Dark Web ID Data Integrity

What is the Dark Web?

The Dark Web is a hidden universe within the Deep Web. It is defined as a sublayer of the Internet that is hidden from conventional search engines. Search engines like Google, Bing, and Yahoo only search 0.04% of the indexed or surface Internet. The other 99.96% of the Web consists of databases, private academic and government networks, and the Dark Web. The Dark Web is estimated at 550 times larger than the surface Web and growing. Because users can operate anonymously there, the Dark Web holds a wealth of stolen data and illegal activity.

How does Dark Web ID help protect my organization?

Our service is designed to help both public and private sector organizations detect and mitigate cyber threats that leverage stolen email addresses and passwords. Dark Web ID leverages a combination of human and artificial intelligence that scours botnets, criminal chat rooms, blogs, websites and bulletin boards, peer-to-peer networks, forums, private networks, and other black-market sites 24/7, 365 days a year to identify stolen credentials and other personally identifiable information (PII).

How are stolen or exposed credentials found by Dark Web ID?

Dark Web ID focuses on cyber threats specific to our clients’ environments. We monitor the Dark Web and the criminal hacker underground for exposure of our clients’ credentials to malicious individuals.
We accomplish this by looking specifically for our clients’ top-level email domains. When a credential is identified, we collect it. While we collect data from typical hacker sites like Pastebin, a lot of our data originates from sites that require credibility or a membership within the hacker community to enter. To that end, we monitor over 500 distinct Internet Relay Chat (IRC) channels, 600,000 private websites, and 600 Twitter feeds, and execute 10,000 refined queries daily.

Where do we find data?

Data source locations & descriptions:

• Dark Web Chatroom: compromised data discovered in a hidden IRC (Internet Relay Chat).
• Hacking Site: compromised data exposed on a hacked Website or data dump site.
• Hidden Theft Forum: compromised data published within a hacking forum or community.
• P2P File Leak: compromised data leaked from a Peer-to-Peer file sharing program or network.
• Social Media Post: compromised data posted on a social media platform.
• C2 Server/Malware: compromised data harvested through botnets or on a command and control (C2) server.

Why do I see more breaches in other products?

Dark Web ID is focused on the quality of the data, not the volume of credentials we track. We do not add any breach unless we have validated it at least twice.
• Data is scrubbed to remove compromises that contain no meaningful data. For example, a compromise that contains neither a PII value nor a password is ignored.
• After adding a domain for monitoring, please allow up to 24-48 hours for the compromise results to populate.
• For Ticketing Integration users, consider not enabling your respective Ticket Integration during the first 24-48 hours, as every compromise found during this initial scan will create a ticket.
Note: If an initial scan finds 1,000 compromises, you will receive 1,000 tickets.

Questions on Data and Reporting within Dark Web ID

Why is X recent breach not included in my compromises?

There are a couple of reasons a specific breach may not be included in Dark Web ID.
Like all dark web monitoring solutions, Dark Web ID utilizes a combination of sources, both internal and external, for our compromise data. As such, we are only able to provide what we can and do find. The dark web is a vast network of forums and sites, and it is impossible for us to detect every dumped set of credential data. This is not unique to our solution. All solutions currently on the market, whether that be Dark Web ID or a competitor, inevitably miss breaches that other solutions may find.
Beyond that, another primary reason a breach may not appear in Dark Web ID is that the breach has not been posted for resale or reuse on the dark web. Often, a company that has been the target of a cyber attack or data breach will disclose it for transparency and their users’ safety. When this occurs, that breach becomes a “known data breach” (and typically information pertaining to that breach will be uploaded to our breach catalogue, https://secure.darkwebid.com/breaches). However, this does NOT automatically guarantee that the data stolen in said breach has been posted for “public” consumption. As such, we cannot collect and provide data that we do not have access to. It is not uncommon for cyber criminals to keep the stolen data for themselves and use it in future attacks and targeted phishing campaigns.

Why can I not see what forum my compromise was posted on when the source says “ID Theft Forum”?

For security and user safety purposes, Dark Web ID does not and will not share WHERE a compromise was found. Firstly, we do not want to promote users taking matters into their own hands and accessing these ID theft forums, inadvertently making themselves targets for nefarious actors who frequent those spaces. Secondly, we do not want to indirectly give access to compromised credentials that do not pertain to you or your client organizations. And lastly, resharing those forums and directing people to them would be a violation of several regulatory frameworks in regions where we actively do business.

Why am I getting duplicate compromises?

In short, you are not. There are two likely reasons you are seeing a compromise as a duplicate. The first, which is easily checkable by the end user, is that one or more PII fields have different values. Please click into the compromise and check the PII values for each “duplicate.”

The second is that another field in the database is different between the two compromises. Dark Web ID collects and consumes a very high number of fields with each compromise. To make the solution easily readable and user friendly, we have chosen to hide many of these lower priority fields.

We are continuously looking into these and identifying trends that could indicate we should display a particular field for user clarity. This is an ongoing project.
Please only open a support ticket to report this as a bug if it occurs across multiple orgs for multiple users and you have checked the PII values.

Why are my compromises’ usernames and passwords mixed up?

This issue occurs when we import compromises from combo-list type sources. Due to the nature of combo-list dumps, data is often jumbled, sometimes intentionally, to disrupt solutions like Dark Web ID and other good actors. If you see a trend of mixed-up passwords and usernames, it can typically be disregarded.
Enabling our active user filtering feature should help reduce noise and eliminate these from your feed.

Why am I getting compromises for users who have been fired or are no longer at this company?

Dark Web ID imports ALL compromises found for a domain or user email. With the exception of deduplication, we do not stop compromises from being imported, as even old compromises could pose a threat if best practices have not been fully followed.
Enabling our active user filtering feature can eliminate these from your feed and notifications.
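The behaviours described in the answers above (scrubbing compromises that carry no password or PII, apparent duplicates that differ only in hidden fields, swapped username/password pairs from combo-list sources, and active user filtering) modelled as an added Python example. This is not Dark Web ID’s own code: the field names, the set of “visible” fields, the PII field list and every sample record are constructed assumptions for illustration.

```python
"""Illustrative triage of compromise records as a monitoring portal might do it.

Added example (not Dark Web ID code). Field names, VISIBLE_FIELDS, PII_FIELDS
and SAMPLE_RECORDS are constructed assumptions.
"""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumption: these are the columns the portal shows; everything else is "hidden".
VISIBLE_FIELDS = ("email", "password", "source")
# Assumption: PII columns whose presence makes a password-less record meaningful.
PII_FIELDS = ("name", "phone", "address", "ssn")

# Constructed sample records (not real compromise data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "password": "Summer2021!", "source": "Hacking Site",
     "breach": "constructed-breach-a", "ip": "203.0.113.5"},
    {"email": "alice@example.com", "password": "Summer2021!", "source": "Hacking Site",
     "breach": "constructed-breach-a", "ip": "203.0.113.5"},   # true duplicate
    {"email": "alice@example.com", "password": "Summer2021!", "source": "Hacking Site",
     "breach": "constructed-breach-b", "ip": "198.51.100.9"},  # same visible fields, different hidden ones
    {"email": "bob@example.com", "password": "", "source": "P2P File Leak",
     "breach": "constructed-breach-c"},                        # no password, no PII -> scrubbed
    {"email": "hunter2", "password": "carol@example.com", "source": "Dark Web Chatroom",
     "breach": "constructed-combo"},                           # combo-list with swapped columns
    {"email": "dave@example.com", "password": "Welcome1", "source": "Hidden Theft Forum",
     "breach": "constructed-breach-d"},                        # dave no longer works here
]
# Constructed "active users" list for the active user filtering step.
ACTIVE_USERS = {"alice@example.com", "carol@example.com"}


def has_meaningful_data(rec):
    """Keep a record only if it carries a password or at least one PII value."""
    return bool(rec.get("password")) or any(rec.get(f) for f in PII_FIELDS)


def scrub(records):
    return [r for r in records if has_meaningful_data(r)]


def is_email(value):
    return bool(value) and EMAIL_RE.match(value) is not None


def fix_combo_swap(rec):
    """Combo-list dumps sometimes carry the pair reversed: if the email column is
    not email-shaped but the password column is, return a corrected copy."""
    if not is_email(rec.get("email", "")) and is_email(rec.get("password", "")):
        fixed = dict(rec)
        fixed["email"], fixed["password"] = rec["password"], rec["email"]
        return fixed
    return rec


def dedupe_exact(records):
    """Drop only records identical in every field, visible and hidden."""
    seen, out = set(), []
    for r in records:
        key = tuple(sorted(r.items()))
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def apparent_duplicates(records):
    """Group records that look identical on the visible fields and report which
    hidden fields differ, i.e. why the portal lists them separately."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r.get(f) for f in VISIBLE_FIELDS), []).append(r)
    result = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue
        hidden = set().union(*(m.keys() for m in members)) - set(VISIBLE_FIELDS)
        result[key] = sorted(f for f in hidden if len({m.get(f) for m in members}) > 1)
    return result


def filter_active(records, active_users):
    active = {u.lower() for u in active_users}
    return [r for r in records if r["email"].lower() in active]


def triage(records, active_users):
    """Run the full pipeline and return counts plus the surviving records."""
    scrubbed = scrub(records)
    normalised = [fix_combo_swap(r) for r in scrubbed]
    swapped = sum(1 for a, b in zip(scrubbed, normalised) if a is not b)
    unique = dedupe_exact(normalised)
    return {
        "input": len(records),
        "scrubbed": len(records) - len(scrubbed),
        "swapped": swapped,
        "unique": len(unique),
        "apparent_duplicates": apparent_duplicates(unique),
        "active": filter_active(unique, active_users),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, ACTIVE_USERS))
```

The `apparent_duplicates` output is the useful part for an operator: the two Alice records survive exact deduplication because `breach` and `ip` differ, which is exactly the “another field in the database is different” case the FAQ describes. The combo-list heuristic is deliberately conservative and only swaps when one column is clearly email-shaped and the other clearly is not.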

Why is there a discrepancy between Live Data Search and the full Compromise monitoring?

Simply put, Live Data Search, or LDS, provides a sample of the most recent compromises for a domain or user email. It is designed primarily as a tool for our MSP partners to demonstrate value and risk to their clients and open up the conversation about security. Accordingly, LDS will very often have a lower compromise count than the full monitoring. Additionally, it’s important to keep in mind that LDS is a static snapshot while monitoring is a 24/7 continual process.

Why have I not received my monthly / quarterly report yet?

Dark Web ID can take up to 4 days to complete report generation. On rare occasions, we may experience a larger than normal month of compromises and as a result take some time to deliver all reports. We receive internal notification of reports that fail to generate, so please allow a couple of days after the 4-day window before opening a ticket. If you have still not received your report in the portal a week after the start of the month, then please contact support.

Why do I need to create an SMB user for them to access the monthly/quarterly report?

We require authenticated login for automated report delivery and access for two reasons.

  • Firstly, this is a security issue. We do not want these reports accidentally being delivered to the wrong hands, particularly because they typically contain full-text passwords. Having an authenticated user helps protect us all.
  • Secondly, by delivering the report via secure link, we are able to ensure deliverability. At present, we have no way of ensuring delivery if the generated PDF is too large and fails to send. Thus, if we sent a PDF and it did not reach its intended target, we would not receive a notification letting us know and the user would not get their report.

What does X term mean?
