In this article:
Data breaches are so commonplace that there's a good chance some of your personal information has already found its way onto the dark web. This might include your:
- Name, address and phone number
- Social Security number
- Emails, usernames and passwords
- Medical records and account numbers
- Financial account numbers and details
- Driver's license and passport information
Criminals can use this information in a variety of ways, such as impersonating you, creating a fake identity, opening credit accounts in your name or getting a medical procedure using your insurance.
You can check to see if and what information is out there with a free dark web scan. And while there might not be a simple way to get your information removed from the dark web, you can take measures to protect your accounts and identity. Here's what to do if your information is found on the dark web.
1. Change Your Passwords or Set Up Passkeys
One of the first things you can do is change any potentially compromised passwords to help keep people from taking over your accounts. If you use the same password—or similar password variations—for multiple accounts, you may want to change the other accounts' passwords as well.
Create a new strong password that meets the following criteria:
- Is unique to the website
- Doesn't contain common words
- Doesn't share characteristics with your other passwords
- Is longer than the website's minimum allowed character count
Consider using a password manager to create and store complex passwords. You then only need to remember one complex password to access your password manager. Many of these apps can also automatically fill in your passwords after you log in.
Additionally, you might be able to use a password manager to create a passkey for your accounts. These are an alternative to passwords that may be more secure.
2. Enable Multifactor Authentication on All Your Accounts
Multifactor authentication (MFA) requires you to use two or more forms of authentication to access your account. Your username and password are usually the first form, and the second might require you to:
- Scan your fingerprint or face
- Enter a code that you receive by text or email
- Enter a code from an authentication app or security key
- Answer security questions
- Respond to a push notification from an app
- Plug in or tap a security key
Using MFA can help keep others out of your account even if your username and password are leaked on the dark web—or elsewhere.
You can sometimes opt in and out of MFA in your account settings. If you have the option to turn it on, you also might be able to choose your additional form of authentication. In general, text message and email MFA are the least secure options, but they're still better than nothing.
3. Try to Add SIM-Swapping Protection to Your Phone
SIM swapping is when someone temporarily takes over your phone line using the same SIM swapping procedure that you'd use to activate a new phone. Criminals do this by tricking or paying off mobile phone carriers' employees. Alternatively, they might port your number to a phone they control at a different carrier.
Once they take control of your number, they can have your text message MFA codes sent to a phone they control. The potential for porting and SIM swapping is why SMS-based MFA can be less secure than other options.
However, mobile phone carriers now offer extra security measures that can help protect you from SIM swapping attacks. Look online or contact your carrier to find out what you need to do to enable them.
4. Monitor Your Accounts
Keep an eye on your bank, investment, crypto and credit card accounts for any unusual activity.
You generally aren't liable for unauthorized credit or debit purchases, but you may need to act quickly and call the financial institution to dispute the transactions. If you notice a new account was opened in your name, the company can also help you close the account.
In some situations, your liability could depend on how long you take to report the fraud. You could be liable for up to $50 if you take up to two business days, or up to $500 if you wait longer. If more than 60 days go by, you could be responsible for the full amount of new unauthorized transactions.
You may also want to monitor other accounts that criminals could break into and monetize; for example, ecommerce accounts where you store credit or payment information, or even loyalty travel programs that criminals take over to book hotels and flights.
Your rights and protections can depend on how the fraudsters get into your accounts and what they steal. Some organizations might reimburse you, but you won't always have legal recourse if they don't.
5. Report the Theft of Your Personal and Account Information
Reporting unauthorized transactions and other types of fraud to financial institutions and other affected organizations is important. Additionally, you can report the theft or fraud to:
- The Federal Trade Commission (FTC): Follow the instructions on IdentityTheft.gov to report that your information was exposed in a data breach or that someone has your information and you're worried about identity theft. The FTC can create a personalized recovery plan for you and an FTC Identity Theft Report that you can use when reaching out to other organizations.
- Local police departments: You may want to report identity theft or fraud to your local police department. The police report might be helpful when you're dealing with other organizations, and some police departments have been able to track down and prosecute fraudsters.
- Credit bureaus: You have the right to dispute the items on your credit report. If fraudulent activity led to new accounts or negative marks in your credit reports, you can submit a dispute to address the erroneous information.
- Identity theft protection services: If you have an identity theft protection service, you may have access to identity theft resolution professionals who can help you contact organizations, get your documents in order and manage the restoration process. You may also have identity theft insurance, which can help cover costs related to resolving all these issues.
6. Freeze Your Credit
You also have the right to add a security freeze to your credit reports from Experian, TransUnion and Equifax. This is also called freezing your credit, and it can be a simple and free way to keep someone from opening new credit accounts in your name.
You have to freeze your reports separately at each credit bureau, which you can do online, over the phone or by mail.
How to Freeze Your Credit With All 3 Credit Bureaus | ||
---|---|---|
Experian | TransUnion | Equifax |
Experian Security Freeze | TransUnion | Equifax Information Services LLC |
Freezing your credit reports limits access to your reports and keeps creditors from checking your credit in response to a new application. As a result, creditors may deny applications in your name while a freeze is in place.
However, your report can still be accessed for other reasons, such as if your current creditor wants to review your report or if you want to check your own credit. You'll also want to remember to unfreeze or temporarily "thaw" your reports when you legitimately apply for a new credit card or loan.
7. Add a Fraud Alert
You also have the right to add a fraud alert to your credit reports. When there's a fraud alert on your report, creditors can see that you might be the victim of identity theft and are instructed to verify your identity or contact you before extending credit in your name.
Unlike with credit freezes, you only need to contact one bureau to add a fraud alert—it will forward your request to the other two bureaus. You can start the process online at Experian's Fraud Alert Center, and have the option to request one of three types of alerts, depending on eligibility: initial, extended and active-duty alerts.
Types of Fraud Alerts | |||
---|---|---|---|
Initial Fraud Alert | Extended Fraud Alert | Active-Duty Alert | |
Cost | Free | Free | Free |
When to use | You suspect you've been or may become a victim of identity theft | You've filed an FTC identity theft report or a police report | You're an active-duty service member and want to protect your credit file |
Duration | 1 year | 7 years | 1 year |
Removed from prescreened credit and insurance offers | For 6 months | For 5 years | For 2 years |
8. Beware of Scammers
Having safety measures in place can help protect you from identity theft or fraud regardless of how someone gets your information. But you may also want to be extra careful of scammers and fraudsters.
Unlike when someone uses your information to trick a company, if a scammer tricks you into sending them money, you might not be able to get it back. And scammers who gather information about you from the dark web and elsewhere might be able to trick you more easily.
For example, they might be able to figure out who your family members are and where you have accounts. They can use this information when they pretend to be an employee at a company or government agency.
One rule of thumb: Never share personal information or security codes with someone who contacts you out of the blue, even if it looks like they're calling, texting, emailing or messaging from a legitimate company. It's best to ignore these messages, look up the organization's information and then initiate the conversation.
Find Out What Personal Information May be Accessible Online
You can use several tools to find out if your information is on the dark web, was compromised in a data breach or is easily accessible on the open internet. Two free options are Experian's dark web scan, which can look for your email address, phone number and Social Security number, and Experian's personal privacy scan, which searches for your information on people finder sites.