Maybe you got an email from a monitoring service, or a notification from your bank: Your personal data has been found on the dark web.
So was mine, if it helps. And the same goes for, well, almost everyone.
“Your data is on the dark web — period, the end,” said Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center. By the time you get a notification about it, she added, “the vast majority of any potential harm has already been done.”
If you receive a notice about this, know that your data was probably leaked in a data breach earlier. Your first step should be to figure out what personal information is floating around out there. Plugging your email address(es) into services like Have I Been Pwned, which highlights the breaches in which your data has been found, are a good start.
Once you have a sense of how exposed you really are, it’s time to take action. Read through the following list and lock these things down as needed. (Lucky for us, many of these measures only need to be set up once.)
Your finances
Do this if: Your Social Security number was exposed.
First, scour your financial accounts for fishy activity. If you spot some, get on the horn with customer service and flag the fraud fast.
Once that’s done, or if you were luckily unaffected, it’s time to think about prevention. That means freezing your credit.
This is probably the most commonly shared advice for dealing with the fallout of a data breach, and for good reason: It works. Bad actors with your name and Social Security number basically have all they need to open new lines of credit you could be on the hook for.
Thankfully, the three main credit bureaus — Equifax, Experian and TransUnion — make freezing your credit reports fairly painless. For what it’s worth, I’d personally recommend keeping your credit frozen all the time by default unless you know you’ll have to apply for a credit card or loan soon.
If you manage these freezes online, the three credit agencies must lift the freeze within an hour — and it’s pretty trivial to refreeze your credit reports once you’re done applying for something.
To go above and beyond, consider locking down a few more things:
- Placing a security freeze on ChexSystems disclosures should make it more difficult for bad actors to open checking or savings accounts in your name.
- Creating an identity protection PIN with the IRS can reduce the risk of someone attempting to file a fraudulent tax return and make off with a refund.
Your phone number
Do this if: Your name, address and cellphone number were exposed.
It’s surprisingly easy to figure out what carrier a cellphone number is attached to. That, in tandem with your name and address, can give a bad actor all they need to take control of your phone number with a SIM-swap attack.
If that happens, it doesn’t just mean your phone is temporarily out of commission — someone could use your phone number to intercept authentication codes, or otherwise access accounts possibly tied to that number. Contact your wireless carrier and make sure you have a PIN set up, so no one can make changes to your account or phone lines without it.
Your online accounts
Do this if: Your email address and passwords were exposed.
If you’ve determined that login credentials for certain accounts were leaked as part of a data breach, the obvious first step is to change those passwords immediately.
The thing is, despite lots of expert advice, many of us still reuse passwords across different websites and services at least occasionally. That has to change, and fast.
I know: Keeping track of distinct passwords for every single thing can feel like a pain. Take it from me: It’s worth it, especially since password managers like Dashlane make it easy to generate, store, and fill in complex passwords when you need them.
You should also take a moment to think about how you’re proving your identity and services you rely on.
Receiving text messages to receive one-time confirmation codes for, say, your online banking is better than nothing, Velasquez says, but leaves you susceptible to the SIM-swap attacks we talked about earlier.
When possible, create passkeys for your online accounts, or opt into two-factor authentication that relies on codes generated by authenticator apps like Authy, LastPass, or Google Authenticator. As long as you still have control of your devices, you’ll be able to get into your accounts — and prevent others from doing the same.
Your past
Do this if: Your home address or phone numbers were exposed.
Information like old phone numbers and past addresses can be helpful to ne’er-do-wells who might try to open accounts in your name, or otherwise pose as you. Even worse, this information isn’t hard to come by even if you haven’t been caught up in a data breach — much of it is a quick Google search away.
There are loads of services that will, for a price, request “people search” sites from sharing your address and other identity info. They can help, but in a 2024 investigation, Consumer Reports found that they were still less effective than just handling things yourself.
That means sending a fair few emails and filling out lots of forms, but this frequently updated list of data brokers compiles the big sites from which to get your information scrubbed. If you have a Google account, you can use the company’s Results About You toolto see where else your personal information appears online, and in some cases, file a request to remove it with a few clicks.
One last note: Working through this checklist can help dial down the threat of identity theft, but don’t feel like you have to go it alone.
Take advantage of free credit monitoring and or removal offers that may be offered to you in the wake of a breach, and use services like the Identity Theft Resource Center’s free expert help line to help figure out your next moves.
The post Our personal data is all over the dark web. Here’s what you can do. appeared first on Washington Post.
