How To Check If Your Email Has Been Sold On The Dark Web For Free

Your Email Is Probably Already Out There. Here's How to Find Out for Free.

A friend of mine got a call from her bank last year. Someone had tried to open a credit card in her name using an email address she hadn't touched in six years. An old Hotmail account from college. She'd completely forgotten it existed. The person trying to steal her identity hadn't.

That old account had been sitting in at least three data breaches — a gaming site, a coupon app, and a forum she signed up for once in 2011 and never visited again. Her email, password, and in one case her date of birth, had been packaged up and sold multiple times on dark web marketplaces. She had no idea until the fraud attempt.

This happens more than people realize, and the scary part isn't the big breach you hear about on the news. It's the small ones from sites you forgot you ever used.


Start Here: Have I Been Pwned

The single most useful free tool for this is Have I Been Pwned, built by security researcher Troy Hunt. You type in your email address, and it cross-references it against a database of over 13 billion compromised accounts pulled from known breaches.

It takes about four seconds. No account required. No email confirmation loop. Just type your address and see. (The web form is free for anyone; if you want to query email addresses programmatically, the HIBP API requires an API key, though the breach catalogue and the Pwned Passwords lookup are available without one.)

What you get back is a list of specific breaches — the name of the site, when it happened, and what data was exposed. Not vague categories. Actual specifics: "your password was exposed," "your phone number was exposed," "your physical address was exposed." That specificity matters because it tells you how bad each one actually was.

According to Have I Been Pwned, the site is run as a free public service and has been used to notify millions of people about their compromised credentials. It's regularly cited by government agencies and law enforcement as a legitimate resource.

Check every email address you've ever used. That includes the embarrassing one from high school, the one you made for a free trial, and the work address from a job you left four years ago. Old addresses don't stop being vulnerable just because you stopped logging in.


The Counterintuitive Part Most Articles Skip

Here's what almost no one tells you: finding your email in a breach database is not actually the emergency. The real emergency already happened — possibly years ago. The breach is in the past. What you're doing now is damage assessment.

This matters because people see a breach notification and panic about the wrong thing. They rush to change the password on the breached site, which is fine, but they don't check whether they used that same password anywhere else. That's where the actual damage gets done.

Attackers don't manually try your stolen credentials on one site. They use automated tools that test username/password combinations across hundreds of sites at once, a technique called credential stuffing. According to CISA, credential stuffing is one of the most common causes of account takeovers, and it works precisely because people reuse passwords: a single hit from a list of millions of stolen pairs is enough to justify the effort.

So if your email and password from a 2016 forum breach are sitting in a criminal's list, they've almost certainly already been tested against your bank, your email provider, and your Amazon account. The question isn't whether the breach happened. It's whether you've closed the doors it opened.
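From the defender's side, the signature of credential stuffing is the mirror image of the attack: one source trying many different usernames, mostly failing, with the occasional success that marks a real takeover. The following is an added example, not code from the article or from CISA; the log format is hypothetical and the log lines are constructed for illustration. It flags source IPs that tried many distinct accounts with a high failure rate and lists the accounts where the stuffed credential actually worked, which are the ones to lock first.

```python
"""Flag credential-stuffing patterns in a web application's login log."""
import re
from collections import defaultdict

# Hypothetical log format (assumption for this example, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log, not real data. 203.0.113.7 sprays six different
# accounts in under a minute and gets one hit; 198.51.100.4 is an ordinary user
# who mistypes once and then succeeds; 192.0.2.9 is a single failure.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-03-02T10:15:03Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-03-02T10:15:04Z ip=198.51.100.4 user=carol@example.com result=FAIL
2024-03-02T10:15:06Z ip=203.0.113.7 user=dave@example.com result=OK
2024-03-02T10:15:08Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-03-02T10:15:09Z ip=198.51.100.4 user=carol@example.com result=OK
2024-03-02T10:15:11Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-03-02T10:15:14Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-03-02T10:15:20Z ip=192.0.2.9 user=heidi@example.com result=FAIL
"""

# Thresholds are illustrative; tune them to the traffic of the real application.
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.6


def parse_log(text):
    """Yield (ip, user, result) for every line that matches LOG_RE; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def detect_stuffing(text, min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: {"users": n, "failures": n, "successes": n, "hits": [...]}} for
    each source IP whose pattern looks like stuffing: many distinct usernames and
    a mostly-failing attempt stream. 'hits' are the accounts where a stuffed
    credential worked, i.e. the likely takeovers to act on first."""
    stats = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0, "hits": []})
    for ip, user, result in parse_log(text):
        s = stats[ip]
        s["users"].add(user)
        if result == "OK":
            s["successes"] += 1
            s["hits"].append(user)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in stats.items():
        attempts = s["failures"] + s["successes"]
        if len(s["users"]) >= min_users and s["failures"] / attempts >= min_fail_ratio:
            flagged[ip] = {
                "users": len(s["users"]),
                "failures": s["failures"],
                "successes": s["successes"],
                "hits": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} accounts tried, {info['failures']} failed, "
              f"takeovers to investigate: {info['hits']}")
```

A per-IP heuristic like this catches the noisy version of the attack. Operators who spread the same list across thousands of residential proxies will stay under the per-IP threshold, so in practice you also watch the site-wide failure rate and the share of attempts against usernames that have never logged in before.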


What to Actually Do After You Find a Breach

If Have I Been Pwned shows results, here's the order of operations:

First, identify which password was exposed. Have I Been Pwned tells you that a password was in the breach, not what it was, so if you can't remember what you used on that site, assume it's one you've reused elsewhere. Change that password everywhere you've used it, not just on the breached site.

Second, check whether the breached service still exists. If it does, log in and delete your account. There's no reason to leave your data sitting on a platform that's already proven it can't protect it.

Third, turn on two-factor authentication on any account that matters, your email provider especially, since email is the master key to every other account. Even basic SMS-based 2FA is better than nothing, though it can be defeated by SIM swapping, and an authenticator app is significantly harder to bypass.

Attackers who acquire breached credentials often try password reset flows next, targeting security questions whose answers are frequently guessable from public social media profiles. Change your security questions on important accounts if the breach exposed personal data like your birth date or hometown.
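The two questions behind the first step, "is this password already in a breach corpus?" and "where else have I used it?", can be answered without ever sending a password anywhere. Have I Been Pwned's Pwned Passwords service is queried by k-anonymity: you hash the password with SHA-1, send only the first five hex characters to https://api.pwnedpasswords.com/range/{prefix}, and get back every matching suffix with its breach count, so the service never learns which password you were checking. The block below is an added example, not HIBP's code or the article's; it audits a constructed list of saved logins for reuse and for presence in the corpus. The range response is a constructed stand-in so the example runs offline (the counts and the other suffixes are made up); `fetch_range` does the real network call if you want to run it against the live service.

```python
"""Audit saved logins for password reuse and for presence in HIBP's Pwned
Passwords corpus, using the k-anonymity range API."""
import hashlib
import urllib.request
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix):
    """Fetch the live range for a 5-hex-char SHA-1 prefix. Needs network access."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii").splitlines()


def parse_range(lines):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; skip blank or malformed lines."""
    table = {}
    for line in lines:
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in Pwned Passwords (0 = not found).
    Only the 5-character prefix leaves the machine."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for one range response so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The count and
# the other two suffixes are made up, not copied from the live service.
FAKE_RANGES = {
    "5BAA6": [
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2B3F7A9C1D4E5F60718293A4B5C6D7E8F90:1",
    ],
}


def offline_fetch(prefix):
    return FAKE_RANGES.get(prefix, [])


# Constructed sample "saved logins", the kind of list a password manager exports.
SAMPLE_CREDENTIALS = [
    ("oldforum.example", "jane.old@hotmail.test", "password"),
    ("bank.example", "jane.old@hotmail.test", "password"),  # same password reused
    ("shop.example", "jane@gmail.test", "correct horse battery staple"),
]


def audit(credentials, fetch=fetch_range):
    """Return [(site, email, reused_on_n_sites, pwned_count)] for every entry whose
    password is reused or known-breached: the ones to rotate first."""
    by_hash = defaultdict(set)
    for site, _email, pw in credentials:
        by_hash[sha1_upper(pw)].add(site)

    cache = {}  # one range lookup per distinct password
    findings = []
    for site, email, pw in credentials:
        h = sha1_upper(pw)
        if h not in cache:
            cache[h] = pwned_count(pw, fetch)
        reused_on = len(by_hash[h])
        if reused_on > 1 or cache[h] > 0:
            findings.append((site, email, reused_on, cache[h]))
    return findings


if __name__ == "__main__":
    for site, email, reused_on, count in audit(SAMPLE_CREDENTIALS, fetch=offline_fetch):
        print(f"{site} ({email}): reused on {reused_on} sites, seen {count} times in breaches")
```

A password that is reused but not (yet) in the corpus still needs rotating; the breach that exposes it may simply not have surfaced. Conversely, a unique password that shows up in the corpus has been leaked from one of the sites in your own list, which narrows down where to look.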


Other Free Tools Worth Using

Google has a built-in Password Checkup at passwords.google.com that will flag any saved credentials that match known compromised ones. Note that it checks the passwords you've saved, not your email address, so it complements rather than replaces the Have I Been Pwned lookup. If you use Chrome and let it save passwords, this is worth running.

Firefox Monitor, at monitor.firefox.com (since renamed Mozilla Monitor), does essentially the same thing as Have I Been Pwned and actually pulls from the same underlying data. It's useful if you prefer a slightly more visual interface, and it offers breach alerts going forward.

None of these tools, Have I Been Pwned included, shows you the dark web marketplace listings themselves; they show you the breach source data. That's an important distinction. Services charging you $20/month to "scan the dark web" are mostly showing you the same breach datasets, wrapped in alarming language.


The Honest Limitation

These tools only show breaches that have been discovered and reported. Private sales between criminal actors, fresh breaches that haven't surfaced yet, and data from smaller regional leaks that never made it into public datasets — none of that shows up.

A clean result from Have I Been Pwned doesn't mean your data is safe. It means your data hasn't been found in any breach that's been publicly documented. Those are very different things. Treat it as useful information, not a clean bill of health. 


Sources:

  • Have I Been Pwned
  • CISA