Dark web monitoring — what it scans, what it misses, and what to do with an alert

Dark web monitoring is bundled with several password managers, described variously as 'monitoring the dark web for your stolen data,' 'scanning breach databases,' or 'protecting your identity.' These descriptions are all approximately correct and collectively imprecise in ways that matter for understanding what the feature actually does and doesn't do.

The dark web monitoring provided by password managers is not continuous surveillance of criminal forums. It is, more specifically, periodic scanning of known breach databases — compilations of username and password pairs from documented security incidents — compared against your vault's email addresses. When a match is found, you receive an alert.

Understanding the mechanism resolves both the overselling ('protect yourself from the dark web') and the underselling ('it's just Have I Been Pwned'). It is a useful feature that reduces detection lag for known credential breaches; it is not comprehensive threat monitoring.

The assumption 'dark web monitoring will tell me if my passwords are being used by attackers' conflates monitoring with detection. Dark web monitoring tells you that credential data appeared in a breach database — a historical collection of data from a documented incident. It does not monitor whether your specific credentials are being actively used, whether your accounts are being accessed, or whether an attacker is testing your credentials in real time. Active account monitoring (login alerts, unusual location alerts) from the affected services is the mechanism for that.

A second assumption is that an alert means your account has been compromised. An alert means your email address and an associated password appeared in a breach dataset. The password in the dataset may be: the correct current password for that account (urgent action needed); an old password no longer in use (lower urgency); a password from a different account that you haven't rotated (action needed, lower urgency); or a false positive from a synthetic or test dataset (no action needed). Understanding which case applies requires checking whether the account is still using the exposed password.

A third assumption is that a negative result (no alerts) means your credentials are safe. Breach databases are historical collections, not comprehensive real-time feeds. New breaches enter databases with a lag that can be weeks or months. No alert means no match in the databases scanned as of the last check; it does not mean your credentials haven't appeared in a breach that hasn't been catalogued yet.

The monitoring mechanism: services like Have I Been Pwned and commercial breach intelligence providers aggregate data from disclosed security incidents. Password manager dark web monitoring queries these databases with your email addresses (using k-anonymity or similar privacy-preserving techniques that don't expose the full email address). Dashlane claims 20 billion records; Bitwarden uses Have I Been Pwned's 13+ billion record dataset. The practical coverage difference between major databases is less significant than the lag between when a breach occurs and when it appears in any database.

What to do when you receive an alert: identify which password appeared in the breach (the alert should tell you). Check whether that password is still in use anywhere. If it is, change it immediately on all services where it was used. If it's an old password no longer in use, no immediate action is needed but updating the compromised record in the vault is good hygiene.

The feature's real value is reducing detection lag. Before breach monitoring was available, users would hear about credential exposure months after a breach, if at all. Breach monitoring reduces this to days or weeks for catalogued incidents. That reduction in lag matters because credential stuffing attacks begin almost immediately after breach data becomes available.

Dark web monitoring covers email-credential pairs that appear in breach databases. It does not cover: real-time account access monitoring; personally identifiable information (SSN, passport numbers, financial data) in breach datasets (some services monitor these separately); credentials that were exposed but not yet catalogued in any database; or attack vectors that don't involve credential theft.