Your passwords have probably been stolen and sold on the dark web


Hackers are after your personal data, for profit

EThamPhoto/Alamy

Make sure you use a good mix of characters. Avoid your pet’s name. Most of all, never reuse a password. We all know the rules for ensuring that the keys to our digital kingdoms remain secure, and we probably all break them – and that is when hackers sweep in to make money from selling your data.

Marketplaces for stolen personal data thrive on the dark web, sites that lie beyond the borders of the regular internet and can only be accessed through software such as Tor, which was originally designed by US intelligence agencies for covert communications. Not everything there is nefarious – BBC News runs a dark web site for people living under oppressive surveillance, for instance – but a lot of it is.

To find out more, I turned to Rory Hattingh, an ethical hacker at a company called Evalian, who spends his time breaking into companies – legally – to test security. He tells me there is an “exceptionally small” chance that none of my private data has been leaked by hackers. I have written about technology for long enough to understand how prevalent data breaches are, but being confronted with the stark reality that this includes me is admittedly a bit of a wake-up call.

Hattingh begins by showing me a website called Have I Been Pwned (a slang term meaning that your data has been compromised), which compiles usernames and passwords shared on the dark web into a single searchable database. I entered my email address and, worryingly, found it had been caught up in 29 hacking attacks.

The most recent happened in 2024, when the Internet Archive was attacked and my email and password were leaked. My details had also been part of 122 gigabytes of user data scraped from thousands of Telegram channels, as well as a database called Naz.API that was originally posted to a hackers’ forum. Other attacks listed involved stolen postal addresses, job titles, phone numbers, IP addresses, password hints and dates of birth from services including Adobe, Dropbox and LinkedIn.

In theory, these leaks are of limited value: if LinkedIn, say, is hacked and your username and password are leaked, then that doesn’t affect your Facebook account. That’s unless, of course, you are one of the more than 60 per cent of people who use the same password over and over and over again. In that case, hackers can take these details and leap around the internet, using them anywhere they can think of – usually in a lightning-fast, automated way. Then, says Hattingh, “you’re in a lot of trouble”.

This could include online shopping with your stored payment details, PayPal account or cryptocurrency wallets. Getting access to one account can also help gain entry to others, with email being the jackpot. Once you can send and receive emails from an account, you can reset passwords and break into all manner of other websites, not to mention household billing accounts and perhaps even online banking. Hackers with access to social media or email accounts can also attempt to defraud friends and family with fake tales of emergencies that require a quick bank transfer. The fact that these are coming from a real account gives these tricks an air of plausibility that can be enough to overcome suspicion until it is too late.

To make matters worse, although some companies that suffer hacks are swift to inform people and urge them to change their passwords, others can be more sluggish, leaving people vulnerable for months or even years. Hattingh says that in a previous job, for unnamed clients, he would see ransomware attacks that came and went with little panic. These attacks see the victim’s data being encrypted and held to ransom, rendered useless unless you pay the hacker for the password – but increasingly, some companies just see this as the cost of doing business.

“These companies would get hacked two, three times a year,” says Hattingh. “They’ve got a slush fund for when things go wrong. They pay up and carry on with life. And this is happening all over the world, all the time.”

As concerning as it was to see my personal data out in the open like this, records on Have I Been Pwned are akin to the mechanically reclaimed meat you might find in chicken nuggets. Hattingh says the premium steak of personal data comes when sophisticated hackers first breach a website and steal a fresh haul to sell on to others, who profit from exploiting it. Once those first buyers have extracted what they can, the data will be sold on again and again. Once the most profitable bits of data have been picked out, the rest may end up being released for free on a hackers’ forum, Telegram channel or some other dark corner of the web, where Have I Been Pwned also picks it up.

Working my way up the food chain, Hattingh then showed me a paid-for service called DeHashed that offers not only a broad description of breaches like Have I Been Pwned does, but also their actual contents, including passwords. The name of the service refers to the common security process of “hashing”, or obscuring a password to stop it being copied. Dehashing, of course, strips this away. What I thought was the worst case, but I now realise is actually the norm, turns out to be true: at least one of the passwords listed alongside my email address is both familiar and current. In theory, there had been nothing to stop hackers – or anyone with a passing interest – logging into at least one of my online accounts.

DeHashed is a paid service, costing $219.99 a year, which purports to be for “law enforcement agencies and Fortune 500 companies”. I contacted the company to ask if they are concerned that their tool, which admittedly only collates details leaked elsewhere, could be useful for hackers as well as security workers. I received no response.

I decided I had to go deeper into the dark web. I spoke to Anish Chauhan at Equilibrium Security Services, who showed me the results of a search performed by his team’s bespoke software, which crawls even wider and deeper than the commercial tools I had seen so far. He had found 24 passwords linked to my online accounts.

“Users might say, ‘I’ve got a 200-character password, no one’s ever gonna brute force that’,” says Chauhan. “But say they then use that on every single website they use. It kind of makes it irrelevant really, because it’ll eventually get breached. As humans, we just take the path of least resistance, you know?”

Chauhan says the solution is relatively simple and that we have all heard it before: use a different password for every single account. Having seen how my details have been widely shared, it becomes starkly clear why this is important.

The thing is, the tools to make this easy are already there – most modern devices and internet browsers should come with a password manager that generates random strong passwords and remembers them all for you. If you are concerned that your passwords have already leaked, it might be worth checking out Have I Been Pwned or paying for more extensive services that scour the nefarious regions of the internet for evidence of a leak.
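The check described above can be sketched in code. This is an added example, not part of the original article or of any service it names: it audits a list of stored logins for reuse and for breach exposure using the prefix-based range lookup format of Have I Been Pwned's Pwned Passwords service (`SUFFIX:COUNT` lines for a 5-character SHA-1 prefix), so the full password hash never leaves the machine. The vault contents, the breach counts and `fake_fetch_range` are constructed stand-ins so that it runs offline.

```python
import hashlib
import secrets
import string
from collections import defaultdict

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password, fetch_range):
    """Breach count for a password; only a 5-char hash prefix leaves this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padding entries carry a count of 0
    return 0

def reused_passwords(vault):
    """Map each password shared by more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}

def generate_password(length=20):
    """Random password from a CSPRNG, as a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(vault, fetch_range):
    """Flag every account whose password is breached or reused."""
    reused = reused_passwords(vault)
    return {account: {"breached": pwned_count(pw, fetch_range) > 0,
                      "reused": pw in reused}
            for account, pw in vault.items()}

# Constructed sample data: a fake breach corpus and a fake vault.
LEAKED = {"Rex2019!": 4821, "hunter2": 17043}
VAULT = {"linkedin": "Rex2019!", "dropbox": "Rex2019!",
         "shop": "hunter2", "email": "t9$Lw!vQ2#zKp7@eRb4X"}

def fake_fetch_range(prefix):
    """Offline stand-in for the range lookup: returns 'SUFFIX:COUNT' lines."""
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in LEAKED.items()
             if sha1_hex(p).startswith(prefix)]
    lines.append("0" * 35 + ":0")  # padding entry, must not count as a hit
    return "\r\n".join(lines)

if __name__ == "__main__":
    for account, flags in audit(VAULT, fake_fetch_range).items():
        print(account, flags)
```

To run it against live data, replace `fake_fetch_range` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body.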

In recent years, I have used a password manager to generate strong passwords and organise them for me, but I realise that some services I have used for a long time have been allowed to fester with old and hacked logins. I spend an evening rectifying that, not least because I want to be prepared before this article is published.

But I’m not beating myself up too much. Faced with endless demands to come up with new login details, it is no wonder we sometimes take the easy way out. I am certainly not alone in doing so.

“I’m a pretty tech savvy person, and I barely change my passwords,” says Hattingh. “For work, I change it, but in my personal life, I’m a little bit more lazy.”
