The recent implementation of the NIS2 directive has changed the rules for management boards EU-wide. As a director, you are personally liable for adequate cybersecurity within your organization. This means you must not only ensure the technology, organization and personnel are in order, but also actively identify external threats. A crucial but often overlooked component of this is dark web scanning.
What is the dark web and how does our data end up there?
The dark web is the hidden part of the internet that is not accessible through regular search engines like Google. It requires special software like Tor to access it. While the dark web has legitimate applications (such as privacy protection for journalists and activists), it also functions as a digital black market where criminals trade stolen data.
Your company data can end up on the dark web in several ways:
Through external data breaches: When a major service provider gets hacked (think British Airways, Adobe, or Yahoo), millions of login credentials are stolen and subsequently sold or shared on the dark web. Many employees use the same passwords for both personal and business accounts, making these compromised credentials a direct risk to your organization.
Through targeted attacks: Criminals specifically target your organization with phishing, malware or social engineering (=deceiving employees). The stolen data is then offered for sale or shared with other cybercriminals.
Through supply chain compromises: A supplier or partner of your organization gets hacked, and your data is stolen as part of their systems.
The reality is more serious than you might think. Databases with leaked data now contain billions of records worldwide. These aren’t just email addresses and passwords, but also API keys, credit card details, medical records and confidential business information.
Lupasafe itself has more than 20 billion records in its database in Limburg (Germany).
Dark web scanning versus Have I Been Pwned
Many organizations think they’re sufficiently protected by occasionally checking Have I Been Pwned (HIBP), the well-known website by security researcher Troy Hunt. HIBP is a valuable tool, but it only tells part of the story.
Have I Been Pwned provides access to publicly known data breaches. It’s an excellent free service for individual users to check if their email address appears in known databases. However, the service is limited to publicly reported breaches and doesn’t offer continuous monitoring or company-wide analyses.
Professional dark web scanning goes much further. It combines multiple data sources:
- Active searches on dark web forums, Telegram groups and paste sites like Pastebin (public sites where blocks of text, including data dumps, are posted and shared)
- Access to torrent networks where large datasets are shared
- Proprietary databases with more than 20 billion records (like Lupasafe’s)
- Integration with services like HIBP for maximum coverage
- Continuous monitoring and automatic alerts
The difference lies in proactivity and completeness. Where HIBP lets you check “have I ever been breached?”, dark web scanning monitors continuously and alerts you immediately: “your organization has an active risk right now.”
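As an added illustration of what an HIBP check actually does under the hood (this is example code written for this article, not Lupasafe's or HIBP's own software): the Pwned Passwords service answers range queries of the form GET https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>, returning every matching hash suffix with its breach count, so the full password hash never leaves your system. The corpus and counts below are constructed so the example runs offline; the live fetcher is included but not called.

```python
"""k-anonymity breached-password check in the style of HIBP Pwned Passwords.

Added example, not code from the page, Lupasafe or HIBP. The corpus below
is constructed: the plaintexts and counts are invented for illustration.
"""
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the breach corpus: plaintext -> times seen.
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "Password123": 131_000,
    "qwerty": 3_900_000,
    "Welcome2024!": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP range query: returns 'SUFFIX:COUNT'
    lines for every corpus entry whose SHA-1 starts with `prefix`."""
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_fetch(prefix: str) -> str:
    """Real query against the public API (not used by default, so the
    example stays offline). Only the 5-character prefix is sent."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring blank or
    malformed lines (the real API may also return zero-count padding)."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str,
                fetch: Callable[[str], str] = constructed_range_fetch) -> int:
    """How many times `password` appears in the corpus (0 = not found).
    The hash is split client-side; only its first five hex characters
    are handed to `fetch`, the rest is matched locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str,
                  fetch: Callable[[str], str] = constructed_range_fetch) -> bool:
    """Policy helper: reject any password seen in a breach at all, which
    is what NIST SP 800-63B recommends for breached-password screening."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ["Password123", "Welcome2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {pwned_count(candidate)} hits, "
              f"acceptable={is_acceptable(candidate)}")
```

Swap `constructed_range_fetch` for `live_range_fetch` to query the real service; the k-anonymity property is the same in both cases, which is why this kind of check can be run at password-change time without sending the password or its full hash anywhere.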
Why is this a critical risk?
Compromised login credentials are the front door for cybercriminals. Research shows that more than 80% of data security incidents start with stolen or weak passwords. This risk manifests itself in various ways:
Credential stuffing attacks: Criminals use automated tools to try millions of combinations of usernames and passwords on your systems. If one of your employees uses the same password for LinkedIn (leaked in 2021) as for your company VPN or email, attackers have access within minutes.
Targeted spear phishing: With knowledge of leaked data, criminals can compose highly convincing phishing emails. They not only know your email address, but often also which services you use, your job title, and even personal preferences or address details (for example from when you ordered a Porsche).
Reputation damage: Imagine a competitor or journalist discovers that your organization has been unprotected for months via a simple login while employee credentials are circulating on the dark web. The damage to reputation is potentially greater than the direct financial impact.
NIS2 compliance risk: If regulators can demonstrate that you knew (or should have known) about external threats but took no action, this can lead to fines of up to 10 million euros or 2% of global annual turnover.
How does dark web scanning work?
An effective dark web scanning solution works according to a systematic approach:
- Asset identification: First, all domains, email addresses and digital assets of your organization are mapped. This includes not only @yourcompany.nl addresses, but also subdomains, cloud services and derived email addresses.
- Continuous monitoring: Specialized software scans the dark web 24/7, including forums, marketplaces, paste sites and Telegram channels. This is done through automated crawlers that search billions of records.
- Data analysis: Found data is analyzed for relevance and risk. Not every old data breach is equally dangerous – a password from 2015 that has been changed five times since then weighs less heavily than credentials leaked last week.
- Risk assessment: Advanced systems evaluate:
  - Password strength of compromised credentials
  - How recent the leak is
  - Whether the password is still actively being used
  - The severity according to HIBP classifications
  - The number of times the same credentials have been leaked
- Reporting and alerts: The findings are translated into action-oriented reports for different stakeholders – from technical details for IT teams to executive summaries for management.
What does Lupasafe specifically do?
Lupasafe offers a dark web scanning solution that goes beyond standard monitoring:
- Extensive database: Access to more than 20 billion records with leaked data, stored in Limburg (Germany) for EU privacy compliance. The database is continuously expanded with new findings.
- Multi-source scanning: Combination of proprietary dark web crawling, HIBP integration, torrent monitoring, and analysis of PasteBin and Telegram groups. This ensures maximum coverage of public and less accessible data sources.
- Privacy-first approach: For security reasons, Lupasafe never stores complete passwords. Instead, masked versions are shown (for example “pas****123”), sufficient to assess the risk without unnecessary exposure.
- GDPR-compliant: All processing complies with European privacy legislation. Personally identifiable information (PII) is only visible in the secured portal with two-factor authentication, not in shared dashboards.
- Automatic monitoring: Immediately after domains or employees are added, the first scan starts. This is followed by automatic repetitions every 7 working days. This means new leaks are quickly detected.
- Action-oriented reporting: The platform doesn’t just give alerts, but offers concrete recommendations. For each identified risk, you immediately see which employee is involved, what the severity is, and what action is needed.
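The risk-assessment criteria listed under "How does dark web scanning work?" and the masked-password reporting described above can be shown end to end in a small triage routine. This is an added example written for this article, not Lupasafe's code: the scoring weights, severity thresholds, record layout, the `still_valid` and `is_admin` fields, the domain list and the sample findings are all constructed for illustration.

```python
"""Triage of dark-web findings: score, filter to scope, mask passwords.

Added example, not Lupasafe's or the page's own code. Weights, thresholds
and the sample findings below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed asset inventory (step 1 of the page's approach): monitored domains.
MONITORED_DOMAINS = {"yourcompany.nl"}


@dataclass
class Finding:
    email: str
    password: str        # as found in the dump; only a masked form is reported
    breach_name: str
    breach_date: date
    times_seen: int      # distinct dumps containing this same credential
    still_valid: bool    # assumed result of a consented credential check
    is_admin: bool       # assumed lookup against the IAM inventory


def mask_password(pw: str) -> str:
    """Keep the first and last three characters, star the middle
    (e.g. 'pas****123'); anything of six characters or fewer is hidden."""
    if len(pw) <= 6:
        return "*" * len(pw)
    return pw[:3] + "*" * (len(pw) - 6) + pw[-3:]


def password_strength(pw: str) -> int:
    """Crude 0-3 estimate from length and character-class variety.
    Constructed heuristic, not a real strength meter."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    score = (len(pw) >= 12) + (len(pw) >= 16) + (classes >= 3)
    return min(int(score), 3)


def risk_score(f: Finding, today: date) -> int:
    """0-100 score combining recency, strength, reuse count, whether the
    credential still works, and admin status (constructed weights)."""
    age_days = (today - f.breach_date).days
    score = 40 if age_days <= 30 else 25 if age_days <= 365 else 10
    score += (3 - password_strength(f.password)) * 10   # weaker = riskier
    score += min(f.times_seen, 5) * 3                    # repeated exposure
    if f.still_valid:
        score += 25
    if f.is_admin:
        score += 15
    return min(score, 100)


def severity(score: int) -> str:
    if score >= 75:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def in_scope(email: str) -> bool:
    return email.rsplit("@", 1)[-1].lower() in MONITORED_DOMAINS


def triage(findings: List[Finding], today: date) -> List[dict]:
    """One masked report row per in-scope finding, worst first."""
    rows = []
    for f in findings:
        if not in_scope(f.email):
            continue
        s = risk_score(f, today)
        rows.append({
            "email": f.email,
            "password": mask_password(f.password),
            "breach": f.breach_name,
            "score": s,
            "severity": severity(s),
            "action": ("force reset and verify MFA" if f.still_valid
                       else "confirm rotation; enforce unique passwords"),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def per_employee_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many dumps each in-scope employee appears in (the '5+ breaches'
    signal from the inventory section)."""
    counts: Dict[str, int] = {}
    for f in findings:
        if in_scope(f.email):
            counts[f.email] = counts.get(f.email, 0) + 1
    return counts


# Constructed sample findings; no real breach data.
SAMPLE = [
    Finding("admin@yourcompany.nl", "Summer2024!", "forum-dump-x", date(2024, 11, 1), 3, True, True),
    Finding("jan@yourcompany.nl", "Password123", "old-combo-list", date(2015, 6, 1), 5, False, False),
    Finding("jan@yourcompany.nl", "c0rrect-h0rse-battery", "paste-2023", date(2023, 3, 9), 1, False, False),
    Finding("someone@other-company.example", "hunter2", "forum-dump-x", date(2024, 11, 1), 1, True, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2024, 11, 15)):
        print(row)
    print(per_employee_counts(SAMPLE))
```

Two design choices worth noting: the out-of-scope address is dropped before scoring, so the report only ever contains the organization's own assets, and the plaintext never reaches the report rows, only the masked form, which is what lets the same output be shared with management without exposing live secrets.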
Inventory: what did we find?
In practice, Lupasafe finds leaked data for about one-third of employees, although this varies greatly per organization and sector. A typical inventory for a medium-sized company (50-200 employees) often reveals:
Multiple compromised accounts: 15-30% of employees have credentials that appear in at least one data breach. Sometimes these are old accounts from former employers or personal services, but passwords are often reused.
Varying password strength: The leaked passwords range from “Password123” to complex but reused passphrases. The problem isn’t always the strength, but the reuse across multiple services. Encryption isn’t always the solution either: simple encryption is quickly broken (see also the table with possible passwords).
Multiple leaks per person: Some employees appear in 5+ different data breaches, indicating widespread credential reuse or prolonged exposure without password changes.
Administrative accounts: Particularly concerning is when credentials of IT administrators or directors are leaked, as they often have elevated access rights.
The solution lies in a three-track policy:
Immediate action: Forced reset of compromised passwords
Prevention: Implementation of password managers to guarantee unique, strong passwords
Extra security: Multi-factor authentication (MFA) on all critical systems
With MFA, even a leaked password becomes useless to attackers, because they don’t have the second authentication factor (such as an SMS code or authenticator app).
We see in our phishing tests that 40% share a password, and of those 10% share the second factor. So out of 100 employees, 40 share a password and 4 of those also share their MFA.
The relationship with NIS2 compliance
The NIS2 directive marks a fundamental shift in cybersecurity responsibility. As management, you are personally liable from October 2024 for adequate security. Dark web scanning helps you comply with multiple specific requirements within QM20/30:
Article 20 – Management responsibility: You must demonstrably have insight into your organization’s security risks, including external threats. Dark web scanning documents that you actively monitor which credentials are potentially compromised.
Article 21 – Risk management: The directive requires you to not only assess risks internally, but also identify and mitigate external threats. Evidence of continuous dark web monitoring shows that you act proactively.
Article 21.2.d – Human risk management: You must take measures to increase employee security awareness. Concrete data about compromised accounts makes this more tangible and action-oriented than general training.
Audit-proof documentation: During an audit or after an incident, you can demonstrate that your organization actively monitored external threats and took appropriate measures. This can mean the difference between a warning and a million-euro fine.
It’s important to note that dark web scanning isn’t a box you can check once. It requires continuous monitoring and regular action based on new findings – exactly what NIS2 intends.
Who is this relevant for?
Dark web scanning is essential for various parties:
Accountants and auditors: If you conduct IT audits, dark web scanning offers an external risk layer that traditional audits often miss. You can advise clients about specific, documented risks instead of generic security recommendations.
Managed service providers (MSPs): For MSPs, proactive security is an important differentiator. By offering dark web monitoring, you protect customers before problems arise, resulting in fewer incidents, higher customer satisfaction and lower support costs.
SME management: If you lead an organization with 10-500 employees, you combine personal liability under NIS2 with often limited security resources. Dark web scanning automates a critical security layer without major investments in personnel or infrastructure.
Industries with high compliance requirements: Organizations in healthcare, financial services, and critical infrastructure have increased risks and stricter regulations. For these sectors, dark web monitoring is often not an option but a requirement.
Read more: https://lupasafe.com/en/leaked-data