Our passwords were found on the dark web - what should we do?

Step-by-step response plan when your business passwords appear on the dark web. Learn immediate actions, long-term fixes, and how to prevent credential attacks.

centrexIT Team

Key Takeaways

  • Don't panic, but act fast - exposed passwords are actively used in credential stuffing attacks within hours
  • Immediate steps: reset affected passwords, enable MFA everywhere, check for unauthorized access
  • Passwords end up on the dark web through data breaches at third-party services, phishing, and malware
  • MFA is your strongest defense - even if a password is stolen, attackers can't get in without the second factor
  • Dark web monitoring and a business password manager are essential ongoing protections

Getting the notification that your company’s credentials have been found on the dark web is alarming. Maybe your IT provider flagged it. Maybe a dark web monitoring service sent an alert. Maybe you checked Have I Been Pwned and found your business email addresses listed.

Whatever triggered it, your first question is: what do we do right now?

Let’s walk through exactly what this means and the steps you need to take - immediately and long-term.

How Passwords End Up on the Dark Web

Before we get to the action plan, it helps to understand how your credentials got there. It’s usually not because someone hacked your company directly.

Third-Party Data Breaches

This is the most common source. A service your employees use - LinkedIn, Dropbox, Adobe, a hotel booking site, an industry forum - gets breached. The attackers steal the entire user database, including email addresses and passwords. That database gets sold or posted on the dark web.

Why it matters for your business

If an employee used their work email to sign up for LinkedIn and used the same password (or a similar one) for their work account, attackers now have a credential that might work on your systems.

Phishing Attacks

An employee enters their credentials on a fake login page. The attacker captures the username and password in real time and often adds them to dark web marketplaces for resale.

Infostealer Malware

Malware on an employee’s computer (sometimes even a personal device) can harvest saved passwords from browsers, email clients, and other applications. These credential dumps are sold in bulk on the dark web.

Password Reuse

This is the amplifier. One breach becomes ten because people reuse passwords across services. Attackers know this, which is why they immediately try stolen credentials against other platforms.

Immediate Steps (Do These Now)

Time matters. Stolen credentials are actively exploited - often within hours of appearing on dark web marketplaces.

1. Reset All Affected Passwords

Identify which accounts are compromised and reset those passwords immediately.

Key points

  • Reset the compromised passwords first, but also reset any accounts where the same or similar password was used
  • Use strong, unique passwords for each account (at least 16 characters)
  • Don’t just add a number to the end of the old password - attackers know that trick
  • If you don’t know which specific accounts are affected, prioritize email, VPN, and admin accounts

2. Enable MFA on Everything

If you haven’t already, this is your wake-up call. Multi-factor authentication is the single most effective defense against stolen credentials.

Priority order for MFA deployment

  1. Email (Microsoft 365, Google Workspace)
  2. VPN and remote access
  3. Administrative accounts
  4. Cloud services and SaaS platforms
  5. Financial systems
  6. All remaining accounts

Why MFA changes everything

Even if an attacker has a valid password, MFA requires a second verification - a push notification, authenticator code, or hardware key. The stolen password becomes useless on its own.

3. Check for Unauthorized Access

Compromised credentials may have already been used. Look for signs of unauthorized access.

What to review

  • Sign-in logs - Check Microsoft 365 or Google Workspace for logins from unusual locations, IP addresses, or times
  • Email forwarding rules - Attackers often create hidden forwarding rules to silently copy emails to external addresses
  • Sent items - Were any emails sent from compromised accounts that the employee didn’t send?
  • Account changes - Look for new admin accounts, modified permissions, or changed settings
  • Financial activity - Review bank accounts and payment systems for unauthorized transactions
  • File access logs - Check if sensitive files or databases were accessed abnormally

If you find unauthorized access

This is now an active breach. Contact your IT provider or security team immediately. Don’t try to clean it up yourself - you could destroy evidence needed for investigation.

4. Notify Affected Employees

Let your team know what happened and what they need to do:

  • Which accounts were compromised
  • That passwords have been reset (and they’ll need to create new ones)
  • That they should change any personal accounts where they used the same password
  • How to spot phishing attempts that may follow (attackers sometimes use stolen data to craft targeted phishing)

Understanding Credential Stuffing Attacks

Here’s why exposed passwords are dangerous even if the breached service isn’t important to your business.

What credential stuffing is

Attackers take stolen username/password combinations and automatically try them against hundreds of services - Microsoft 365, Google, VPNs, banking sites, everything. This is called credential stuffing.

How it works

  1. Attacker buys a database of stolen credentials from the dark web
  2. Automated tools try each credential against dozens of popular services
  3. Because people reuse passwords, a significant percentage of attempts succeed
  4. Compromised accounts are used for further attacks, data theft, or sold again

The scale

Credential stuffing attacks generate billions of login attempts per year globally. The process is completely automated - attackers don’t manually type in passwords. They run software that tests thousands of credentials per minute.

Why your “unimportant” accounts matter

That old forum account your employee created with their work email? If they used the same password for work email, that breach just gave attackers the keys to your Microsoft 365 environment.

Long-Term Protections

Resetting passwords and enabling MFA handles the immediate crisis. Here’s how to prevent this from happening again.

Deploy a Business Password Manager

Password managers solve the root cause of credential exposure: password reuse.

What a password manager does

  • Generates unique, complex passwords for every account
  • Stores them securely in an encrypted vault
  • Auto-fills login forms so employees don’t need to remember passwords
  • Alerts when passwords appear in known breaches
  • Enables secure password sharing for team accounts

Business password manager options

  • 1Password Business
  • Bitwarden (open source, very affordable)
  • Keeper Business
  • Dashlane Business

What it costs

$3-$8 per user per month. A tiny investment compared to the cost of a credential-based breach.

Key point

A password manager means every account has a unique, random password. When one service gets breached, no other account is affected.

Set Up Dark Web Monitoring

Dark web monitoring continuously scans dark web marketplaces, forums, and data dumps for your company’s credentials.

How it works

  • You provide the email domains you want monitored (e.g., @yourcompany.com)
  • The monitoring service scans dark web sources continuously
  • When a match is found, you get an alert with details about the exposure
  • You can take immediate action before attackers exploit the credentials

What good monitoring provides

  • Real-time alerts when credentials appear
  • Details about the source breach
  • Which specific accounts are affected
  • Historical monitoring to catch old exposures

Your IT provider or managed security service should include dark web monitoring as part of their offering. If they don’t, ask why.

Implement Conditional Access Policies

Go beyond just MFA. Conditional access policies let you control how and where people can log in.

Examples

  • Block logins from countries where you don’t do business
  • Require MFA for any login outside the office network
  • Block logins from unmanaged devices
  • Require device compliance (up-to-date OS, active security software) before granting access
  • Automatically flag and block impossible travel (login from New York and then London 30 minutes later)

Regular Credential Audits

Make credential hygiene an ongoing practice:

  • Quarterly: Review dark web monitoring reports
  • Semi-annually: Audit password manager adoption (are all employees using it?)
  • Annually: Conduct a password security assessment
  • Ongoing: Monitor for failed login attempts that could indicate credential stuffing
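
One way to do the ongoing failed-login monitoring, shown as an added example that is not from the original article: credential stuffing shows up as one source failing logins for many different accounts in a short burst, unlike a single user mistyping their own password. The log format, the 5-minute window, the 5-account threshold and the sample lines are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_DISTINCT_USERS = 5         # assumed threshold; tune to your own baseline

# Constructed sample log: ISO timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-05-06T02:14:01,203.0.113.7,alice@example.com,FAIL
2024-05-06T02:14:02,203.0.113.7,bob@example.com,FAIL
2024-05-06T02:14:03,203.0.113.7,carol@example.com,OK
2024-05-06T02:14:04,203.0.113.7,dave@example.com,FAIL
2024-05-06T02:14:05,203.0.113.7,erin@example.com,FAIL
2024-05-06T02:14:06,203.0.113.7,frank@example.com,FAIL
2024-05-06T09:00:10,198.51.100.20,grace@example.com,FAIL
2024-05-06T09:00:25,198.51.100.20,grace@example.com,FAIL
2024-05-06T09:00:40,198.51.100.20,grace@example.com,FAIL
2024-05-06T09:01:02,198.51.100.20,grace@example.com,OK
"""

def parse(log_text):
    """Yield (time, ip, user, succeeded) tuples from the CSV-style log."""
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Flag IPs whose failed logins hit many different accounts inside `window`.
    Returns {ip: {"targeted": set, "succeeded": set}}; accounts in "succeeded"
    logged in from a flagged IP and need a password reset and a review."""
    failures = defaultdict(deque)  # ip -> (time, user) failures still in window
    successes = defaultdict(set)   # ip -> accounts that logged in successfully
    flagged = defaultdict(set)     # ip -> accounts seen in a flagged burst
    for when, ip, user, ok in sorted(parse(log_text)):
        if ok:
            successes[ip].add(user)
            continue
        q = failures[ip]
        q.append((when, user))
        while when - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ip] |= users
    return {ip: {"targeted": t, "succeeded": successes[ip]} for ip, t in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Attempts spread across many source addresses stay under a per-IP threshold, so track the overall failed-login rate alongside this check.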

Employee Security Training

Teach your team about:

  • Why password reuse is dangerous
  • How phishing attacks steal credentials
  • How to use the password manager effectively
  • What to do if they suspect their credentials are compromised
  • Why personal and work passwords should never overlap

What If the Damage Is Already Done?

If you discover that stolen credentials were used to access your systems, the situation escalates from password management to incident response.

Signs that credentials were already exploited

  • Unauthorized sign-ins in your logs
  • Suspicious email forwarding rules
  • Missing or modified data
  • Unexpected account changes
  • Reports from customers or partners about suspicious communications from your organization

What to do

  1. Engage your IT provider or incident response team - This needs professional handling
  2. Preserve evidence - Don’t delete logs or wipe systems
  3. Assess the scope - What was accessed? What was stolen?
  4. Notify your cyber insurance carrier - If you have a policy, report the incident
  5. Consult legal counsel - If personal data was exposed, you may have notification obligations
  6. Communicate transparently - If clients or partners are affected, notify them

The Bottom Line

Finding your passwords on the dark web is serious, but it’s manageable if you respond quickly. The immediate priority is resetting passwords and enabling MFA. The long-term fix is eliminating password reuse with a password manager and implementing continuous dark web monitoring.

The real danger isn’t that passwords were exposed - it’s that exposed passwords were the only thing protecting your accounts. MFA ensures that a stolen password alone is never enough to compromise your business.
