Finding out you have some personal information available for sale on the dark web can be disturbing. How does this happen and is it serious?
The answer depends on how well you’ve followed best security practices.
Typically, your data ends up for sale because someone you trusted it with got compromised. This happens more often than you probably realize, and a number of websites are not very good at reporting an incident promptly, if at all.
Recently a client was notified by a monitoring firm that their data had been discovered on the dark web and wondered how that could be and what to do about it.
A quick search on haveibeenpwned [.] com showed the following:
So, not too surprising the data is for sale.
Should you be concerned?
It depends on what information is out there. In this case, no account or credit card info was lost. If you don't reuse passwords, have multi-factor authentication (MFA) turned on everywhere it's available, and continue to maintain a high degree of vigilance, you've effectively reduced your risk of compromise, and no additional actions are needed other than changing the password on the compromised site if they haven't forced you to do that already. If your phone number was compromised, you will also want to make sure you've enabled all the extra precautions available from your carrier to prevent a SIM-swapping attack.
Also keep in mind that this information is in the wild, so be on the lookout for criminals using phone calls, texts and/or emails to impersonate the compromised organization and try to get you to do things that are not in your best interest.
If you've not been so good with your passwords, or you are not sure whether you've used the compromised password in other places, change them immediately. You are in a race, as there are plenty of cybercriminals taking that email address and password combination and stuffing it into every website they can think of to see if they can get in before you get it changed. This is known as a credential stuffing attack (also called password stuffing). Having MFA enabled also makes it very difficult for a stuffing attack to succeed.
If credit card or other account information was lost, you’ll want to notify those institutions. You will also want to keep an eye on your credit report and consider freezing your credit.
Definitions
The dark web - a part of the internet that is not indexed by traditional search engines. It is a network of websites and online platforms that require specific software, configurations, or authorization to access. The dark web is known for its anonymity and is often associated with illegal activities, such as the sale of drugs, weapons, stolen data, and hacking services.
SIM swapping attack - also known as a SIM card swap scam or SIM hijacking, this is a type of cyber-attack where an attacker fraudulently transfers a victim's phone number to a SIM card under their control. This attack typically involves social engineering techniques to convince a victim's mobile service provider to transfer the phone number to a new SIM card owned by the attacker. Once the attacker gains control of the victim's phone number, they can intercept calls and messages, bypass MFA, and gain unauthorized access to various online accounts.
Credential stuffing - a process where malicious actors take stolen usernames and passwords from one site and use them to gain access to other accounts on other sites. The idea behind it is that if a user has reused their username and password combination on multiple sites, then a hacker can potentially gain access to those.
Source: Security Snapshot