Your Email Is Likely on the Dark Web. Here's What to Do.

Your email address is probably on the dark web

If a service has alerted you that your email was found on the dark web, you’re not alone. This is a common consequence of the frequent data breaches that hit companies and third-party services.

The dark web is a private, anonymous subsection of the internet that requires specific software like the Tor Browser to access. While it hosts legitimate activities like journalism in censored countries, its privacy also makes it a hub for selling stolen data.

How your email got there

Your email address likely landed on the dark web because a company you shared it with was hacked. Data breaches are a constant threat, and attackers often sell the stolen information anonymously on these hidden marketplaces.

It’s almost impossible to guarantee any service you use won’t be breached eventually. The exposure is usually the result of a hack on a company’s systems or a vendor it shares data with.

What hackers can do with it

A hacker who purchases your email will typically try a few tactics. Their first move is often to attempt logging into your other accounts using that address, especially if associated passwords were also leaked in the breach.

If direct login fails, they will likely target you with phishing emails. These can be sophisticated scams pretending to be security alerts, password change requests, or fake warnings about login attempts.

Hackers may also try to impersonate you. They might create a similar-looking email address to contact your friends, family, or colleagues to trick them.

• Attempt credential-stuffing attacks on your accounts.
• Deploy targeted phishing campaigns to your inbox.
• Impersonate you to scam your contacts.

Immediate steps to take

Do not panic. Email exposure is widespread and manageable. Your first action should be to change your passwords, starting with your email account itself.

If you know which service was breached, change that password immediately. Crucially, you must use a strong and unique password for every account to prevent a single breach from compromising multiple services.

Next, enable two-factor authentication (2FA) on every account that offers it. This adds a critical layer of security by requiring access to a physical device, like your phone, to log in.

You should also consider using passkeys where available. Passkeys replace passwords with biometrics or a PIN, offering the security of 2FA without a password to steal.

Can you remove it?

You cannot reliably remove your email from the dark web. The space is vast and unregulated; once data is there, it’s effectively out in the wild.

Some data removal services may request takedowns, but hosts are not obligated to comply. If the exposure deeply concerns you, your most effective option is to create a new primary email address.

How to prevent future exposure

The best defense is to stop giving out your real email address. Use an email alias service, which creates unique forwarding addresses for every sign-up.

Services like Apple’s Hide My Email or Proton Mail’s aliases let you generate a new alias each time. If that alias is exposed in a breach, you can simply disable it without affecting your main inbox.

Consider using a data monitoring service to get alerts if your information appears online. While they can’t scrub the dark web, they can notify you so you can retire compromised aliases.