We Found Our Personal Data On The Dark Web. Is Yours There, Too?
The little drips of personal data leaked from every major data breach—your name, email, phone number and mailing address—pool in a murky corner of the internet known as the dark web.
Some of these leaks might seem relatively insignificant, but criminals exploit your personal data for profit and to help other criminal operations prosper. The dark web is where these transactions happen.
The spectrum of threat actors operating on the dark web is broad, ranging from lone wolf hacktivists to nation-states and organised criminal operations. What they have in common, however, is a lust for personal data.
The recent Gnosticplayers hack, for example, obtained nearly 840 million records from 32 companies. And according to cybersecurity experts, while unique records sell for cheap—a portion of the trove was listed for 1.2431 bitcoin, or about $4,940—in aggregate our personal details help enrich these nefarious operators.
Navigating the dark web
Like the traditional internet that we use every day, the dark web is a network of websites. But unlike our traditional internet, the dark web requires special security software to encrypt browsing activity and hide a user's location and identifiable details.
There are countless legitimate uses for the dark web. Political activists living in totalitarian states use the encrypted web to share mission-critical information, and reporters in conflict regions often use the dark web to communicate with sources. But the dark web's discreet nature is also exploited by hackers and criminals to trade in weapons, drugs, stolen data, and other illicit goods and services.
Hacked personal data may seem benign relative to other harmful material for sale on the dark web, but according to Emily Wilson, the vice president of research at cybersecurity firm Terbium Labs, in the hands of criminal actors your personal data can have serious and potentially dangerous consequences.
"Data is transmitted very quickly. There's no ship time. Criminals buy it, they get it instantly, and they can cash it out," said Wilson.
"Data is often good for a long time. If somebody uses your credit card, you get a fraud alert, and get a new credit card number. That's a loss to you and that's annoying. But what about your Social [Security number], what about your name, what about your address or your driver's license numbers?
"These are data points that can be exploited for decades or for a lifetime. And once it's out it's nearly impossible to get it back."
We asked Terbium Labs to do a deep dive into the dark web and search for any information about us that had been leaked as a result of hack. What they found was disturbing.
Our personal information was mixed in with wholesale data dumps of information about thousands of people. The building blocks to not only replicate our own identities online, but everyone else packaged along with us.
"Identity theft and other scams often rely on incomplete information," wrote Wilson, in the report she prepared for us. "These scams exploit and bypass systems designed to reduce user friction first and provide security second."