My Personal Info Ended Up on the Dark Web. This Is What Happened Next.
A few months ago, while happily flipping through dog photos on Instagram, I got an email from my credit card provider; subject line: “We have urgent information about your account.” Assuming by “urgent” they meant, “your credit card is expiring in nine months and this is email 1 of 257,000 to remind you we’re sending you a new card,” I opened it and was greeted with this instead: “We found your personal information on the dark web.”
Well that escalated quickly.
The email went on to say that much of my personal information had been found on a routine dark web search and that I needed to call them immediately. Starting to assume this was some sort of elaborate phishing scheme, I dug out my credit card and called the number on the back instead of the one in the email and was feeling pretty cocky about busting this elaborate hoax when the representative confirmed that nope – that email was very real.
My information—including my full name, email address, and driver’s license—had been found on nine different dark web searches. The fraud expert assured me it could be much worse, gave me some basic instructions on how to check my credit report and update my security, and quickly got off the phone while I sat there trying to remember what little I knew about the dark web. Spoiler alert: not a lot.
So, what’s the dark web?
Turns out, what most of us spend our days on is just what’s known as the surface, or public, web. Comprised of stuff like news and social media sites, blogs, and online retailers, the surface web is everything that shows up in a Google search. But that isn’t even a fraction of the internet. As of 2017, the public web made up only 4 percent of what is available online, according to Experian.
The largest chunk of the internet-sphere is the deep web, which admittedly is a pretty intimidating name for something that is largely harmless. Making up 93 percent of what is available online, the deep web is typically just your private sites and databases like internal company websites, member-only sites, and pay-walled sites. In other words, despite what those memes your crazy aunt keeps sharing on Facebook say, the deep web is just all the normal everyday stuff that isn’t indexed by Google.
At the very bottom (figuratively) sits the dark web. The dark web is essentially a hidden network of websites you need a special resource to access. Dark web sites are often heavily encrypted and hosted on anonymous servers. To access the sites, users go through another anonymous resource like Tor (short for “the Onion Router,” a network of servers developed originally by the U.S. Navy that allows users to search anonymously). Not everything on the dark web is bad, but that level of anonymity makes a host of illegal stuff possible. Rumor has it you can buy everything from assault rifles to heroin on the fly.
Selling identities in bulk
When it comes to personal information, you can buy anything from subscription service logins to passports on the dark web. And if your personal information makes it to the dark web, it can be bought on the cheap. In 2017, Experian found the going rates for some dark web sites:
Social Security number: $1
General login: $1
Credit card number with CVV: $5
Debit card number with bank info: $15
Driver’s license: $20
Buyers can also pick up what’s known as a “Fullz,” basically a bundle deal that includes your full name, date of birth, Social Security number, account numbers, and a collection of other data for around $30 a pop. Just like any traditional supply and demand chain, data prices vary depending on the market, but they can also vary depending on the person. If we’re being honest, I hadn’t given identity theft a ton of thought because I didn’t think my comparatively meager savings and credit card limits would be of any real value. But there’s a buyer for every stolen Fullz. Experian found prices can increase for bundles that include higher account balances, but smaller-time hackers can also pick up tons of average consumers’ personal info on the cheap, making up for the smaller account balances in bulk.
Stolen identities are quickly becoming big business. A report from IntSights, a cyber intelligence firm, found the number of hacked credit cards showing up on the dark web jumped 135 percent in the last six months of 2017—up to more than 4,000 credit cards per bank available for sale.
What happens next
Surprisingly, my credit card provider wasn’t that concerned some of my data had been found on the dark web—after all, they’re used to it. I was expecting them to tell me to shut off all my accounts, wait for new cards and numbers, and possibly pack up my belongings and head to the mountains to live the rest of my days off the grid, but that didn’t happen. It was up to me to decide how far I did and did not want to take my ensuing freak-out.
The first thing I did was to change all my passwords to new, unique passwords and lock those in a good-quality password manager. Not that a new mix of numbers, letters, and characters on my Petco.com account was going to prevent my identity from being sold on the dark web, but most experts and the credit bureaus agree you should update your passwords after every data hack you’re accidentally involved in.
From there, I ordered copies of my credit histories from Equifax, Experian, and TransUnion. (You can get these free once per year through annualcreditreport.com and, after a major breach like this, getting all three at once to check for any possible problem is a good idea.) I got lucky and nothing unusual showed up.
For people wanting an extra layer of security, a credit monitoring service can alert you to any change on your credit report—including new credit inquiries—and that can save you a huge financial headache later if your information is stolen and used. Check with your credit card provider first; many (mine included) offer credit card monitoring free for customers. Otherwise, you can sign up through any of the credit bureaus. Fair warning though: expect to pay a fee and to be signed up for automatic, and difficult to cancel, monthly renewal if you order through the credit bureaus.
If I was really worried, or had found something suspicious, the credit bureaus recommended setting a freeze on my credit report. For a $3 to $10 per credit report fee, a freeze puts a hold on your credit. Lenders can’t pull it, even if someone signs up for a new credit card or service using your personal information. It sounds like a good idea at first, but there are some downsides. First, it doesn’t protect you from everything. If someone buys your credit card numbers from the dark web, they can still go out and charge up to your limit—a freeze can only prevent new accounts from being opened under your name. (Though you can freeze your credit cards if you’re worried about possible theft.) Second, if you need to do anything that requires a credit check, like opening a new credit card, applying for a loan, or leasing an apartment, you’ll have to pay to unfreeze your credit reports and then pay again if you want to lock things back down. Ultimately, I decided credit monitoring was enough.
What about those commercials?
Not long after I got the alert from my credit card company, I started seeing TV spots advertising Experian’s free dark web scan. It sounds like a pretty decent deal on the surface. You just need to give them your email and they’ll run a dark web scan for you, sort of how my credit card company had done automatically. Problem is, I always doubt the motivations of a “good deal.”
So did David Lazarus of The Los Angeles Times. After researching the 17,600-word novella terms of service, Lazarus found two particularly iffy clauses: one strips you of your right to sue Experian, and another signs you up for marketing offers. Hooray!
Ignoring that, Lazarus signed up anyway. His work email did turn up in a dark web search, but then hidden monthly fees started popping up left and right (as they so often do when you’re dealing with the credit bureaus).
Experian wasn’t able to tell Lazarus anything else about the results of their dark web search, but he did say they had a solution:
“Experian was able to say that maybe more extensive searches, including for my Social Security number, driver's license number and credit card numbers, would turn up something more significant. It would be happy to do this and more… for just $9.99 a month.”
So far, a few months into my scary alert email, nothing has really happened to my credit history and the strange charges on my cards are mostly due to my overzealous approach to the Amazon one-click button, but the whole experience has led to me doing the financial equivalent of always looking over my shoulder. I log in and check my credit monitoring at least once a week now, even if I don’t get any alerts, and I’m suddenly finding myself reading a lot more articles about financial security.