How Much of Your Company, Employee and Customer Data is on the Dark Web?

The dark web is the cybercriminal’s playground. Learn what technology you need to ensure your sensitive data isn’t there.

Check Your Exposure

See whether your corporate or personal credentials are available to criminals.

What is the Dark Web?

The dark web is a formidable term we don’t like to think about because honestly, it’s a scary place.

Not to be confused with the “deep web” which hosts primarily intranet and private websites, the dark web is where the criminals think they can hide. The dark web makes up only a small percentage of the internet, but it’s a hotbed for cybercriminals who navigate it with greater anonymity than is possible on the clearnet (the web we all know and love). With their IP addresses, and therefore identities and locations, masked by specialized software, they have free rein to buy and sell stolen information, or so they think.

The online underground market for identities, credentials and personally identifiable information (PII) is growing exponentially. Anyone with a computer, a bitcoin wallet and internet access can easily buy (or sell) access to stolen credentials and PII. It’s not uncommon to see threat actors making the rounds on underground sites trying to sell data shortly after a target site or commercial web application has been breached.

Often referred to as “fullz” in threat-actor communities, this stolen information can sometimes include full “packages” of information that can be used to empty a victim’s bank account or be leveraged in credit card fraud operations. Fullz usually include physical addresses, credit information, dates of birth, social security numbers and additional sensitive information belonging to the victim. Credential harvesting is lucrative—and business is booming.


SpyCloud security researchers are embedded in the criminal underground, and we’re seeing darknet markets dedicated exclusively to selling user account access and even browser fingerprints (which can enable criminals to bypass the login process altogether using stored cookies). Once a threat actor has successfully compromised an online account, he can usually get a decent return on his investment. Hacked accounts that have cash account balances, linked credit cards, or travel/gift points typically demand respectively higher prices in underground markets.

The dark web isn’t always that bad, however. It can and does have legitimate purposes. Journalists, for instance, often use the dark web to engage in protected conversations with secret sources. Undercover law enforcement leverages the dark web to track criminal behavior, particularly related to child abuse, terrorism rings and the sale of illegal goods.

What companies and people want to avoid, however, is having their personal, private data sink into the dark web without their permission or knowledge. Here are some technologies to consider to protect your user accounts and the sensitive data they contain.

Dark Web Monitoring

You don’t know what you don’t know.

How sure are you that your employee, customer or corporate data isn’t already on the dark web, being sold to the highest bidders, if you aren’t actively checking it on a regular basis? You don’t want to learn the hard way, via a public breach that damages your brand’s reputation and costs your company millions of dollars in fines, legal fees, and lost business.

Many companies turn to automated dark web monitoring technologies, such as web scanners, forum scrapers and web crawlers to locate stolen credentials. While the intent is good, the execution is not. Dark web monitoring services do enable you to keep a constant eye out for breached credentials, but this is often too late. 

Effective account takeover prevention hinges on one critical capability: finding stolen credentials before they’ve hit the dark web. Once most automated technologies find breached credentials on the dark web, those assets have already been sold to bad actors for use in credential stuffing attacks. The key is to detect vulnerabilities early in the account takeover timeline, before those assets have been pushed into the more commercialized dark web.

The earlier breaches are flagged, the sooner action can be taken to force a password reset. The sooner the password is changed to a stronger, uncompromised one, the less of a chance threat actors can scale their breach to impact more accounts or sell their stolen goods to communities of cybercriminals on the dark web. Finding these breaches early, however, requires more than scanners, scrapers and crawlers alone.

Dark Web Credentials API

The dark web isn’t a place where you can simply search and find stolen credentials.

First, stolen credentials aren’t sprinkled throughout the dark web for people to discover. Cybercriminals post only a few bits of their stolen credentials to entice buyers. Only when they have sealed their deal do they release the entirety of their assets.

A dark web monitoring API enables developers, product teams and security teams to rapidly integrate with actual breach data – data that has already been collected, sorted and analyzed for consumption by an ATO prevention company. The dark web API helps companies take proactive measures to protect employee and consumer accounts automatically while giving fraud investigators the data they need for their investigations.

It’s important to note that not all breach data is the same. Some companies populate their data set with incomplete, encrypted or inaccurate data. In order to leverage the power of the dark web API, be sure the database to which the API connects is current, comprehensive and accurate. Compromised passwords should be presented in plaintext format so security and fraud teams can more easily find matches. The cleaner the data, the faster more vulnerabilities can be found.

Learn more about integrating SpyCloud breach data

Dark Web Password Protection

The first step to prevent account takeover is to enforce better password selection.

Weak passwords provide a highway to the dark web. People are prone to using the same passwords across multiple accounts and reusing them even when a company implements a 90-day password rotation policy. Bad actors know this. They count on it. They use technology to crack passwords and once they do, perform credential stuffing techniques to test those passwords against multiple accounts at scale.

NIST’s latest guidelines for password protection means employees should choose passwords they can remember but are difficult to guess. By using a dark web credentials API, companies have access to a dark web password database against which they can compare their employee and/or consumer passwords against a dark web database of breached passwords. If there is a match, the user is forced to choose a stronger, uncompromised password before they can register their account.

Employee education should be at the top of any security team’s list. Oftentimes, employees do not appreciate the risk they bring into the company with the use of simple, easily-guessable and/or reused passwords. They don’t always understand how using passwords across multiple accounts puts all of their accounts and those companies at risk. Dark web password protection begins with education and ends with technology to enforce company standards.

Automate password resets with SpyCloud

Human Intelligence and Technology

If the automated collection of stolen credentials is not sufficient, then what is? While AI and machine learning technologies may be where everything is moving, humans still hold an advantage in many ways. Humans can develop relationships with underground actors to obtain information no automated technology can match.

Only by using human intelligence (HUMINT) and technology can account takeover be discovered and mitigated early on, before the stolen credentials have been sold to the masses. Humans have to actually get into the minds of the cybercriminals, covertly establish relationships with them, gain access to private sources, and then report their intel back. Combine that with a comprehensive data cleansing and analysis process that makes sense of all the data, and you have the recipe for effective account takeover prevention.

Dark Web Scanners and Similar Automated Tools

Open sources, pastes, Tor hidden sources, dark web markets and private forums are all discoverable by automated collection tools. Scanners, scrapers and crawlers constantly monitor the dark web for suspicious activity. Stolen credentials can be found this way, even if it’s later in the ATO cycle.

The smartest way to use these automated tools is to combine them with human intelligence. By doing so, every crevice of the dark web is brought to light. While no technology or human input can protect every account, the combination of the two gives companies a much better chance to prevent ATO from the start or at the very least, minimize the damage when a breach is discovered.

Dark Web Cleansing and Analysis

It would be nice if all of this discovered data came in a neat little box with a bow wrapped around it. In reality, the data is often “dirty,” containing duplicates, encrypted data, old data and inaccurate data that can be in multiple formats. Not all of the data is valuable or usable. The best technologies can clean it up for analysis so it can be used immediately to inform decisions or take action.

There is sophisticated cleansing technology available that does all of the hard work so security leaders can take action quickly. This includes the complicated processes of parsing, normalizing, removing duplicates, validating and enriching the data. All five of these steps are critical in making the data understandable, usable and actionable.

Learn about SpyCloud’s data cleansing process

Join the hundreds of companies using SpyCloud to protect their accounts from ATO