Incognito — September 2024: Dark Web Monitoring

Welcome to the September 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Dark web monitoring. Is it worth looking for your data on the dark web? 
• Recommended reads, including “Dating Apps Let Stalkers Pinpoint User Locations Down to 2 Meters.
• Q&A: Can I report “dark patterns”? 

A breach at the background check company National Public Data (NPD) exposed billions of data records and left millions of people scrambling to find out if their data had been leaked on the dark web. 

The answer? Your data was (probably) already on the dark web before the NPD breach. 

Here’s what you need to know about the NPD breach, the dark web, and dark web monitoring. 

National Public Data Breach: A Quick Recap

National Public Data (NPD) said: “There appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. “

What is the “leak” NPD is talking about? A cybercriminal tried to sell stolen data from NPD comprising 2.9 billion rows of records on the dark web. Partial copies of the data were leaked soon after; then, in August, another criminal posted most of the data for anyone to download for free. 

What information are we talking about? Names, email addresses, phone numbers, social security numbers, and mailing address(es). 

Who’s affected? Researchers at Atlas Data Privacy Corp. analyzed 5,000 addresses and phone numbers and discovered the records primarily relate to individuals born before January 1, 2002 (with some exceptions). They said the average age of the consumer in the leaked records is about 70, and about two million records belong to people who would be 120+ years old today. 

How bad is it? Even if you were affected (quite likely), Troy Hunt, founder of the HaveIBeenPwned website, says: “I wouldn’t lose sleep over it because I don’t think this is particularly different to what’s been happening for many years.” Also, according to Hunt, a lot of the information relating to him at least was incorrect.

How to check if you were impacted: There are a few online tools you can use, including npd.pentester.com (as reviewed briefly by ZDNet) and HaveIBeenPwned.com. 

What’s the Dark Web?

A section of the internet that is not indexed by traditional search engines like Google. 

Unlike the surface web, which includes websites easily accessible through standard browsers, visiting dark web websites requires special software, such as Tor (The Onion Router). 

Though the dark web can be used for legitimate reasons (for example, individuals living under oppressive regimes or whistleblowers who want to maintain privacy), it is the part of the internet most often associated with illegal activities, including drug trafficking, cybercrime services, and, of course, the sale of stolen data. 

What’s Dark Web Monitoring?

If your information is somewhere on the dark web, you’d probably want to know about it. 

That’s what dark web monitoring services do—they scan for your information on the dark web and send you an alert if they find your data.

Sounds great in theory, but there are a few problems: 

• The dark web is vast and constantly changing. New marketplaces, forums, and platforms emerge regularly, many of which are highly secretive and difficult to monitor. 
• Many dark web transactions happen through encrypted channels, private chats, or invitation-only groups that are nearly impossible to infiltrate. Much of the stolen data is also behind a paywall. 
• There is a delay between when your information is stolen and when it shows up on the dark web. By the time it’s detected and you receive an alert, the data might have already been sold or misused.

One of the biggest cons of dark web monitoring is that it is reactive, not proactive. In other words, it does not prevent your data from being stolen in the first place.

Also: Dark web monitoring can’t remove your information from the dark web, nor can it prevent the leaked data from being used. It just tells you your information is on the dark web—that’s it. 

So Is Dark Web Monitoring A Good Investment?

Depends on the cost. 

You don’t need to be subscribed to a dark web monitoring service to know that your data is on the dark web. It more than likely already is. 

At the same time, not everyone might realize this, so dark web monitoring services can help spread awareness and provide a list of steps to make yourself more secure. 

Many services offer dark web monitoring for free (and then do their best to upsell you, of course). Google also recently started offering dark web scans (for free). 

Security Best Practices > Dark Web Monitoring

If you’ve been on the internet for a while, it’s 99.9% likely that some of your data has been breached and leaked onto the dark web. 

The best thing you can do now is make it as difficult as possible for someone to misuse it.

