How Dark Web Monitoring Works and Why Small Businesses Should Care
What Is the Dark Web?
The internet has layers. The surface web is everything accessible through a normal browser — websites, news, social media. Below that is the deep web — databases, private intranets, email servers, and systems that are not indexed by search engines. Deeper still is the dark web: a part of the internet accessible only through specialised software, primarily used for anonymous communication.
The dark web has legitimate uses, but it is also where stolen data is bought and sold. When a company suffers a data breach and millions of usernames and passwords are stolen, those credentials typically end up on dark web marketplaces — sometimes within hours of the breach.
What Dark Web Monitoring Does
Dark web monitoring services continuously scan dark web marketplaces, forums, and criminal databases for credentials associated with your business domain. If an email address and password matching your domain (@yourbusiness.com.au) appears in a dark web dataset, the monitoring service alerts you.
This tells you that a credential — probably from a data breach at some other service where a staff member used their work email — is now in the hands of criminals. Without monitoring, you would not know this until the credential was used to access your accounts.
Why This Matters for Small Businesses
Credential stuffing is one of the most common account takeover methods. Criminals take lists of stolen username/password combinations and try them against common services — Microsoft 365, Google Workspace, Xero, banking portals. If a staff member used the same password for a gaming account, a shopping site, and their business email, and the gaming account was breached, their business email is now exposed.
Small businesses with no dark web monitoring have no visibility into this. They do not know their credentials have been stolen until an account is compromised.
What to Do When a Credential Is Found
Finding a credential in dark web monitoring is not a crisis — it is an early warning that allows you to act before an attacker does. The response is:
1. Reset the password for the affected account immediately
2. Verify the account has not already been accessed (check login history)
3. Ensure MFA is enabled on the account
4. Check whether the password was reused on other accounts and reset those too
Most credential findings can be addressed in under an hour when caught early. Account takeovers that go undetected can take days to clean up.
Is Dark Web Monitoring Enough on Its Own?
No. Dark web monitoring is one layer of a defence-in-depth security approach. It is most valuable when combined with:
- MFA on all accounts (makes stolen credentials alone insufficient for access)
- A password manager (prevents password reuse across services)
- Security awareness training (reduces the risk of credentials being stolen through phishing in the first place)
What Dark Web Monitoring Actually Detects
The term "dark web monitoring" sounds dramatic, but the practical function is straightforward: automated scanning of dark web marketplaces, paste sites, and criminal forums where stolen credentials and data are bought, sold, and shared.
When a credential database is breached — a website, an app, a service — the stolen usernames and passwords are typically sold or shared on these platforms within days or weeks of the breach. Dark web monitoring tools continuously scan these sources for credentials associated with your business domain. When a match is found, an alert is generated: "This email address and this password hash appeared in a breach associated with [platform name]."
What it does:
- Detect that credentials from your domain have been exposed in a breach
- Alert you to specific accounts that need password changes
- Provide context on what type of data was exposed and from which breach
What it does not do:
- Prevent the breach from occurring
- Remove the credentials from the dark web (once exposed, they stay exposed)
- Guarantee detection of every breach (some data does not appear on monitored sources)
- Detect breaches that happened at services where your staff used personal email addresses for business
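As an added illustration (not the page's or any monitoring vendor's code) of how a match against your domain is decided, this Python matcher runs over a constructed breach dump; the domain, records and field names are assumed sample values. It also shows why personal addresses never trigger an alert and why look-alike domains must not match.

```python
# Added example: deciding a dark web monitoring "hit". A constructed breach dump
# is matched against the business domain by exact, case-insensitive comparison
# of the address's domain part, then grouped per account so one staff member
# seen in several breaches produces one alert with the context of each breach.
from collections import defaultdict

BUSINESS_DOMAIN = "yourbusiness.com.au"   # assumed, as used in the article

# Constructed sample records: (email as seen in the dump, breach name, what was exposed)
SAMPLE_BREACH_RECORDS = [
    ("Alice@YourBusiness.com.au", "gaming-forum-2023", "plaintext password"),
    ("alice@yourbusiness.com.au", "shop-site-2024", "bcrypt hash"),
    ("bob@yourbusiness.com.au.evil.example", "lookalike-2024", "plaintext password"),
    ("carol@notyourbusiness.com.au", "other-2024", "plaintext password"),
    ("dave@gmail.example", "gaming-forum-2023", "plaintext password"),  # personal address: never matches
    ("not-an-email", "junk", "unknown"),
]

def domain_of(email):
    """Return the lowercased domain part, or None if the value is not an address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()

def monitoring_alerts(records, business_domain=BUSINESS_DOMAIN):
    """Group matching records by account. Exact domain comparison (not substring
    search) rejects look-alike and superstring domains; personal addresses used
    for business are invisible to this check, as the list above notes."""
    hits = defaultdict(list)
    for email, breach, exposed in records:
        if domain_of(email) == business_domain.lower():
            hits[email.strip().lower()].append({"breach": breach, "exposed": exposed})
    return dict(hits)

if __name__ == "__main__":
    for account, findings in monitoring_alerts(SAMPLE_BREACH_RECORDS).items():
        print(account, "->", ", ".join(f["breach"] + " (" + f["exposed"] + ")" for f in findings))
```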
Why Business Domain Credentials Are Particularly Valuable
Your business domain — yourcompany.com.au — is a higher-value target than personal credentials for several reasons.
Attackers know business credentials access business systems. A credential for someone@yourcompany.com.au is likely linked to Microsoft 365, accounting software, banking, and other business-critical systems. Personal email credentials access far less valuable targets.
Business email provides social engineering opportunities. An attacker with access to a business email account can read correspondence, understand relationships, and craft highly credible phishing or fraud attempts using real context.
Credentials are combined across breaches. Attackers use "credential stuffing" — combining email addresses from one breach with passwords from another, or trying previously exposed passwords across multiple services. Staff who reuse passwords across personal and business accounts amplify the risk from any single breach.
What to Do When an Alert Fires
When dark web monitoring identifies an exposed credential, the response process should be immediate and systematic:
Step 1: Force a password change on the affected account. The exposed password is no longer safe to use anywhere.
Step 2: Check for signs of compromise. In Microsoft 365, review the sign-in log for the affected account (Admin Centre > Users > [user] > Sign-in logs). Look for logins from unfamiliar locations or at unusual times.
Step 3: Check for inbox rules. Attackers who gain access to business email often create forwarding rules that silently copy all incoming email to an attacker-controlled address. Check mail flow rules and inbox rules for the affected account.
Step 4: Confirm MFA is enabled. A compromised password with MFA in place cannot be exploited to log in. Confirm MFA status for the affected account — and for all accounts, since this is a good reminder to audit the whole estate.
Step 5: Check other accounts for password reuse. If the staff member used the same password on other business systems, those passwords need to change too.
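The checks behind Steps 2 and 3 (and the numbered response list earlier on this page), as added example code that is not the page's or Microsoft's own tooling: it runs over constructed sign-in events and inbox rules shaped like an Entra ID / Exchange Online export. The business domain, expected countries and business hours are assumed values to adjust per tenant.

```python
# Added example: triage of sign-in history and inbox rules for one mailbox after
# a monitoring alert. Sample events and rules are constructed; thresholds are assumed.
from datetime import datetime

BUSINESS_DOMAIN = "yourbusiness.com.au"   # assumed
EXPECTED_COUNTRIES = {"AU"}               # assumed: where staff normally sign in from
BUSINESS_HOURS = range(7, 20)             # assumed: 07:00-19:59 local time

# Constructed sample sign-in events (errorCode 0 = successful sign-in)
SAMPLE_SIGNINS = [
    {"user": "alice@yourbusiness.com.au", "time": "2024-05-06T09:12:00", "ip": "203.0.113.10", "country": "AU", "errorCode": 0},
    {"user": "alice@yourbusiness.com.au", "time": "2024-05-06T03:41:00", "ip": "198.51.100.7", "country": "NL", "errorCode": 0},
    {"user": "alice@yourbusiness.com.au", "time": "2024-05-06T03:45:00", "ip": "198.51.100.7", "country": "NL", "errorCode": 50126},
]

# Constructed sample inbox rules for the same mailbox
SAMPLE_RULES = [
    {"name": "Invoices to folder", "forwardTo": [], "redirectTo": [], "deleteMessage": False, "enabled": True},
    {"name": ".", "forwardTo": ["collector@attacker.example"], "redirectTo": [], "deleteMessage": True, "enabled": True},
]

def suspicious_signins(events, countries=EXPECTED_COUNTRIES, hours=BUSINESS_HOURS):
    """Flag successful sign-ins from unexpected countries or outside business hours."""
    flagged = []
    for e in events:
        if e["errorCode"] != 0:
            continue  # failed attempts are not evidence of access for this check
        reasons = []
        if e["country"] not in countries:
            reasons.append("unfamiliar location " + e["country"])
        if datetime.fromisoformat(e["time"]).hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((e["time"], e["ip"], reasons))
    return flagged

def suspicious_rules(rules, business_domain=BUSINESS_DOMAIN):
    """Flag enabled rules that forward/redirect outside the business domain or delete mail."""
    flagged = []
    for r in rules:
        if not r["enabled"]:
            continue
        targets = r["forwardTo"] + r["redirectTo"]
        external = [t for t in targets if not t.lower().endswith("@" + business_domain)]
        if external or r["deleteMessage"]:
            flagged.append((r["name"], external, r["deleteMessage"]))
    return flagged
```

A one-character rule name with an external forward and delete action, as in the sample, is the pattern Step 3 warns about.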
The Broader Response: Moving Beyond Reactive
Dark web monitoring is a detection tool, not a prevention tool. The strategic response to exposure is to reduce the impact of future credential breaches:
Password manager adoption. When every account has a unique, randomly generated password, a breach of one service does not expose credentials for any other. Password managers (Bitwarden, 1Password, Keeper) make this practical for staff.
MFA on all accounts. Even if a password is exposed, MFA prevents login without the second factor.
Regular dark web monitoring as ongoing practice. Not a one-time exercise — continuous monitoring means you are alerted when new data appears rather than discovering breaches months or years later.
Netluma IT includes dark web monitoring in managed IT services for SE Queensland businesses. Call 1300 521 162 to discuss your current credential exposure.
Worried About Your Business Security?
Get 24/7 threat detection and response, managed endpoint security, business backup and recovery, and dark web monitoring in Netluma Business Shield — $89 per device per month, ex GST. One flat-price module that bolts onto any managed IT plan.