What Is Dark Web Monitoring?
Dark web monitoring is a service that continuously scans dark web forums, criminal marketplaces, data breach repositories, and paste sites for your organization's email addresses, passwords, and other sensitive data. When your credentials or data appear, you're alerted immediately — giving you the opportunity to reset compromised passwords before attackers use them to access your systems. For Canadian businesses, dark web monitoring is a critical early-warning layer against credential-based attacks like ransomware and business email compromise.
What is the dark web?
The dark web is a part of the internet accessible only through specialized browsers (Tor) that anonymize users. It hosts:
- Criminal marketplaces — selling stolen credentials, credit card data, corporate VPN access, and malware-as-a-service
- Data breach repositories — databases of username/password combinations from major breaches (LinkedIn, Adobe, etc.) sold in bulk
- Hacker forums — where attackers share tools, techniques, and discuss targets
- Ransomware leak sites — where ransomware groups publish stolen data from victims who don't pay
What data appears on the dark web after a breach?
After a data breach at any website or service your employees use, the following may appear for sale or free on the dark web:
- Email addresses and plaintext or hashed passwords
- Names, phone numbers, and addresses
- Corporate email domains matched with cracked passwords (most dangerous for business)
- Active session tokens and cookies (allowing attackers to impersonate users without needing a password)
- Corporate VPN credentials purchased from initial access brokers
Personal dark web check vs. business dark web monitoring
- Personal check: haveibeenpwned.com (free) checks if your email has appeared in known data breaches; useful for employees to check personal accounts
- Business dark web monitoring: continuous scanning services (SpyCloud, Constella Intelligence, built-in to Microsoft 365 Defender) that monitor your entire email domain 24/7, including new breaches as they're discovered, and alert your IT team when credentials are found
What to do when credentials appear on the dark web
- Immediate password reset — change the compromised password on all accounts where that password was used (password reuse makes this especially important)
- Check for active compromise — review Azure AD sign-in logs for suspicious access using the compromised credential; look for unusual locations, times, and devices
- Enable MFA if not already active — compromised credentials are useless against MFA
- Check for email forwarding rules — attackers often add email forwarding rules after compromising an account to maintain access; audit all mailbox rules
- Notify affected individuals — if the breach involved customer or employee personal information, PIPEDA breach notification obligations may apply
Dark web monitoring and Canadian businesses
Outsource IT Canada includes dark web monitoring for all client email domains as part of managed security services. When credentials for your domain appear in dark web databases, we alert your team within hours — before attackers can use them. This is included in our cybersecurity service at no additional cost.
Related glossary terms
- Ransomware
- MFA — Multi-Factor Authentication
- EDR — Endpoint Detection and Response
- MDR — Managed Detection and Response
- PIPEDA — Federal privacy law
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677
Ready to transform your IT? Call (416) 623-9677 for a free assessment.