This means:

• Using unique passwords for every online account–or at least, every important account.
• Setting up two-factor authentication where possible.
• Regularly checking your bank account statements and credit reports for anything unusual. 
• Freezing your credit file. As Brian Krebs says, “Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information. The main reason I recommend the freeze is that all of the information ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people. […] Meaning, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.”

Readers Tips

Once in a while, we’ll also share tips from our readers. 

Last month, one of our readers, Linda Formichelli, shared an amazing resource she put together: DISENGAGE: Opting Out—and Finding New Options—to Reclaim the Internet from Spammers, Scammers, Intrusive Marketers and Big Tech.

She says, “The guide is about reclaiming our attention, our content, our homes, our dollars, our data, and our permission from those who would abuse them. It’s free to download in PDF or EPUB versions, and the entire text is also on that web page for those who want to read it online. There are also downloadable worksheets to help readers on their own journey of disengaging. I don’t ask for personal information or track downloads.”

Check it out. It’s truly one of the best and most thorough privacy resources I have ever seen. 

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Illinois Governor Signs Business-Friendly BIPA Amendment Into Law

Illinois Governor J.B. Pritzker signed a bill amending the state’s Biometric Information Privacy Act (BIPA). Under the new law, companies can now be held liable for only a single violation per person rather than multiple violations for each alleged misuse of biometric data. It’s unclear whether the amendment will apply retroactively. 

Dating Apps Let Stalkers Pinpoint User Locations Down to 2 Meters

Vulnerabilities in dating apps like Bumble, Hinge, and Grindr let attackers pinpoint users’ locations within 2 meters by exploiting precise location data used for filtering features. While most apps have since implemented fixes, concerns remain, particularly in low-density areas where even a 111-meter margin can still pose risks. 

Google to Remove uBlock Origin Extension 

If you use uBlock Origin on Chrome, consider switching browsers or finding an alternative. Chrome’s upcoming update will disable the ad blocker used by 30 million people. A simplified version called uBlock Origin Lite was released, but it requires users to manually allow or block permissions per site. The original still works on Firefox and other browsers.

Texas AG Sues GM for Allegedly Selling Drivers’ Data Without Consent

The Texas Attorney General sued General Motors for allegedly collecting and selling drivers’ data without consent. The lawsuit seeks up to $10,000 per offense, impacting 1.8 million Texas customers, and demands deletion of the data. It targets GM vehicles sold since 2015 that required activating data-collecting features for safety systems.

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Is there a way to report “dark patterns” behaviors that impact privacy (e.g., make disabling cookies hard)? 

A: Yes! 

If it’s just a dark pattern that really annoys you but you don’t think it breaks the law, you can report it to the Dark Patterns Tip Line (run by Consumer Reports) here: https://darkpatternstipline.org/report/.

To raise awareness of the dark pattern generally, post a screenshot of it on the Dark Patterns subreddit: https://www.reddit.com/r/darkpatterns/ 

You can also complain to the FTC here: https://reportfraud.ftc.gov/assistant (dark patterns would fall under “Something else”). Mention the company, the specific dark practice you encountered, and how it affected your experience. It’s helpful to include screenshots or URLs. 

While the FTC may not respond to each individual complaint, the data collected helps inform investigations, enforcement actions, and public policy.

You could also file a complaint with your state’s attorney general’s office. 

Q: How did a company I visited but didn’t buy from send me an email even though I didn’t share it with them?

A: Great question.

More than likely, the website matched your browsing activity (tracked through cookies) to a profile in a database that already has your email from other sites or services. This process is done invisibly through data-sharing networks and tracking technology.

Q: Is there a way to keep on top of privacy class action lawsuits?

A: Besides following news outlets and legal and privacy advocacy groups like the Electronic Frontier Foundation (EFF), the following two sites are helpful:

• https://www.classaction.org/list-of-lawsuits 
• https://topclassactions.com/ 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.