What personal data do scammers buy on the dark web and what do they do with it?
Dark web markets sell full identity packages (name, SSN, DOB, address), banking credentials, credit card numbers, and email-password combos — each enabling a different type of fraud.
Last reviewed: 10 June 2026
Explanation
The dark web hosts marketplaces where stolen personal data is traded, often at surprisingly low prices. Understanding what is available and how it is used helps you prioritise which defences matter most.
Full identity packages (called 'fullz') contain name, date of birth, Social Security Number, address, and sometimes driver's license or passport numbers. These enable full identity theft — opening credit accounts, filing tax returns, or applying for government benefits in your name. A fullz can sell for as little as a few dollars for older, less-verified data, or significantly more for verified, recently active profiles.
Banking credentials (username, password, and sometimes account number and routing number for a specific institution) are sold separately and used to drain accounts, authorise ACH transfers, or sell access to money mule networks. The price typically correlates with the balance in the account.
Credit card dumps (card number, expiry, CVV) are used for card-not-present online fraud or cloned physical cards for in-store use before the card is reported. Email-and-password combos from breaches are used in credential stuffing attacks against other platforms.
The presence of your data on the dark web does not mean fraud is inevitable, but it does mean you should act as though your credentials could be tested at any moment: use unique passwords, enable 2FA, and monitor your credit report and accounts regularly.
Common red flags
- haveibeenpwned.com shows your email in a data breach — your credentials may be in circulation
- Credit accounts appear on your report that you didn't open
- You receive targeted phishing messages that include your real name and partial personal details
- Your bank alerts you to login attempts from unusual locations
- You receive tax rejection notices or benefit denial letters
What to do now
- Check haveibeenpwned.com for your email addresses and change exposed passwords immediately
- Use unique passwords for every account — a password manager makes this practical
- Enable two-factor authentication on all key accounts
- Place a credit freeze if you believe fullz data with your SSN is in circulation
- Set up credit monitoring alerts to catch new account openings early
- Check your IRS transcript and Social Security earnings record for signs of tax or employment fraud
Frequently asked questions
Should I pay a service to scan the dark web for my data?
Free tools like haveibeenpwned.com cover most known breach databases well. Paid dark web monitoring services vary in quality. Taking protective actions (2FA, unique passwords, credit freeze) is more valuable than monitoring alone.
If my data is on the dark web, can it be removed?
Once data is distributed on the dark web, it cannot practically be removed — copies proliferate across multiple servers. Focus on changing the exposed credentials and securing your accounts rather than attempting removal.