Somewhere right now, a criminal forum is selling a list of email addresses and passwords. Some of those addresses end in your domain. The passwords are real — pulled from a breach at a SaaS vendor you use, a phishing campaign that caught one of your employees, or malware that ran silently on a workstation for weeks before anyone noticed. The sellers on these markets don't know your company's name. They don't care. They're selling bulk access: thousands of credentials for a few hundred dollars, and buyers will automate the login attempts against every service they can think of.
This is the reality of credential theft in 2026, and it plays out thousands of times a day across businesses of every size. The terrifying part is that most companies don't find out for months — or until something visibly breaks. An account gets drained. A client gets targeted with a phishing email that appears to come from your CEO. A ransomware attack launches from credentials that were sitting on a dark web forum for six months before someone finally bought and used them.
Dark web monitoring exists to close that gap: to find your credentials before the attackers use them, and to give you the warning you need to act. This article explains what the dark web actually is, how your business data ends up there, what's being sold, how monitoring works, and — most importantly — what to do when an alert comes in.
What the Dark Web Actually Is
The term "dark web" gets used loosely, and the confusion is worth clearing up because it affects how you think about the risk.
The internet has three layers. The surface web is everything indexed by search engines — news sites, company websites, social media, anything Google can find. The deep web is content that exists online but isn't indexed: your online banking portal, your company's internal HR system, private cloud storage, webmail when you're logged in. Despite the ominous name, most of the deep web is completely legitimate. It's just not public.
The dark web is a subset of the deep web that requires specific software to access — most commonly Tor, the Onion Router. Tor anonymizes internet traffic by routing it through a chain of volunteer-operated servers around the world, encrypting it at each hop so no single node knows both the origin and the destination. Websites on the Tor network use .onion addresses — long, randomized strings like zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion — that are only accessible through the Tor browser.
Not everything on the dark web is criminal. Journalists in authoritarian countries use Tor to communicate with sources. Privacy-conscious individuals use it to browse without surveillance. The BBC and The New York Times maintain .onion mirrors of their sites. But the anonymity that makes Tor valuable for press freedom also makes it the infrastructure of choice for criminal markets, and those markets are real, active, and extraordinarily well-organized.
The Markets Where Your Data Gets Sold
Dark web criminal markets look, from the inside, disturbingly like legitimate e-commerce platforms. They have storefronts, product listings, seller ratings, customer reviews, dispute resolution processes, and bulk discount pricing. The sophistication of these operations has grown dramatically over the past decade.
The major categories of data marketplaces include:
- Credential markets — Collections of username/password combinations, usually organized by the service they belong to (Microsoft 365, QuickBooks Online, banking portals, VPN logins). Sold individually or in bulk.
- Fullz markets — "Fullz" is criminal slang for complete identity packages: name, Social Security number, date of birth, address, and often credit card data. Used for identity fraud and account takeover.
- Card shops — Stolen credit and debit card numbers, often with CVV and billing address, organized by card type, issuing bank, and country. Freshness (time since theft) directly affects price.
- Access brokers — Sellers who specialize in initial access: compromised VPN credentials, Remote Desktop Protocol (RDP) access, active sessions inside corporate networks. These listings sell for thousands of dollars and are purchased by ransomware groups who then deploy their payloads.
- Paste sites and dump forums — Less organized venues where stolen data gets posted publicly, sometimes for free, sometimes for small fees. Sites like Pastebin and dedicated dark web forums see enormous volumes of credential dumps.
The timeline that should concern every business owner: According to research from the cybersecurity firm Flashpoint, stolen credentials typically appear on dark web markets within 24 to 48 hours of the breach that produced them. In some cases, particularly when data is stolen through automated malware rather than manual exfiltration, credentials appear within hours. The window between "breach happened" and "credentials are for sale" is shrinking every year.
How Business Credentials End Up on the Dark Web
There are three primary pathways through which your business email addresses and passwords arrive on dark web markets. Understanding each one matters because the remediation steps are different.
Third-Party Data Breaches
This is the most common source, and it's one of the most frustrating because it's completely outside your control. When a vendor you use — a SaaS platform, an industry association portal, an online ordering system, a professional services directory — suffers a breach, the email addresses and passwords of every customer in their database become available to the attackers.
If your employees use the same password for that third-party service as they use for your company's Microsoft 365 account, the attacker now has your Microsoft 365 credentials without ever touching your systems. This is why password reuse is so dangerous, and it's why even companies with strong internal security get exposed through their vendors.
Major third-party breaches that have produced billions of exposed credentials include LinkedIn (2012, 165 million accounts), Adobe (2013, 153 million), and thousands of smaller platforms that never made national news. These databases circulate on dark web forums for years after the original breach.
Phishing and Social Engineering
Phishing attacks directly harvest credentials by tricking employees into entering their login information on fake websites that look identical to legitimate services. A convincing Microsoft 365 login page, a fake QuickBooks billing notice, a spoofed bank portal — the visual quality of phishing pages has improved to the point where trained employees regularly get fooled.
Business email compromise phishing campaigns are often highly targeted. Attackers research LinkedIn, your company website, and your social media presence to construct emails that reference real projects, real names, and real context. A project manager getting an email about "the invoice from Tuesday's meeting" from what appears to be a known subcontractor is operating in a high-pressure, high-volume work environment where scrutinizing every email link isn't realistic without training and tooling.
Malware and Infostealer Infections
Information-stealing malware — commonly called infostealers — runs silently in the background of a compromised machine, harvesting credentials saved in browsers, email clients, and application configurations. Modern infostealers like Raccoon Stealer, RedLine, and Vidar can extract passwords from Chrome, Firefox, Edge, and every major browser's saved password store within seconds of execution.
The stolen data gets packaged into "logs" — compressed archives containing every credential, cookie, and autofill entry harvested from the machine — and automatically exfiltrated to the attacker's infrastructure. These logs are then sold on dedicated Telegram channels and dark web forums, often within hours of collection.
What Types of Business Data Are Traded
When we conduct dark web scans for prospective clients at IT Center, here is what we're actually finding in the data:
Email Address and Password Combinations
The basic building block of credential markets. A corporate email address paired with a working password gives attackers access to email, connected SaaS tools, single sign-on systems, and anything else that authenticates against that email domain. When we scan a new client's domain, we routinely find dozens of credential pairs from multiple breach sources spanning years.
Banking and Financial Service Credentials
Login credentials for business banking portals, payroll processors (ADP, Paychex), and accounting software (QuickBooks, Sage) command premium prices on credential markets because the path from credential to cash is direct. A working login to a business bank account with wire transfer capability is worth hundreds of dollars on criminal markets — a tiny fraction of what a single fraudulent wire can yield.
Customer and Patient PII
If your business collects and stores customer data — names, email addresses, phone numbers, mailing addresses, purchase histories, or any health-related information — that data has value on dark web markets. Customer PII gets used for targeted phishing against your clients, for identity fraud, and for building profiles used in more sophisticated social engineering attacks. A breach of your customer database can expose thousands of third parties to harm, triggering legal liability under California's data breach notification laws.
Active Session Tokens and Cookies
Infostealer malware harvests not just passwords but active browser session cookies — the files that keep you logged into services without requiring a password re-entry. With a valid session cookie, an attacker can access your Microsoft 365, your Google Workspace, or your banking portal without knowing your password and without triggering multi-factor authentication, because the session is already authenticated. This is one reason why MFA alone doesn't eliminate credential risk.
How Dark Web Monitoring Works
Professional dark web monitoring is significantly more sophisticated than running a search engine query. The monitoring ecosystem involves several technical approaches working in parallel.
Breach Database Indexing
When major data breaches occur, the stolen datasets eventually surface on dark web forums, hacker communities, and file-sharing networks. Security research firms — and the services built on their infrastructure — index these datasets continuously. When a new breach database appears, it gets processed and cross-referenced against monitored domains. If your company's email addresses appear in the dataset, you get an alert.
This is the technology behind services like Have I Been Pwned (HIBP), created by security researcher Troy Hunt. HIBP has indexed over 14 billion breached accounts across hundreds of known breach datasets and makes basic lookups available for free. It's an excellent starting point for individuals, and it provides an API that IT Center and other security providers use as one component of a broader monitoring program.
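As an added illustration of the cross-referencing step (example code written for this article, not IT Center's platform or HIBP's code), the script below parses a constructed combolist, keeps only pairs on assumed monitored domains, stores a SHA-1 fingerprint instead of the plaintext password, collapses duplicates, and flags passwords shared across accounts:

```python
"""Cross-reference a credential dump against monitored domains.
Added example, not IT Center's platform code. The dump text and the domains
are constructed; real combolists use the same email:password line shape."""
import hashlib
import re

MONITORED_DOMAINS = {"example-client.com", "example-client.net"}  # assumed client domains

# Constructed sample: mixed case, stray whitespace, a junk line, an empty
# password, an unrelated domain, a duplicate record and a shared password.
SAMPLE_DUMP = """\
alice@example-client.com:Summer2024!
Bob@Example-Client.com:hunter2
carol@unrelated.org:letmein
alice@example-client.com:Summer2024!
dave@example-client.net : P@ssw0rd
not an email line
eve@example-client.com:
frank@example-client.com:hunter2
"""

# One address, a colon, then the password (which may itself contain colons).
LINE_RE = re.compile(r"^\s*([^\s:@]+@[^\s:@]+)\s*:\s*(.*?)\s*$")


def parse_line(line):
    """Return (email, password) for a usable credential line, else None."""
    m = LINE_RE.match(line)
    if not m or not m.group(2):
        return None
    return m.group(1).lower(), m.group(2)  # mailbox lookup is case-insensitive in practice


def password_fingerprint(password):
    """SHA-1 of the password, the same fingerprint HIBP's Pwned Passwords uses.
    Only the hash is kept so plaintext never lands in the alert store; this is
    not a password-storage hash and must not be used as one."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def cross_reference(dump_text, domains, source):
    """One finding per distinct (email, password) pair on a monitored domain."""
    findings = {}
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, password = parsed
        domain = email.rsplit("@", 1)[1]
        if domain not in domains:
            continue
        key = (email, password_fingerprint(password))
        findings.setdefault(key, {"email": email, "domain": domain,
                                   "sha1": key[1], "source": source})
    return list(findings.values())


def reuse_index(findings):
    """Map each password fingerprint to the accounts sharing it. Two accounts
    with one fingerprint is the password-reuse signal the alert should call out."""
    index = {}
    for f in findings:
        index.setdefault(f["sha1"], []).append(f["email"])
    return {h: sorted(emails) for h, emails in index.items() if len(emails) > 1}
```

Running `cross_reference(SAMPLE_DUMP, MONITORED_DOMAINS, "constructed-dump")` yields four findings (the duplicate alice line and the empty-password line are dropped) and `reuse_index` reports the one fingerprint shared by two accounts.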
Paste Site Scanning
Credential dumps frequently appear on paste sites — web services designed for sharing text — before they migrate to more established forums. Paste sites like Pastebin, Ghostbin, and dozens of dark web equivalents are scanned continuously by monitoring services, with automated systems extracting and indexing email addresses and credential pairs as they appear. The window between a credential dump being posted and it being indexed can be as short as minutes.
Tor Network Intelligence
Enterprise-grade dark web monitoring platforms maintain dedicated infrastructure for navigating Tor network markets and forums. This involves automated crawlers that index marketplace listings, forum posts, and chat logs, as well as human intelligence analysts who maintain access to communities that require trust-building and reputation over time. These platforms monitor for mentions of specific company names, domains, IP ranges, and data types that would indicate your organization is being specifically targeted or discussed.
Threat Actor Tracking
Advanced monitoring goes beyond looking for your data after it's been stolen. It tracks the threat actors themselves — known ransomware groups, access brokers, and credential sellers — monitoring their activity patterns, their new listings, and their communications for signals that your sector or your company specifically may be in their crosshairs. This intelligence is what allows managed security providers to get ahead of an attack rather than responding after the fact.
Free Tools vs. Professional Monitoring: An Honest Comparison
The bottom line: Have I Been Pwned is a valuable free resource and every business owner should check their domain at haveibeenpwned.com right now. But it's a starting point, not a monitoring program. Professional monitoring covers the channels — fresh infostealer logs, private forums, access broker listings — that free tools don't reach.
What to Do When You Get a Dark Web Alert
An alert from IT Center's dark web monitoring isn't cause for panic — it's exactly the intelligence you need to act before the credential gets used against you. Here is the response protocol we walk every client through.
Step 1: Immediately Reset the Affected Account Password
The compromised password should be changed within minutes of receiving an alert, not hours. Use a strong, unique password generated by a password manager — not a variation of the previous password, and not a password used on any other service. If the same employee reused that password on other systems, those passwords need to change too.
Step 2: Revoke Active Sessions
Changing a password doesn't automatically invalidate existing authenticated sessions. An attacker who already used the credential to establish an active session in Microsoft 365, Google Workspace, or another platform remains logged in even after the password changes. In Microsoft 365, this means running the "Sign out of all sessions" command from the admin center. In Google Workspace, the equivalent is revoking all active sessions from the admin console. This step is frequently missed and leaves organizations exposed even after they've changed the password.
Step 3: Enable or Verify MFA Is Active
Multi-factor authentication is the single most effective control against credential-based attacks. Even if an attacker has a valid username and password, MFA requires a second factor — a code from an authenticator app, a hardware security key — that the attacker doesn't possess. If the affected account didn't have MFA enabled, enable it immediately. If it did, verify that the MFA configuration is correct and that no unauthorized authenticator devices have been added to the account.
Step 4: Audit Recent Login Activity
Before concluding the response, review the login history for the affected account to determine whether the credential was used before you received the alert. In Microsoft 365, the sign-in logs are available in the Entra ID admin center and show every authentication attempt, including successes from unexpected locations. In Google Workspace, review the account activity at myaccount.google.com. Look for logins from unfamiliar IP addresses, unusual geographic locations, or access at unexpected times.
Step 5: Assess the Scope
A single exposed credential is a contained incident. Multiple exposed credentials from the same source, or evidence that the original breach included more than just email/password pairs, warrants a broader investigation. IT Center will help you determine whether the exposure is isolated or part of a pattern that requires more extensive remediation — such as a malware scan of the affected employee's workstation if an infostealer infection is suspected.
The MFA caveat: Multi-factor authentication is essential, but it's not infallible. Attackers use real-time phishing proxies (tools like Evilginx) that intercept both the password and the MFA code in a man-in-the-middle attack, and session cookie theft bypasses MFA entirely. MFA dramatically raises the cost of credential attacks — it stops the vast majority — but it's one layer in a defense-in-depth strategy, not a complete solution on its own.
How IT Center Monitors Client Credentials
Dark web monitoring is a standard component of IT Center's managed security program. When you come aboard as a client, we configure monitoring for your email domain — every address under your company's domain is added to our monitoring scope. Our platform aggregates data from breach databases, paste site scanners, dark web crawlers, and threat intelligence feeds, correlating new findings against your domain in near real-time.
When a match is found, our security team reviews it before alerting you. We distinguish between stale data from old breaches that may already be handled and fresh exposures that require immediate action. Every alert we send includes the specific email address affected, the source of the exposure (breach name, dark web market, paste site), the type of data exposed, a severity classification, and the specific remediation steps your team needs to take.
We don't just send alerts and move on. Our team is available to walk through the response with you, execute the remediation steps in your Microsoft 365 or Google Workspace environment, and document the incident for compliance purposes — particularly important for businesses subject to California's data breach notification requirements under the CCPA or sector-specific regulations.
Beyond reactive monitoring, we integrate dark web intelligence with your broader security posture. An alert for an employee's credentials, combined with an anomalous login in your Microsoft 365 sign-in logs and an endpoint detection event on their workstation, paints a very different picture than an isolated credential alert from a three-year-old breach. That correlation is where managed security delivers value that a standalone monitoring tool cannot.
Post-Discovery Action Steps: The Complete Checklist
Whether the alert comes from IT Center, from Have I Been Pwned, or from your own investigation, here is the complete post-discovery protocol:
- Reset the exposed password immediately to a strong, unique credential generated by a password manager.
- Audit for password reuse — check whether the same password was used on any other business or personal service and change those as well.
- Revoke all active sessions for the affected account across all platforms (Microsoft 365, Google Workspace, VPN, banking portals).
- Enable MFA on the affected account if not already active, using an authenticator app rather than SMS where possible.
- Review sign-in logs for the past 30 to 90 days for any unauthorized access, unusual locations, or suspicious forwarding rules set up by an attacker.
- Check email rules and forwarding — attackers who access email accounts frequently set up forwarding rules to a secondary address, allowing them to continue reading communications even after the password is changed.
- Scan the employee's workstation for infostealer malware if the credential exposure appears to be from a fresh infostealer log rather than a historical breach database.
- Notify affected clients or partners if there is evidence the attacker used the compromised account to send phishing emails or make fraudulent requests.
- Document the incident with timeline, affected accounts, and remediation steps taken — required under CCPA and useful for any insurance claims.
- Brief your team on what happened and how to recognize similar threats going forward.
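As an added example for Step 4 and the sign-in log and forwarding-rule items in the checklist (written for this article, not IT Center's tooling), the script below builds a baseline from constructed sign-in records, flags successful logins from a new country, a first-seen IP or off-hours, and surfaces new inbox rules that forward mail; the office-hours window and all records are assumptions:

```python
"""Triage a user's sign-in history and mailbox audit trail after a dark web alert.
Added example, not IT Center's tooling. Records are constructed, simplified
versions of Entra ID sign-in entries and Exchange Online mailbox audit events."""
from datetime import datetime, timezone

# Assumed office hours 06:00-19:00 Pacific (PST), so 03:00-13:59 UTC is off-hours.
OFF_HOURS_UTC = set(range(3, 14))
# Real New-InboxRule parameters that send mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed history for the alerted account, oldest first.
SIGNINS = [
    {"time": "2026-01-10T14:05:00Z", "ip": "203.0.113.10", "country": "US", "succeeded": True},
    {"time": "2026-02-20T13:12:00Z", "ip": "198.51.100.7", "country": "US", "succeeded": True},
    {"time": "2026-03-01T03:27:00Z", "ip": "192.0.2.44", "country": "NL", "succeeded": False},
    {"time": "2026-03-01T03:28:00Z", "ip": "192.0.2.44", "country": "NL", "succeeded": True},
    {"time": "2026-03-02T15:00:00Z", "ip": "203.0.113.10", "country": "US", "succeeded": True},
]
AUDIT_EVENTS = [
    {"time": "2026-03-01T03:31:00Z", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "drop@mailbox.example", "DeleteMessage": True}},
    {"time": "2026-03-02T15:02:00Z", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(signins, review_start):
    """Countries and IPs from successful sign-ins before the review window. The
    baseline is only as clean as that period, so keep it long and sanity-check it."""
    countries, ips = set(), set()
    for s in signins:
        if s["succeeded"] and parse_ts(s["time"]) < review_start:
            countries.add(s["country"])
            ips.add(s["ip"])
    return countries, ips


def triage_signins(signins, review_start):
    """Successful sign-ins in the review window that break the baseline, with reasons."""
    countries, ips = build_baseline(signins, review_start)
    flagged = []
    for s in signins:
        t = parse_ts(s["time"])
        if t < review_start or not s["succeeded"]:
            continue  # failures matter for spraying analysis, but here we chase access
        reasons = [r for r, bad in (("new country", s["country"] not in countries),
                                    ("new ip", s["ip"] not in ips),
                                    ("off hours", t.hour in OFF_HOURS_UTC)) if bad]
        if reasons:
            flagged.append((s["time"], s["ip"], reasons))
    return flagged


def suspicious_inbox_rules(events, review_start):
    """New inbox rules in the window that forward or redirect mail."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule" or parse_ts(e["time"]) < review_start:
            continue
        fwd = sorted(FORWARDING_PARAMS & set(e["params"]))
        if fwd:
            hits.append((e["time"], e["params"]["Name"], fwd))
    return hits
```

With a review window starting 2026-02-25, the constructed data yields one flagged sign-in (new country, first-seen IP, off-hours) and one forwarding rule created three minutes after it, which is exactly the pairing the checklist tells you to look for.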
The Bigger Picture: Credential Security as Business Continuity
Dark web monitoring is not a luxury security control reserved for enterprises with dedicated security operations centers. For any business that relies on email, cloud applications, and digital financial systems — which is every business in 2026 — credential exposure is a direct path to operational disruption, financial loss, and reputational damage.
The businesses that handle credential exposures well are the ones that find out about them quickly, respond through a practiced process, and use each incident as input for improving their broader security posture. The businesses that get blindsided are the ones that assumed their vendors were handling data security, that their employees weren't reusing passwords, and that basic antivirus was sufficient protection against credential theft.
IT Center has monitored Southern California businesses since 2012. Our flat-rate managed security program includes dark web monitoring as a standard component — not an add-on, not a premium tier. We believe every business deserves to know when their credentials are exposed, and we believe the response to that knowledge should be fast, methodical, and supported by people who understand both the technical remediation and the business context.
Find Out If Your Business Data Is Already Exposed
We'll run a dark web scan against your email domain, walk you through what we find, and build a remediation plan for any active exposures. No obligation. No jargon. Just answers.
Get Your Free Dark Web Scan
Or call us directly: (888) 221-0098