Google to offer dark web monitoring for free. But your data is possibly already there — and vulnerable

Your personal data, whether it's passwords, credit card numbers and other online account information, is quite possibly available on the dark web, just waiting to be exploited — if it hasn't been already. 

You likely wouldn't even realize it until it's too late and one of your email or social media accounts is compromised or your credit card is scammed.

In an effort to help its users, Google, one of the world's largest tech companies, will begin offering all users its dark web monitoring reports free of charge later this month.

It's a service that was primarily available to paid subscribers of Google One, its enhanced security and storage service, and on a limited basis to users of its email platform, Gmail. It will be available in at least 46 countries and territories, including Canada, where it's already offered to Google One and Gmail users.

Cybersecurity experts applaud it as a step toward helping people safeguard themselves online, although they warn there's a lot more that individual users and tech companies need to do in order to protect personal information. 

The dark web is a haven for people looking to exploit your personal information. Terry Cutler, an ethical hacker, explains what the dark web is and just how little cybercriminals might pay for your hacked data.

The threats to privacy and misuse of personal information are only growing more widespread, said Ann Cavoukian, Ontario's former privacy commissioner. 

But she said Google offering free dark web monitoring will offer a "huge advantage" to individual users to help prevent their data from being stolen or abused.

"Once it's in the wrong hands, it can come back to haunt you," she said. "It can be used in ways that you can't even imagine."

Here's what you need to know about dark web monitoring and just how vulnerable most of us are to privacy breaches. 

What is the dark web? 

The dark web is a term you have undoubtedly heard in the news whenever a major company or website is hacked. 

It's the "criminal underbelly of the internet," said Terry Cutler, an ethical hacker — someone whom companies hire to break into their systems and find security flaws and weaknesses. 

He said that while the dark web is not easily accessible to everyone — it requires the use of special software known as a Tor browser that, ironically, protects your internet privacy — it's where cybercriminals can buy and sell troves of stolen data (along with guns, drugs and plenty of other illicit materials). 

How often does stolen data show up on the dark web?

Cutler said that hackers can be working inside servers unnoticed for weeks — even months — slowly siphoning millions of email addresses, passwords and other data before a company becomes aware and alerts its customers. 

There have been several major cybersecurity incidents this year in which stolen personal information has ended up on the dark web.

Ticketmaster is encouraging customers to take action after another security breach compromised personal information. The company says people who bought tickets between April 2 and May 18 are likely impacted.

Ticketmaster notified Canadian customers this week that their personal and credit card information may have been stolen in a major breach and offered one year of credit monitoring services. A hacker group had previously claimed to have stolen and leaked information from more than 500 million Ticketmaster accounts worldwide.

Retailer London Drugs shut down its 79 stores across western Canada in the spring after it fell victim to a ransomware attack. Hackers stole electronic files from the company's corporate offices and released some employee data on the dark web in a bid to force the company to pay a $25-million ransom. 

Earlier this month, cybersecurity researchers with the website Cybernews uncovered what is believed to be the largest single compilation of leaked passwords — nearly 10 billion unique passwords from a series of new and old breaches. 

Roger Gale, industrial network cybersecurity program head at BCIT, discusses the implications of the London Drugs ransomware attack that the company says may have compromised some employee information. The retail chain closed its 79 stores for a week due to the attack.

Most people, Cutler said, either have weak passwords and/or use the same password for multiple accounts, meaning hackers and cybercriminals have little trouble trying to figure out how to get into accounts on other platforms — and possibly access even more sensitive information like a social insurance number or other identification that can be used to set up fraudulent credit cards or access bank accounts.  

How does dark web monitoring work? 

Cutler's company, Cyology Labs, provides dark web monitoring. During an interview with CBC News, he demonstrated how it works using the email suffix @cbc.ca.

Within moments, a scan of leaked password databases on the dark web turned up more than 1,000 exposed passwords linked to current and former CBC employee email addresses. The passwords were not fully visible to CBC News. 

"It doesn't mean CBC got hacked. It means that a database somehow where you used cbc.ca as an email was breached," he said.

As for Google's dark web monitoring, it will allow Google account users to check if their personal Gmail address, name, mailing address, phone number or username show up in a data breach that has appeared on the dark web. 

CBC News tested Google's dark web monitor using a personal Gmail account. The scan found that the email address turned up in 11 breaches between 2016 and 2023, two of which contained passwords for other accounts associated with that email. 

Once Google's dark monitoring reports are widely available, account users can set up alerts to be notified, via email or pop-up message, when their private information has been exposed and be directed to recommendations to improve security, such as changing passwords and setting up two-step verification. 

What more can be done? 

Generally, Cutler said, the average person doesn't think they're important enough to have their information stolen. But that's exactly who hackers are preying upon, he said, and why they should be taking proper precautions with their online accounts, like creating difficult passwords that they regularly change. 

Cavoukian, however, said it's up to companies — be it a tech company, a major retailer or your employer — to take greater responsibility for the personal data they are meant to protect.  

"I think to expect the average user to know what happens to their personal information once they're online, that's asking too much. It's very intricate," she said. 

Once your data is in the wrong hands, it can come back to haunt you, says former Ontario privacy commissioner Ann Cavoukian. She explains why companies need to do more to protect users' personal information — and why privacy isn't something we should give up on.

She hopes other major companies will follow Google's example and offer services such as free dark web monitoring to their users and customers.

People who have already had their personal information exposed, she said, should contact the company that was hacked — some will offer support services free of charge for a period of time — but also consider filing complaints with a provincial or federal privacy commissioner. 

Cavoukian said it's paramount to attract as much attention as possible to potential fraud and unauthorized use of our personal information.

 "We don't want to give up on privacy," she said.