Security

Dark Web Monitoring: How to Know If Your Data Has Been Breached

By Tobava Security Team  ·  April 22, 2026  ·  8 min read

Every week, somewhere in the world, a company suffers a data breach. Customer databases are stolen, hashed passwords are cracked, email addresses are sold on underground forums. In 2025, over 5 billion records were exposed in publicly disclosed breaches — a figure that excludes the many incidents that are never reported or discovered.

Most people find out their data has been breached months or years after the fact, if they find out at all. By the time you receive a notification, the damage is often already done: your password has been used in credential stuffing attacks, your email address has been added to spam lists, and your personal details may have been combined with data from other breaches to create a more complete profile.

Dark web monitoring is a technique for finding out earlier — sometimes within days of a breach being published on criminal forums.

What Is the Dark Web?

The dark web is the part of the internet reachable only through specialised software, most commonly the Tor Browser, which connects to sites hosted as Tor onion services (.onion addresses). These sites are not indexed by search engines and cannot be opened in a regular browser. The dark web has legitimate uses; it is widely used by journalists, activists, and citizens in repressive countries. It also hosts criminal forums and marketplaces where stolen data is bought and sold.

When a company is breached, attackers typically extract the customer database and either use it directly for fraud or sell it on dark web forums and marketplaces. These databases contain combinations of email addresses, usernames, passwords (hashed or plaintext), names, physical addresses, phone numbers, and sometimes financial information.

The time between a breach occurring and the data appearing for sale on dark web forums varies widely. Some attackers sell data immediately. Others use it for months before selling. In some cases, data sits in criminal hands for years before appearing publicly.

How Dark Web Monitoring Works

Dark web monitoring services continuously collect breach dumps from known criminal forums, paste sites (where stolen data is often posted publicly), and underground marketplaces. When a new breach database is published, whether for sale or for free, the service attempts to obtain and index it, then matches the indexed records against the email addresses and other identifiers its customers have registered. Coverage is therefore limited to what the service can actually collect: data traded privately, or kept by the attacker for their own use, will not trigger an alert.

The most widely used free tool is Have I Been Pwned (haveibeenpwned.com), created by security researcher Troy Hunt. It indexes billions of records from thousands of breaches and lets you check whether your email address appears in any known breach. Individual lookups are free, do not require an account, and the service is widely trusted by security professionals. It also offers a "Notify me" subscription that emails you when your address turns up in a newly loaded breach, and a separate Pwned Passwords service that lets you check whether a specific password has appeared in a breach without sending the password itself: only the first five characters of its SHA-1 hash leave your machine.
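To make the "without sending the password itself" point concrete, here is the client side of the Pwned Passwords range lookup written out. This is an added example, not code from the article or from Have I Been Pwned; the endpoint and the Add-Padding header are the real ones, but the sample range response and its counts are constructed for the example so it runs offline. It goes slightly beyond the email check described above by showing the password-side protocol (k-anonymity on the hash prefix).

```python
"""Client-side logic for Have I Been Pwned's Pwned Passwords range API.

Added example, not code from the original article or from HIBP. Shows the
k-anonymity protocol: only the first 5 hex characters of the SHA-1 hash
leave your machine; matching the returned suffix list happens locally.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 uppercase hex chars (HIBP's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): 5 hex chars to send, 35 that stay local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.

    A count of 0 comes from the optional Add-Padding mode (dummy rows added
    so the response size does not reveal how many real rows exist) and means
    'not actually seen'.
    """
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password: str, response_text: str) -> int:
    """How many times the password appears in the breach corpus, given the
    range response for its prefix. 0 means absent (or a padding row)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Not called by the offline demo below."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6 (the real one has
# hundreds of rows; these counts are made up for the example).
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"  # suffix of SHA-1("password")
    "0049A9C1E9B86A1E67C5B0F1F0A0D0A1B2C:2\r\n"
    "FFFF0000AAAA1111BBBB2222CCCC3333DDD:0\r\n"      # padding row
)

if __name__ == "__main__":
    pw = "password"
    prefix, suffix = split_for_range_query(pw)
    print(f"send {prefix!r} to the API; keep {suffix!r} local")
    print("seen", count_in_range(pw, SAMPLE_RANGE_5BAA6), "times (sample data)")
```

The server never sees the full hash, let alone the password; it returns every suffix sharing the five-character prefix (a few hundred rows), and the match is made locally. Treat any non-zero count as "do not use this password anywhere".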

Paid dark web monitoring services — offered by companies including Experian, Norton, and various identity protection providers — claim to go further, scanning forums and marketplaces that require membership to access and providing real-time alerts. The quality varies significantly. Some are genuinely useful; others are largely marketing exercises that monitor the same publicly available data as free services.

What to Do If You Appear in a Breach

Finding your email address in a breach database is alarming but manageable. The appropriate response depends on what type of data was exposed.

If only your email address was exposed: Expect an increase in phishing emails and spam. Update your spam filters. Be more sceptical of unexpected emails claiming to be from services you use.

If your password was exposed:

  1. Change the password on the breached service immediately; do not wait for the service's own breach notification, which may arrive weeks later or not at all.
  2. Change the same password on any other service where you used it — password reuse is how one breach cascades into many.
  3. Enable multi-factor authentication on the breached account and on any other accounts that used the same password, preferring an authenticator app or hardware security key over SMS codes where the service allows it.

If financial information was exposed: Contact your bank or card issuer immediately. Request new card numbers. Review recent transactions for unauthorised charges. Place a credit freeze with the major credit bureaus if names and addresses were also exposed.

If your address and identity documents were exposed: This is the most serious scenario. Consider placing a fraud alert or credit freeze with credit reporting agencies. Monitor for identity theft — new accounts opened in your name, unexpected credit inquiries, or unfamiliar correspondence.

Reducing Your Exposure

The most effective way to limit the damage from a data breach is to ensure that your passwords are unique to each service. If every account has a different password, a breach at one service cannot be used to access your accounts elsewhere.

A password manager — 1Password, Bitwarden, or the built-in manager in your browser — makes this practical. You only need to remember one master password; the password manager generates and stores a unique, complex password for every site.

Common mistake: Using variations of the same password across multiple sites (e.g., "email2024", "email2025") is nearly as risky as using identical passwords. Credential stuffing and password cracking tools apply mangling rules (appending years or digits, swapping case, leetspeak substitutions) to every leaked password as a matter of course, so the variant is tried within the first few guesses.
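A small check that captures why these variants offer so little protection. This is an added example, not code from the article: it reduces a password to a "core" by stripping the decorations mangling rules add (trailing years, digits, symbols, case, common leetspeak) and flags a candidate whose core matches a breached password. The rule set is illustrative; real cracking tools ship thousands of such rules.

```python
"""Flag a 'new' password that is only a trivial mutation of a breached one.

Added example, not from the article. Normalises both passwords to a core
the way a mangling rule set would undo them, then compares. The LEET map
and the decoration character classes are an illustrative subset, not the
full rule list any real tool uses.
"""
import re

# Common leetspeak substitutions, folded back to letters.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits and symbols typically appended or prepended by mangling rules.
TRAILING = re.compile(r"[0-9!@#$%^&*.?_-]+$")
LEADING = re.compile(r"^[0-9!@#$%^&*.?_-]+")


def core(password: str) -> str:
    """Strip cheap decorations, then fold case and leetspeak, so that
    'Email2024!' and 'em@il2025' both reduce to 'email'."""
    s = TRAILING.sub("", password)
    s = LEADING.sub("", s)
    return s.lower().translate(LEET)


def is_trivial_variant(breached: str, candidate: str) -> bool:
    """True if candidate differs from breached only by decorations that a
    stuffing tool tries automatically. Exact reuse counts as well."""
    if breached == candidate:
        return True
    c = core(candidate)
    if not c:  # candidate is all decoration; nothing meaningful to compare
        return False
    return c == core(breached)


def offending_matches(candidate: str, breached_passwords: list[str]) -> list[str]:
    """Which of the known-breached passwords the candidate is a variant of."""
    return [b for b in breached_passwords if is_trivial_variant(b, candidate)]


if __name__ == "__main__":
    # Constructed sample: passwords that appeared in a breach dump for this user.
    leaked = ["email2024", "Summer2023!", "hunter2"]
    for new_pw in ["email2025", "summer2024", "P@ssw0rd1!", "Tr3e-Hous3-Kite-77"]:
        hits = offending_matches(new_pw, leaked)
        verdict = "REJECT, variant of " + ", ".join(hits) if hits else "ok"
        print(f"{new_pw!r}: {verdict}")
```

The same normalisation is what a sensible password policy or password manager warning applies: a candidate whose core equals a breached core is not a new password in any sense an attacker cares about, while a randomly generated one (the last candidate above) is untouched by the rules and is correctly not flagged.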

Using a privacy-focused email provider that does not sell your address to third parties also reduces your exposure, though only for one channel: your provider cannot be the source of your address in advertising-related data sales if it does not share it, but any other service you register with can still leak it. Using a separate alias per service, where your provider supports it, lets you see which service leaked and retire that alias. Services like Tobava Mail and Proton Mail do not monetise your data.

How Long Does Breached Data Circulate?

Once data is published on criminal forums, it circulates indefinitely. Breach databases from 2012 are still in use today in credential stuffing campaigns. Data does not expire. A password you used ten years ago on a site that was subsequently breached may still be tested against your current accounts if you have ever reused it.

This is why security professionals recommend checking Have I Been Pwned periodically, not just after you hear about a specific breach. Breaches are often discovered and published long after they occur.

Australian-Specific Resources

Australian residents affected by data breaches have specific rights under the Privacy Act 1988 and the Notifiable Data Breaches scheme. Organisations covered by the Privacy Act are legally required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a breach is likely to cause serious harm.

If you believe an Australian organisation has mishandled your data following a breach, you can lodge a complaint with the OAIC at oaic.gov.au. For cybercrime reporting, use ReportCyber.gov.au operated by the Australian Federal Police and the Australian Cyber Security Centre.

Tobava Mail includes built-in breach alert notifications. We monitor known breach databases and notify you if your Tobava address appears.