You receive a letter: "I am writing to inform you that we recently became aware of a cybersecurity incident that may have exposed your personal information."
About 104,000 Energy Department employees and 800,000 Postal Service workers opened one, warning about identity theft. Federal employees who swiped credit cards at Target, Home Depot or one of the retailers hacked in recent years got similar messages.
If you are one of these victims, your personal data might already be in the walled-off webpages of the secretive online black market known as the "Dark Web."
Although unlikely, it's also possible Chinese cyberspies allegedly responsible for snaring 21.5 million Office of Personnel Management records could sell or lose your information to the digital underground, data security experts say.
The online black market traffics in data, drugs and computer viruses, along with other illicit goods and services that contribute to an estimated more than $500 billion in cyber theft annually.
But take some comfort in knowing there are ways to cut the chances of ID thieves, terrorists or spies hurting anyone with your personal data.
Without further ado, an introduction to the Dark Web and protecting yourself from its inhabitants:
Above all, know the Dark Web is not a place data breach victims should visit, unless they are eager to be hacked again.
"It would be the same as you walking into one of the toughest neighborhoods in St. Petersburg into the apartment building that's being run by the local godfather of the Russian mafia," says Tom Kellermann, chief cybersecurity officer of threat intelligence firm Trend Micro, who consults the FBI. "They will hunt you because they know you are not good at cybersecurity on your own.”
Dark Web dwellers can wrap their tentacles around you on the public Internet, too, using malware that records your keystrokes. Trend Micro has been assisting the FBI on an international mission to dismantle a black market operation that has cribbed financial account passwords from the infected computers of unknowing citizens. The bank robbers raked in $10 million in the United States alone while working under the cover of the Dark Web – until the bureau and the U.K. largely disrupted the machinery, the FBI and Trend Micro announced this week.
The Dark Web is situated in the "Deep Web," comprising 70 percent of the Internet locations that do not carry a dot-com or other Web domain address. Not all of the Deep Web fuels malicious activity. Smart meters, networked tire pressure gauges, and channels for secure communications -- to escape censorship, all are tethered to Deep Web addresses.
You can't use Google to find forums underground. To get inside, you need a special browser tool that can hide your tracks, like Tor. Some Dark Web tenants are not interested in your money, but rather your secrets. For example, part of open source intelligence collection for counter surveillance takes place in the Dark Web, says Matthew Wong, director of intelligence at Flashpoint, a firm that scours the digital underground on behalf of government agencies and concerned companies.
On the flip side, foreign adversaries can exploit personal information netted during one of the many recent commercial hacks.
“Nation states are likely to look for vulnerable government employees that are exposed through the Ashley Madison breach, which was not a nation state-sponsored activity to begin with," Wong says. "It's more of someone taking advantage of the exposure left by someone else."
Spies can correlate subtle details in such data dumps with other public information to capture insights into federal operations.
Take the Anthem health insurance data breach that affected millions of current and former federal employees. Alex Holden, who consults private sector firms and tracks underground data, says as far as he knows, there is no evidence medical information was abused for financial gain, but merely coverage details could be telling. For instance, a man in his 40s who only has a year of medical history might not be the individual he claims to be. Instead, he could be a double agent, Holden says.
Purloined receipts can come in handy for tailoring spearphishing emails to deceive targets.
"If I know that every day you buy a coffee at Starbucks, I can send you a fake survey -- 'Get a $10 Starbucks Card' -- and then you are more likely to fill that out" and in so doing divulge contact information, says Holden, who founded Hold Security.
Nation states also can pay for secrets on U.S. government officials from financially-savvy underground denizens.
"Hackers may not have government affiliation but they may know that if they steal enough pertinent information they can sell it to agents of those groups," he says.
Right now, profit is the motivator behind most transactions, rather than foreign espionage, the experts say.
It's a serious business. U.S. citizenship documents retail for $5,900 inside. The assassination of a celebrity or politician can cost $180,000. Login passwords for banks around the world sell for between $200 and $500.
However, the price of your privacy is dropping. The gargantuan data breaches have flooded the market, driving up supply levels and causing fees to drop. Now, a few bucks is all an ID thief needs for your name, full address, date of birth, and Social Security number.
There are World Wide Web dot-com sites that let people find out whether they have been hacked, by checking their email address against data scraped from the Dark Web. But going to these sites is not advised, either.
The irony is that “most of these search services have crappy security of their own,” Kellermann says. “If you put your personal information into a search service that's trying to help -- you are exposing yourself to other criminals.”
Those sites include HaveIBeenPwned.com and ShouldIChangeMyPassword.com, he says.
"They are dangerous not because the people are malevolent but because the people who are providing the service don't invest in cybersecurity themselves,” Kellermann adds.
Holden has a different concern about these victim-verification sites.
"They create a false sense of security as they cover only a small fraction of the stolen data," he says.
Here are 8 ways to fight bad guys in the Dark Web, if you have been affected by a data breach:
- Put a free 90-day lock on your credit to make it difficult for criminals to open an account in your name.
- Make sure the "return-path" in an email header matches the "reply-to" -- to see if you are dealing with an impersonator.
- Don't immediately click on the link in an email or open an attachment, and cut and paste the source into another browser to make sure the two names match.
- Update your operating systems and frequently used software programs, like Adobe Flash, every Tuesday night. That is the day many software vendors have agreed to patch security holes in their programs, Kellermann says.
- "When your computer says there is critical update waiting for you, see it as an imperative -- no matter what you are doing, just save it and immediately update," Kellermann says. The alert means "a secret passageway into your computers has been discovered by criminals and the software vendor is trying to plug that hole."
- Make sure your anti-malware security is activated, even on Apple devices.
- Don't use the same passwords for multiple accounts. If you use the same credentials for your personal webmail and your work email -- and one account is hacked -- consider the other one breached too.
- Hire a security firm to help you safely navigate the Dark Web. "If you make an assumption that your information is compromised -- before someone actually gets a chance to use it, you can proactively shut that down," Wong says. His company's technology allows customers to essentially surf the Dark Web in a virtual-reality-like environment that minimizes risks.
Correction: An earlier version of this story misstated the name of a popular Adobe software.