What to Do When We Detect Your Information on the Dark Web
Information:
- Audience: End users (customers)
- Purpose: Explain what the alert means, what the risks are, and the steps you should take immediately.
1) What's happening?
We use a security monitoring service (Dark Web Monitoring) that looks for signs that email addresses, passwords, or business information may have been exposed in data breaches and are now being shared.
When we detect a match related to your account, we will contact you before this information can be misused. The helpdesk will proceed with the steps below. The company's contact person also gets these alerts and reports by email. If he or she takes action, the steps below can be used.
It is important to know that seeing your information in a leak does not automatically mean your device is hacked or that someone is currently logged into your account. In many cases, the data comes from a breach at a third-party website or service you used in the past.
2) What does “on the dark web” mean?
The “dark web” is a part of the internet that is not indexed by normal search engines. Some areas are used for privacy, but it’s also commonly used for criminal marketplaces and forums where stolen data is traded.
Leaks often include:
- Email addresses
- Passwords (sometimes in plain text, sometimes “hashed”)
- Phone numbers
- Addresses
- Usernames
- Occasionally financial data or ID-related information (depending on the breach)
3) What to do (do these in order)
1) Set up MFA (Multi‑Factor Authentication)
MFA adds a second verification step so a leaked password alone isn’t enough.
How to set it up (Work/School account):
- Go to Security info: mysignins.microsoft.com/security-info
- Sign in with your work account.
- Select Add sign-in method.
- Choose Microsoft Authenticator (recommended) and follow the prompts. For this step you can also follow this knowledge base article: https://kb.cloudconnected.nl/en/article/setup-2-factor-authentication-using-the-microsoft-authenticator-app-on-a-new-phone-353l9/
2) Change your Microsoft work password (most important)
Follow this knowledge base article that gives all the instructions on how to easily reset your password: https://kb.cloudconnected.nl/en/article/how-do-i-reset-my-password-18071nj/
3) Check “My Sign-ins” for unusual logins
This helps you confirm whether anyone has tried (or managed) to sign in.
How to check:
- Open My Sign-ins: https://mysignins.microsoft.com/security-info
- Click on Recent Activity.
- Review the list and expand any entries you don’t recognize.
- If you find something suspicious:
  - Change your password immediately (again)
  - Go back to Security info and ensure MFA methods are correct (no unknown phone numbers/devices).
Note: location can sometimes look “off” due to mobile networks, so also check the device/app details (browser, OS, app name).
4) Check Outlook rules & forwarding (quick but important)
A common tactic after account compromise is creating mailbox forwarding rules to silently copy your emails.
How to check (Outlook on the web):
- Open Outlook on the web (your usual webmail).
- Click Settings (⚙) → Mail → Rules
- Look for rules that:
  - Forward/redirect mail to an external address
  - Move mail to strange folders
  - Delete or hide messages
- If you didn’t create a rule, disable or delete it.
Also check automatic forwarding:
- In Outlook settings, check Mail → Forwarding and ensure forwarding isn’t enabled without your knowledge (forwarding can be set in multiple ways).
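For helpdesk staff who need to apply the same rule criteria to an exported list of rules, the check can be scripted. The following is an added example, not part of the original article: the field names follow the properties returned by Exchange Online's Get-InboxRule cmdlet, while the sample rules, the internal domain example.com and the folder list are constructed assumptions.

```python
# Added example: flags inbox rules that match the checklist criteria above.
# Field names follow Exchange Online Get-InboxRule properties; all data is constructed.
INTERNAL_DOMAINS = {"example.com"}  # assumption: your organisation's mail domains
RARELY_READ_FOLDERS = {"rss feeds", "conversation history", "junk email"}  # assumption

def external_addresses(addresses):
    """Return the addresses whose domain is not one of INTERNAL_DOMAINS."""
    found = []
    for addr in addresses or []:
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if "@" in addr and domain not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def review_rule(rule):
    """Return the reasons a rule needs a manual look (empty list = nothing flagged)."""
    reasons = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_addresses(rule.get(field))
        if ext:
            reasons.append(f"{field} external: {', '.join(ext)}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes messages")
    folder = rule.get("MoveToFolder") or ""
    if folder.lower() in RARELY_READ_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if rule.get("MarkAsRead") and reasons:
        reasons.append("marks mail as read")
    return reasons

def review_mailbox(rules):
    """Map rule name -> reasons, for flagged rules only."""
    results = {rule["Name"]: review_rule(rule) for rule in rules}
    return {name: reasons for name, reasons in results.items() if reasons}

SAMPLE_RULES = [  # constructed sample, not real data
    {"Name": "Newsletters", "MoveToFolder": "Newsletters"},
    {"Name": "sync", "ForwardTo": ["backup.inbox@mail.example.net"], "MarkAsRead": True},
    {"Name": "Invoices", "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Team copy", "RedirectTo": ["colleague@example.com"]},
    {"Name": "cleanup", "DeleteMessage": True},
]

if __name__ == "__main__":
    for name, reasons in review_mailbox(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged rule is a prompt for a manual look with the mailbox owner, not proof of compromise.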
4) If you get MFA prompts you didn’t start (very important)
If your phone asks you to approve a sign-in you didn’t initiate:
- Tap Deny
- Change your password
- Contact IT Support immediately
Unexpected prompts can mean someone has your password and is attempting access, and MFA is blocking them.
Updated on: 04/03/2026