FAQ

Have you received a Dark Web alert?

If you have received an email from us saying that an email address or password has been found on the Dark Web, it is completely natural to feel concerned. However, in many cases, a Dark Web alert does not mean that your company has currently been hacked, or that there is necessarily an active email account with the address mentioned.

Your security matters — let us support you!

The alert means that our monitoring has found information linked to your domain in a data breach, a combination list, a forum, a data dump, or a similar source. This may be recent information, but it may also be old data, previously used addresses, or information collected from several different breaches over time. Dark Web ID categorizes findings, for example, as a Combolist, where email/password combinations may have been collected from websites, forums, or previously compromised datasets, and where the source cannot always be linked to one specific data breach.

A Dark Web alert typically means that:

What should you do now?

If the password is shown in the alert, make sure to change it everywhere it is being used.

In that case, there is usually no need for action. You are welcome to keep the alert for documentation, but it is typically not a sign of a current issue.

Change the password immediately, including on any other services where the same password may have been used.

Contact ITGuy, and we will help assess the finding.

FAQ: Dark Web alerts from ITGuy Guy

What does it mean that my email address has been found on the Dark Web?

It means that our monitoring has detected an email address, IP address, or other information that can be linked to your domain in data that has previously been leaked, shared, or sold online.

This could be information from:

  • a data breach at an external service
  • a combination list containing email addresses and passwords
  • a forum or data dump
  • old databases with previously compromised information
  • automated lists where addresses have been collected or generated

It does not necessarily mean that your current email account or Microsoft 365 environment has been compromised.

Does it mean that we have been hacked?

Not necessarily.

A Dark Web finding means that information related to your domain has been found somewhere where compromised data is shared, collected, or sold. It may come from a completely different service that an employee previously used with their work email address.

For example:

An employee may have used their work email to create an account on an external website. If that website is later affected by a data breach, the email address -and possibly a password – may appear in a leaked database, even though your Microsoft 365 account has not been compromised.

Why do we receive an alert for an email address that does not exist?

This happens quite often.

Our Dark Web monitoring sends an alert if an email address using your domain appears in leaked data, combolists, or similar sources. This does not necessarily mean that there is an active mailbox in your company with that address.

It may be:

  • a former employee’s email address
  • an old alias
  • an address that existed in a previous mail system
  • an address used for testing or sign-ups
  • an address that has been guessed or generated automatically
  • an address that has never been active but still appears on a list

If the email address does not exist in your Microsoft 365 environment, and there are no signs of misuse, there is usually no need for further action.

What if the employee no longer works with us?

If the user has been properly removed and the account is no longer active, this is normally not an urgent issue.

However, we still recommend checking whether:

  • the address still exists as an alias
  • emails are being forwarded from the address
  • the user still has access to external systems
  • the password has been used elsewhere

If the account has been closed, the license removed, and access has been disabled, the risk is usually limited.

What if the user never existed?

Then the finding is most likely related to an address that was generated, collected, guessed, or added to a list without ever being a real active account.

This can happen because lists of compromised data often contain mixed information. Some data is real, while other data may be old, duplicated, misspelled, automatically generated, or linked to previous systems.

If the address does not exist in your environment, and we cannot see any signs of activity in Microsoft 365, everything is generally fine.

What is a “combination list” or “combolist”?

A combination list — often called a combolist — is a list of usernames/email addresses and passwords that has typically been compiled from several different data breaches, forums, paste sites, or previously compromised datasets.

This means the list does not necessarily come from one specific attack against your company.

In many cases, combolists contain reused credentials from older exposures or other leaked datasets.

Why does the alert say “Leak source: Not disclosed”?

Sometimes the source of a finding cannot be disclosed or identified.

This may be because:

  • the original source is not known
  • the data has been collected from several different breaches
  • the leak cannot be publicly linked to one specific service
  • the affected organization has not publicly confirmed the incident
  • there is not enough metadata to determine the source

In other words, “Not disclosed” does not automatically mean that the finding is more serious. It often simply means that the original source cannot be confirmed.

What do the dates in the alert mean?

The alert may include two different dates:

“Found on the Dark Web”

This is the date when the information appears to have been found or registered in a leaked source.

“Added to the DWID platform”

This is the date when the finding was added to the monitoring platform and became visible to us.

This means that a finding can be old, even if the alert has only just been sent.

What should I do if the password is still being used?

If the password mentioned in the alert is still being used anywhere, it should be changed immediately.

This applies to:

  • Microsoft 365
  • private services
  • social media
  • webshops
  • industry portals
  • internal systems
  • any other accounts where the same password may have been used

Never use the same password across multiple services.

We also recommend enabling multi-factor authentication wherever possible.

What if the password is old and no longer used?

If the password is no longer used anywhere, there is usually no need for urgent action.

However, we still recommend that you:

  • keep an eye out for suspicious login attempts
  • stay alert to phishing emails
  • avoid reusing old passwords
  • use strong and unique passwords
  • enable multi-factor authentication on important accounts

Old passwords can still be useful to attackers if they try to guess password patterns or attempt access to other services.

Do we need to reply to the Dark Web alert?

You do not necessarily need to reply if:

  • the email address mentioned does not exist
  • the account has been closed
  • the password is no longer used
  • you do not see any signs of suspicious activity

If you are unsure, you are always welcome to contact us.

It is especially relevant to contact us if:

  • the address is still active
  • the password is still being used
  • you see suspicious login attempts
  • the user receives unusual emails
  • there are signs of forwarding rules or account changes
  • you are not sure whether the account still exists
Can ITGuy check whether the account exists in Microsoft 365?

Yes.

If you contact us, we can help check whether the email address exists in your Microsoft 365 environment and whether there are any signs of suspicious activity.

We can check, for example:

  • whether the account exists
  • whether it is active or disabled
  • whether any aliases exist
  • whether there have been unusual login attempts
  • whether there are suspicious forwarding rules
  • whether multi-factor authentication is enabled
  • whether the user has permissions that should be reviewed
Why does ITGuy send these alerts?

We send these alerts to help you react quickly if information related to your domain appears in leaked datasets.

The purpose is not to cause unnecessary worry, but to give you the opportunity to take action if the information is still relevant.

In many cases, everything is fine  especially if the address is old, the account has been closed, or the password is no longer used. But if the information is still active, a quick response can make a big difference.

What can we do to reduce the risk in the future?

As a minimum, we recommend that you:

  • use unique passwords for all services
  • use a password manager
  • enable multi-factor authentication
  • remove old users and aliases
  • review access permissions regularly
  • stay alert to phishing emails
  • avoid using work email addresses for private or irrelevant services
  • contact ITGuy if you are unsure about a finding

Cybersecurity is rarely about one single solution. It is about reducing risk over time and responding quickly when something needs attention.

Contact us

We are always happy to hear from you. All questions are welcome.