Ivan Pantic / GettyImages

What to do if your personal information lands on the dark web

You can minimize risk if your credit card, passport or other information is on the internet’s black market


While a number of services can alert you if your personal data appears on the dark web, it’s up to you to take action to avoid becoming the victim of fraud or identity theft. Here’s what you need to do if your information falls in the wrong hands.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Chances are you’ve heard some of the creepy stories about the dark web – the secretive part of the internet that you need special software to access.

Because one can traverse the dark web in anonymity, it’s a haven for criminal activity, including the buying and selling of financial data. While a number of services can alert you if your personal data appears on the dark web, it’s up to you to take action to avoid becoming the victim of fraud or identity theft.

It’s almost impossible to completely avoid the dangers of the dark web, experts say. There were 1,244 data breaches in 2018, according to a report by the Identity Theft Resource Center.

“Given the prevalence of data breaches and other data compromises, the likelihood that your data is available on the dark web is probable,” says Eva Velasquez, CEO of the Identity Theft Resource Center.

Sales of information on the dark web can yield anywhere from $5 to $100-plus for credit card account info and more than $1,000 for passports and medical records, according to Experian. Here’s what you need to do if your information falls in the wrong hands.

See related:  Capital One data breach exposes personal information of 106 million consumers

Separating myth from fact

A number of companies have unveiled dark web monitoring services to alert you when your information shows up there.

For example, Experian offers IdentityWorks, a suite of free and premium services ranging from dark web surveillance to credit monitoring. Some credit card issuers, such as Discover, are adding dark web monitoring to their fraud protection services.

However, learning your information is on the dark web is just the first step. A Consumer Federation of America survey found 36 percent of people who saw dark web monitoring ads thought such services removed their information from the dark web. Another 37 percent thought such services could prevent their information on the dark web from being used. Neither of those beliefs is true.

“If your information is on the dark web, it’s already being sold and resold, most likely multiple times over,” says Brian Stack, vice president of Dark Web Intelligence at Experian. “Once it’s out there you’re not going to be able to stop the spread of it.”

Even if your information was stolen years ago, some cyberthieves repackage old breached data to sell again. But that doesn’t mean you’re helpless. You simply have to be smart.

See related:  Equifax reaches $671 million settlement related to 2017 data breach

Taking pre-emptive steps

The type of information found on the dark web plays a role in what steps you should take.

  • If you find your credit card or bank account numbers on the dark web, let your card issuer or lender know so they can help you close the account and open a new one.
  • If your driver’s license or passport is found, contact your Department of Motor Vehicles or the U.S. State Department, respectively.
  • If your Social Security number is on the dark web, report it to the Social Security Administration and the Internal Revenue Service.
  • If one of your passwords is on the dark web, change it on all of the accounts where you use it. As an added precaution, change the security questions on your accounts as well.

While some might think an email address showing up on the dark web isn’t a big deal, that’s not the case, says Henry Bagdasarian, founder of Identity Management Institute, an organization that promotes identity risk awareness.

With access to your email address, a hacker can not only get into your email account where sensitive information may be, but he or she can spoof your account so others think they’re receiving messages from you.

Many people use their email addresses as user identifications on some of their online accounts, Bagdasarian says. Contact your email provider if you notice spoofed emails coming from your address. Also, if your email address serves as your user ID for any online accounts, consider changing the user IDs or at least changing your passwords.

See related:  What happens if you report a legitimate card transaction as fraud?

Keep an eye on your credit report and card accounts

There are other steps you should take regardless of the type of information found on the dark web.

  • Automate credit report monitoring. If your information is posted somewhere on the dark web, it’s not enough to check your credit report annually. Consider buying some type of identity protection monitoring service such as LifeLock or Experian IdentityWorks so you can be alerted to changes to your credit report.
  • Monitor your credit card accounts. Even if you’re monitoring your credit reports, you wouldn’t know if someone was accessing your current credit cards unless a payment was late, Bagdasarian points out. However, if you check your credit card bills regularly, you can identify charges you didn’t make as soon as they occur. If you know your information is on the dark web you may also want to have text alerts sent to you whenever your cards are used.
  • Put a security freeze on your credit report. With that in place, a scammer can’t open a credit account in your name unless you lift the freeze.

If cyberthieves use your personal information to commit fraud, first contact any companies where the fraud took place.

They’ll freeze the accounts so no further damage can be done. Also, change all of your passwords and PINs used to access your accounts.

Report the incident to the Federal Trade Commission so they can track it and file a report with your local police department.

Your financial institutions may also provide other support if you’ve been victimized, says Laks Vasudevan, vice president at Discover.

“If a Discover cardmember who has signed up for our Social Security alerts is notified that their information has appeared on the dark web, we ask them to call us so we can provide them with what steps they need to take to inform the credit bureaus and reduce the risk of future fraudulent activity,” she said.

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Education

Prequalified vs. preapproved: What’s the difference?

Got an offer in the mail saying you’re “prequalified” or “preapproved” for a credit card? Great! But what does that mean for your credit and actual approval odds? Read on to learn more about the main differences – and similarities – between prequalification and preapproval.

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more