowledging its personal impact served as a stark reminder.
Discovering Breached Data
Hattingh initiated the process by introducing me to Have I Been Pwned, a website that aggregates usernames and passwords exposed on the dark web into a searchable database. Upon entering my email address, I was alarmed to discover it had been implicated in 29 hacking incidents.
The most recent occurred in 2024 when the Internet Archive was breached, leaking my email and password. Additionally, my data was included in a 122-gigabyte collection of user information scraped from Telegram channels and a database known as Naz.API, initially posted on a hacker forum. Other breaches exposed postal addresses, job titles, phone numbers, IP addresses, password hints, and dates of birth from platforms like Adobe, Dropbox, and LinkedIn.
The Domino Effect of Password Reuse
Theoretically, these individual leaks have limited repercussions. If, for instance, LinkedIn is compromised and your username and password are leaked, it should not affect your Facebook account. However, this assumes you do not reuse the same password, a practice employed by over 60% of individuals. In such cases, hackers can leverage compromised credentials to access various online accounts automatically and rapidly.
As Hattingh explains, this can lead to significant trouble, including unauthorized online shopping using stored payment information, PayPal accounts, or cryptocurrency wallets. Gaining access to one account can also facilitate access to others, with email accounts being the ultimate prize. Compromised email accounts allow hackers to reset passwords, infiltrate other websites, access billing accounts, and potentially even gain control of online banking accounts. Furthermore, access to social media or email accounts enables hackers to perpetrate fraudulent schemes, deceiving friends and family with fabricated emergencies requiring urgent financial assistance. The authenticity of the compromised account lends credibility to these scams, increasing their likelihood of success.
The Delays in Breach Notification
Adding to the complexity, while some companies promptly notify affected users and urge password changes after a breach, others respond slowly, leaving users vulnerable for extended periods. Hattingh noted that in certain prior roles, he observed frequent ransomware attacks on clients that were treated as a normal cost of doing business. These attacks involve encrypting the victim’s data and demanding ransom for the decryption key. Increasingly, some companies simply factor such incidents into their operational budget.
“These companies would get hacked two, three times a year,” Hattingh stated. “They’ve allocated funds for damages following the breaches. They pay the ransom and carry on with day-to-day tasks. And this is happening globally, consistently.”
The Hierarchy of Stolen Data Value
Although discovering my personal data exposed online was unsettling, Hattingh clarified that records on Have I Been Pwned represent the lowest tier of compromised information. The highest-value data is acquired when cyber criminals initially breach a website and steal a fresh set of user information, which they then sell to others for exploitation. After the initial buyers extract maximum value, the remaining data is resold repeatedly. Eventually, less valuable data may be released freely on hacker forums, Telegram channels, or other dark web locations, where Have I Been Pwned eventually collects it.
DeHashed: A Deep Dive into Breached Data
Advancing up the information value chain, Hattingh demonstrated DeHashed, a paid service that provides detailed breach information, including passwords, unlike the broad descriptions offered by Have I Been Pwned. The service’s name alludes to “dehashing,” the process of reversing password “hashing,” a security measure designed to prevent password copying. Revealingly, at least one of the passwords associated with my email address on DeHashed was both familiar and current, meaning that in theory, cyber criminals – or anyone interested – could have accessed at least one of my online accounts.
DeHashed, a subscription service priced at $219.99 annually, claims to serve “law enforcement agencies and Fortune 500 companies.” When contacted, the firm offered no comments or insight regarding potential abuse of the tool.
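To make concrete what “dehashing” actually means, here is an added example (not from the article, and not DeHashed’s or Have I Been Pwned’s code): unsalted SHA-1 hashes are not reversed but recovered by hashing guesses and looking the results up, which is why common and reused passwords fall first, while a salted, slow hash defeats that shared table. The users, passwords and guess list are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample dump (hypothetical users): unsalted SHA-1 digests, the
# form in which many older credential leaks circulated.
LEAKED_SHA1 = {
    "alice@example.invalid": hashlib.sha1(b"password123").hexdigest(),
    "bob@example.invalid": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.invalid": hashlib.sha1(b"T7#kq9!vLm2$pRz").hexdigest(),
}

# Constructed guess list standing in for a precomputed lookup table.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "password123"]


def dehash_lookup(hashes, candidates):
    """'Dehashing' does not invert the hash: it hashes guesses and looks the
    digests up. Without salts, one table serves every user in the dump, so
    common or reused passwords are recovered first; unique ones stay hidden."""
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[h] for user, h in hashes.items() if h in table}


def store_password(password, iterations=600_000):
    """Hardened storage: a random per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). The salt makes a shared lookup table useless and
    hides reuse between users; the iteration count makes each guess costly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Constant-time comparison of a login attempt against the stored record."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def salted_records(users_and_passwords, iterations=600_000):
    """Store several users the hardened way. Two users sharing a password get
    different digests, so reuse is not visible in a stolen copy of the table."""
    return {u: store_password(p, iterations) for u, p in users_and_passwords.items()}
```

Running `dehash_lookup(LEAKED_SHA1, CANDIDATES)` recovers alice’s and bob’s passwords from the guess list but not carol’s, which is exactly the pattern a reused or common password produces in a leak.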
Exploring the Dark Web’s Depths
Intrigued, I delved deeper into the dark web with the assistance of Anish Chauhan from Equilibrium Security Services. Chauhan demonstrated his team’s proprietary software, which searches more data sources and searches them more thoroughly. It uncovered 24 passwords associated with my online accounts.
“Users might say, ‘I’ve got a 200-character password; no one’s ever gonna brute force that’,” said Chauhan. “But say they then use that on every single website they use. It kind of makes it irrelevant really because it’ll eventually get breached. As humans, we just take the path of least resistance, you know?”
Simple Solutions
Chauhan offered a recommendation that we’ve all heard before: create a unique password. After seeing my data in the open, I understand the importance of this very clearly.
- Create stronger, unique passwords for each account
- Use a password manager
- Monitor your online presence using Have I Been Pwned
The means to do this are readily available. Many digital devices have password managers built in that can auto-generate, store, and recall passwords. Furthermore, if we suspect our data has been breached, tools exist that search the web for indications that this has occurred.
Taking Remedial Action
In recent years, I’ve started using a password manager. However, there were still older accounts across the internet for which I had not updated my credentials, and in preparation for this article I spent considerable time rectifying this.
Faced with constant requests for new credentials, it is easy to see why people take the easier route. I know that I’m not alone in this.
“I’m a pretty tech-savvy person, and I barely change my passwords,” says Hattingh. “For work, I change it, but in my personal life, I’m a little bit more lazy.”