What is the dark web, exactly?
The dark web is a part of the internet that isn't indexed by search engines and can only be accessed using specialist software. It's a legitimate technology — used by journalists, activists, and privacy-conscious individuals — but it's also home to criminal marketplaces where stolen data is bought and sold. That includes usernames, passwords, email addresses, and payment card details.
When a company suffers a data breach, the stolen records often end up on these markets within days. From there, other criminals purchase them and use them to attack the businesses whose employees held those credentials.
How do credentials end up on the dark web?
There are a few common routes, and most of them don't require your own systems to be targeted directly:
- Third-party data breaches. Your staff sign up for a service — a supplier portal, an industry platform, a conference registration system — using their work email address. That service suffers a breach. Your credentials are now in the wild, through no fault of your own.
- Phishing attacks. A convincing fake login page harvests usernames and passwords directly. The attacker doesn't need to breach anything — your staff unknowingly hand the credentials over.
- Password reuse. Someone uses the same password at work and for a personal account. The personal service gets breached. The attacker then tries the same credentials on Microsoft 365, your VPN, or your business banking.
- Malware on devices. Info-stealing malware silently captures login credentials from browsers and apps, then sends them to the attacker. This happens on personal devices used for work just as readily as on business machines.
None of these require your core systems to be compromised directly. The exposure comes from elsewhere — which is why most businesses don't spot it until something has already gone wrong.
Why this is a business problem, not just a personal one
Individuals worry about their personal email or bank account. For businesses, the stakes are considerably higher.
Attackers use stolen credentials to gain entry to business systems — Microsoft 365 accounts, remote desktop connections, VPNs, cloud storage. Once inside, they can read emails, steal data, divert payments, or deploy ransomware. And they often don't rush. Many attackers sit quietly inside a network for weeks or months before doing anything obvious, mapping out systems and waiting for the right moment.
The National Cyber Security Centre (NCSC) consistently identifies credential compromise as one of the most common initial access methods in UK cyber incidents. For SMBs, this is particularly concerning. Smaller organisations often lack the monitoring tools to detect an intruder who's already logged in legitimately.
Attackers don't always break in. Often, they simply log in — using credentials your staff didn't even know had been compromised.
What dark web monitoring actually does
Dark web monitoring services continuously scan criminal forums, markets, and data dumps for email addresses and credentials associated with your business domain. When a match is found, you receive an alert.
The alert typically tells you which email address was compromised, which third-party breach the data likely came from (if known), and what type of data was exposed. That gives you something actionable: reset the password immediately, check for suspicious activity on that account, and review any other systems where that credential may have been reused.
Monitoring won't prevent the initial breach — that's beyond your control. But it dramatically shortens the window between a credential being compromised and you doing something about it. Without monitoring, the average organisation finds out about a breach from a third party, often months after the fact, and often because damage has already been done.
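The matching step described above, as an added example that is not code from any monitoring product: it filters constructed dump records for a placeholder domain, `example.co.uk`, and groups the hits into per-address alerts. The `email|source|fields` record layout and every name in the code are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed placeholder for the business domain being monitored.
MONITORED_DOMAIN = "example.co.uk"

# Constructed sample records in an assumed "email|source|fields" layout.
SAMPLE_DUMP = """\
Alice.Smith@Example.co.uk|supplier-portal-breach|email,password
alice.smith@example.co.uk|conference-reg-breach|email,phone
bob@mail.example.co.uk|unknown|email,password,card
carol@example.co.uk.attacker.test|supplier-portal-breach|email,password
dave@notexample.co.uk|supplier-portal-breach|email,password
not-an-email|supplier-portal-breach|password
"""

def belongs_to_domain(email, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    local, sep, host = email.rpartition("@")
    if not sep or not local:
        return False
    host = host.lower().rstrip(".")
    # A plain substring or suffix test would also match look-alike hosts.
    return host == domain or host.endswith("." + domain)

def build_alerts(dump_text, domain=MONITORED_DOMAIN):
    """Group matching records per address: breach sources and exposed data types."""
    alerts = defaultdict(lambda: {"sources": set(), "data_types": set()})
    for line in dump_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # malformed record, skip it
        email, source, fields = parts
        email = email.strip().lower()  # same mailbox regardless of case
        if not belongs_to_domain(email, domain):
            continue
        alerts[email]["sources"].add(source)
        alerts[email]["data_types"].update(f.strip() for f in fields.split(","))
    return dict(alerts)

if __name__ == "__main__":
    for address, info in sorted(build_alerts(SAMPLE_DUMP).items()):
        action = "reset password now" if "password" in info["data_types"] else "review"
        print(address, sorted(info["sources"]), sorted(info["data_types"]), action)
```
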
What to do if your credentials are found
If a dark web scan identifies that credentials linked to your domain have been exposed, the response should be prompt but measured:
- Reset the compromised password immediately. Don't just update it on the service where it was detected. If the same password was used anywhere else, reset it there too.
- Enable multi-factor authentication. If MFA isn't already in place for the affected account, get it activated now. A stolen password is far less useful to an attacker when they also need a second factor to proceed.
- Check for suspicious activity. Review login logs for the affected account. Unusual sign-ins from unfamiliar locations or devices may indicate the credentials have already been used. Your IT provider can help with this investigation.
- Assess what the account had access to. If the compromised account could reach sensitive data, financial systems, or administrative controls, treat the situation as a potential breach and investigate accordingly.
- Use it as a constructive prompt. Remind staff — without blame — why unique passwords and a password manager matter. A real-world incident makes the message land far better than an abstract policy document.
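One way to carry out the login-log review from the list above, as an added example rather than a tool the article describes: it flags sign-ins made after an exposure date from a country or device the account had not used successfully before that date. The log rows are constructed, and the column names, the `exposed_on` cutoff and the function name are assumptions, not a vendor export format.

```python
import csv
import io
from datetime import datetime

# Constructed sign-in records; the columns are assumed for this example.
SAMPLE_LOG = """\
timestamp,user,country,device_id,result
2024-03-01T08:55:00,alice@example.co.uk,GB,laptop-01,success
2024-03-04T09:10:00,alice@example.co.uk,GB,laptop-01,success
2024-03-06T17:40:00,alice@example.co.uk,GB,phone-07,success
2024-03-12T02:14:00,alice@example.co.uk,NL,unknown-a1,failure
2024-03-12T02:16:00,alice@example.co.uk,NL,unknown-a1,success
2024-03-12T09:05:00,alice@example.co.uk,GB,laptop-01,success
2024-03-13T11:30:00,alice@example.co.uk,GB,tablet-22,success
2024-03-12T03:00:00,bob@example.co.uk,FR,laptop-09,success
"""

def review_signins(log_text, account, exposed_on):
    """Return (timestamp, result, reasons) for sign-ins worth a closer look."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text)) if r["user"] == account]
    for r in rows:
        r["when"] = datetime.fromisoformat(r["timestamp"])
    rows.sort(key=lambda r: r["when"])
    # Baseline: what the account looked like before the credential was exposed.
    baseline = [r for r in rows if r["when"] < exposed_on and r["result"] == "success"]
    known_countries = {r["country"] for r in baseline}
    known_devices = {r["device_id"] for r in baseline}
    findings = []
    for r in rows:
        if r["when"] < exposed_on:
            continue
        reasons = []
        if r["country"] not in known_countries:
            reasons.append("new country")
        if r["device_id"] not in known_devices:
            reasons.append("new device")
        if reasons:  # failed attempts are kept too: they show someone trying
            findings.append((r["timestamp"], r["result"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review_signins(SAMPLE_LOG, "alice@example.co.uk", datetime(2024, 3, 10)):
        print(finding)
```

A flagged sign-in is a prompt to investigate rather than proof of misuse, and an account with no sign-ins before the cutoff has every later sign-in flagged.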
Practical steps for UK SMBs
You don't need an enterprise security budget to reduce your exposure to this threat. These measures make an immediate, practical difference:
- Dark web monitoring as part of your IT support. Many managed IT providers include this as a standard service. If yours doesn't offer it, ask whether it's available — or whether it's time to find a provider who takes this more seriously.
- Multi-factor authentication on all key systems. Particularly email, VPN, and any cloud services. MFA is the single most effective control against credential-based attacks and should be non-negotiable.
- A business password manager. Shared passwords on sticky notes or in spreadsheets are a liability. A business password manager — such as 1Password, Bitwarden, or Keeper — makes unique, complex passwords practical for every member of staff.
- Regular offboarding of leavers. Dormant accounts attached to old credentials are a soft target. Remove access promptly when staff leave, and audit active accounts periodically.
- Basic phishing awareness for your team. Phishing remains the most common delivery mechanism for credential theft. A short, practical session is more effective than a lengthy policy document.
The reality most businesses don't want to sit with
There's a reasonable chance that at least one set of credentials linked to your business domain has already appeared on the dark web. That's not a statement designed to alarm — it's the statistical reality for most organisations that have been operating for more than a few years and whose staff use their work email addresses for external services.
What matters is whether you know about it, and whether you've acted. Dark web monitoring won't solve every cybersecurity problem your business faces. But it closes a gap that most SMBs don't even realise they have — and it gives you the information you need to respond before an attacker takes advantage of it.