DarkVault

Tags: incident-response, data-breach, dark-web, gdpr, notification, breach-response, crisis-management

What to Do When Your Company Data Appears on the Dark Web

February 20, 2026
10 min read

You just received an alert: your company's data is on the dark web. Your employees' credentials are being sold in a breach dump. This moment defines whether this becomes a manageable incident or a catastrophic breach. The next 72 hours are everything. Here's exactly what to do.

First 15 Minutes — Immediate Triage

The panic is natural. Resist it.

Your first actions are purely mechanical: gather facts, document everything, and activate the incident response machinery.

Do this now:

  • Screenshot everything. Capture the alert, the source, the timestamp, the URL. You'll need this for forensics and regulatory filings.
  • Identify the scope. How many records are exposed? What data types? Employee passwords? Customer PII? Payment card data? Intellectual property? This determines whether you're filing a single GDPR notification or handling a multi-country emergency.
  • Determine freshness. Is this a brand-new breach that happened last week, or old data from an incident you already patched three years ago? The timeline matters for investigation priority.
  • Ask: Are we actively compromised right now? A dark web listing could be stale data. Or it could signal an active intruder still in your network. This is the question your CISO needs answered immediately.
  • Escalate. Call your CISO, IT director, General Counsel, and DPO (if you have one). If you have a documented incident response plan, activate it now. If you don't, flag that as an action item for after the crisis.
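The scope and freshness checks above, worked through as an added example (not code from the original post or from DarkVault's product): it matches a constructed dump excerpt against a constructed identity-directory export to separate still-live credentials from ones already rotated. The field names, addresses and dates are assumptions; real alerts and directory exports will need their own adapter.

```python
from datetime import date

# Constructed dump excerpt as it might appear in an alert (not real data).
DUMP = [
    {"email": "alice@example.com", "leaked_at": "2026-02-10", "source": "stealer-log"},
    {"email": "bob@example.com", "leaked_at": "2023-01-05", "source": "combo-list"},
    {"email": "carol@example.com", "leaked_at": "2026-02-15", "source": "breach-dump"},
    {"email": "erin@example.com", "leaked_at": "2026-02-12", "source": "stealer-log"},
    {"email": "dave@other.example", "leaked_at": "2026-02-01", "source": "combo-list"},
]
# Constructed identity-directory export: email -> last password change, MFA, active.
DIRECTORY = {
    "alice@example.com": {"pw_changed": "2025-11-01", "mfa": False, "active": True},
    "bob@example.com": {"pw_changed": "2024-06-30", "mfa": True, "active": True},
    "carol@example.com": {"pw_changed": "2026-02-16", "mfa": True, "active": True},
    "erin@example.com": {"pw_changed": "2025-12-01", "mfa": True, "active": True},
}
COMPANY_DOMAINS = {"example.com"}  # assumed corporate mail domains


def classify(record, directory, domains):
    """Return (email, category, mfa_enrolled) for one leaked record."""
    email = record["email"].strip().lower()
    if email.rsplit("@", 1)[-1] not in domains:
        return email, "not_our_domain", None
    acct = directory.get(email)
    if acct is None or not acct["active"]:
        return email, "unknown_or_disabled", None
    leaked_at = record.get("leaked_at")
    changed = date.fromisoformat(acct["pw_changed"])
    # Only a password set strictly after the dated leak is known clean; an
    # undated leak is treated as live (conservative).
    if leaked_at and changed > date.fromisoformat(leaked_at):
        return email, "stale_rotated", acct["mfa"]
    return email, "live_reset_now", acct["mfa"]


def triage(dump, directory=DIRECTORY, domains=COMPANY_DOMAINS):
    """Bucket leaked records; live credentials without MFA come first."""
    buckets = {"live_reset_now": [], "stale_rotated": [], "unknown_or_disabled": [], "not_our_domain": []}
    for rec in dump:
        email, cat, _ = classify(rec, directory, domains)
        buckets[cat].append(email)
    # Reset order: accounts without MFA first (the bought password alone logs in).
    buckets["live_reset_now"].sort(key=lambda e: (directory[e]["mfa"], e))
    return buckets
```

The "live_reset_now" bucket is the list to hand to whoever runs the forced resets; "stale_rotated" still tells you the account was in a dump, which matters for the timeline later.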

Hours 1–4 — Contain and Assess

Speed matters here, but precision matters more. Your goal is to stop the bleeding before you fully understand the wound.

Immediate containment:

  • Force password resets for all affected accounts. Yes, all of them. Yes, immediately. This is the only action that instantly devalues the compromised credentials on the dark web. Attackers are likely running credential stuffing attacks against your network right now, trying to use the exposed passwords before employees change them.
  • Revoke active sessions. Log out everyone. Force re-authentication. If an attacker already has valid sessions open, this kills them.
  • Check your SIEM and security logs. Search for signs of active compromise:
    • Unusual login patterns (off-hours, unusual geographies, failed attempts)
    • Lateral movement (one compromised account pivoting through the network)
    • Data exfiltration (large file transfers, email forwarding rules, cloud storage uploads)
    • Persistence mechanisms (new scheduled tasks, new admin accounts, VPN rules)
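The log search above, as an added example rather than code from the original post or from DarkVault: it runs credential-stuffing, new-country and off-hours checks over a constructed, simplified authentication log. The line format, the per-user country baseline and the business-hours window are assumptions; in practice the parser is replaced by a SIEM query and the thresholds are tuned to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt (not real data): "<ts> ip=.. user=.. result=.. country=..", UTC.
LOG = """\
2026-02-20T02:14:05Z ip=203.0.113.7 user=alice@example.com result=FAIL country=RO
2026-02-20T02:14:06Z ip=203.0.113.7 user=bob@example.com result=FAIL country=RO
2026-02-20T02:14:07Z ip=203.0.113.7 user=carol@example.com result=FAIL country=RO
2026-02-20T02:14:12Z ip=203.0.113.7 user=erin@example.com result=SUCCESS country=RO
2026-02-20T09:05:30Z ip=198.51.100.9 user=bob@example.com result=SUCCESS country=DE
"""
# Constructed baseline of countries each user normally logs in from.
BASELINE = {"alice@example.com": {"DE"}, "bob@example.com": {"DE"}, "erin@example.com": {"DE", "AT"}}

def parse(line):
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # aware datetime
    return event

def stuffing_sources(events, min_users=3, window=timedelta(minutes=10)):
    """IPs whose failures hit >= min_users distinct accounts within one window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append((e["ts"], e["user"]))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()  # slide a time window over this IP's failures
        for i, (start, _) in enumerate(attempts):
            if len({u for t, u in attempts[i:] if t - start <= window}) >= min_users:
                flagged.add(ip)
                break
    return flagged

def suspicious_logins(log=LOG, baseline=BASELINE):
    """Successful logins to look at first, each with the reasons it was flagged."""
    events = [parse(l) for l in log.splitlines() if l.strip()]
    stuffing = stuffing_sources(events)
    findings = []
    for e in (x for x in events if x["result"] == "SUCCESS"):
        reasons = ["success from credential-stuffing source"] if e["ip"] in stuffing else []
        # Users with no baseline are not flagged on country alone.
        if e["country"] not in baseline.get(e["user"], {e["country"]}):
            reasons.append("new country " + e["country"])
        if e["ts"].hour not in range(7, 20):  # assumed business hours, 07:00-19:59 UTC
            reasons.append("off-hours")
        if reasons:
            findings.append((e["user"], e["ip"], reasons))
    return findings
```

A success that carries all three reasons, as erin's does here, is the account to treat as compromised and pull sessions for first, ahead of the company-wide reset.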

Assessment questions:

  • Is the breach ongoing, or historical? (Affects urgency and scope)
  • Which systems were actually affected? (Breach notification rules differ for customer data vs employee data)
  • Is customer data included? (Triggers regulatory notification in almost every jurisdiction)
  • Is partner/third-party data included? (Additional liability and notification requirements)

If you don't have the forensic expertise in-house, bring in an external Incident Response firm now. They can preserve evidence correctly, conduct attribution, and guide you through regulatory notification. This is not a cost to avoid.

The 72-Hour GDPR/NIS2 Regulatory Clock

This is not optional.

Under GDPR Article 33, you must notify your supervisory authority within 72 hours of becoming aware of a personal data breach. Missing this deadline is not forgivable—it triggers additional penalties on top of the primary breach fine.

Under NIS2 (for operators of essential services), the timeline is tighter still: early warning within 24 hours, full notification within 72 hours.

DORA (for financial institutions) requires immediate notification to regulators.

The penalties are real:

  • GDPR: up to €10 million or 2% of global annual revenue, whichever is higher, just for late notification
  • Missing your supervisory authority notification by even a few hours compounds your liability

Critical insight: You don't need to have your investigation complete to file a compliant notification. The law expects you to notify based on what you know at the 72-hour mark. You can file a follow-up notification with additional details as the investigation progresses.

Regulation | First Notification | To Whom | Deadline | Penalty for Missing Deadline
GDPR | Supervisory Authority | National data protection regulator | 72 hours from awareness | +€10M or 2% global turnover
NIS2 | Competent Authority | National critical infrastructure body | Early warning 24h, full notification 72h | Significant fines
DORA | Financial regulators | ECB/national regulator | Immediately | Fines + operational restrictions
UK GDPR | ICO | UK Information Commissioner's Office | 72 hours from awareness | £17.5M or 4% turnover
HIPAA (US) | HHS + Affected Individuals | Department of Health & Human Services | 60 days from discovery | $100-$50,000 per violation
PCI DSS | Card Issuer + Acquiring Bank | Payment processors | Immediate | Fines + card brand restrictions

Hours 4–24 — Notify and Document

Legal and compliance:

  • Notify your DPO and General Counsel immediately. They need to be involved in every downstream decision.
  • Notify your supervisory authority. For EU companies, this is your national data protection authority (in Germany: BfDI; France: CNIL; Spain: AEPD; Italy: Garante per la Protezione dei Dati Personali; Portugal: CNPD).
    • Your notification should include:
      • Date and time of discovery
      • Description of the breach (what data, how many records, affected categories of individuals)
      • Likely consequences
      • Measures you're taking (remediation, investigation, containment)
      • Contact details for follow-up
      • Note that the investigation is ongoing and you'll provide updates
  • Assess Article 34 data subject notification risk. If the breach poses high risk to individuals (sensitive data, no encryption, already being used in scams), you must notify affected individuals directly. This is separate from authority notification and happens in parallel.
  • Notify your cyber insurance carrier immediately. Many policies have strict notice requirements. Delaying this costs you coverage.
  • Preserve all evidence in forensic format. Don't let your IT team delete logs or "clean up" evidence. Everything is evidence now. Chain of custody matters for both investigation and potential litigation.
  • Create a detailed incident timeline. When was the data actually stolen vs when you became aware? This distinction matters for regulatory calculations and liability.

Days 1–14 — Remediate and Recover

Now that immediate actions are in place, move toward full containment and recovery.

Credentials and access:

  • Force password resets company-wide if not already done. Don't just reset affected accounts—assume your password vault is compromised.
  • Implement or strengthen MFA on all critical systems. Any credential an attacker bought from the dark web becomes nearly worthless if MFA is enabled.
  • Patch the root cause vulnerability that allowed the breach. This is your primary remediation item. Vulnerability + stolen credentials = active compromise. Patch + stolen credentials = historical incident.

Investigation and attribution:

  • Engage external forensics for root cause analysis. You need to know: How did they get in? When? Through what system? Did they exfiltrate data, or only view it? Did they install persistence? This informs both your remediation and your insurance claim.
  • Search your network for lateral movement. If attackers had valid credentials, they likely didn't just steal data—they moved through your network. Find what they touched.

Operational hardening:

  • Audit all third-party access. Data breaches are often traced back to compromised third-party vendors or suppliers. Who has access to your systems? Do they still need it? Are they using it?
  • Review and improve MFA coverage. If MFA had been in place, this breach would have been orders of magnitude less damaging. Make it mandatory for all remote access, all privileged accounts, and all cloud services.
  • Review and update your incident response plan. Now that you've lived through this, write down what worked, what didn't, what was missing. Update your contact list, your escalation procedures, your forensics vendor relationships.

Communication and monitoring:

  • Prepare customer communications if needed. If customer data was compromised, you'll need transparent, factual communications. Start drafting now, but don't send until you've consulted legal and assessed your notification obligations.
  • Monitor the dark web for continued exposure of your data. Attackers sometimes re-sell the same data multiple times. Set up alerts for your company domain, executive email addresses, and employee names. DarkVault provides automated monitoring to catch follow-on exposure.

Setting Up Continuous Monitoring After a Breach

One breach signals vulnerability. And attackers are efficient—they resell access, credentials, and data multiple times across different criminal forums.

If your company data made it to the dark web once, you need continuous monitoring to detect whether it's being re-sold, leveraged for follow-on attacks, or bundled with other breaches.

Set up dark web alerts for:

  • Your company domain name (for corporate credentials, internal tools, business email)
  • Executive names and personal email addresses (for targeted spear-phishing)
  • Key product names or trade secrets (for IP theft or competitive intelligence)
  • Your industry vertical + company size (attackers profile targets by sector)

Don't wait for the next breach to start monitoring. Every company your size is being targeted. Start monitoring the dark web now to detect exposure before it's weaponised. DarkVault provides continuous dark web scanning and real-time alerts so you know immediately when your data surfaces.

Post-Incident Review and Board Reporting

Once the immediate crisis is contained, your board and stakeholders will want answers.

Root cause analysis:

  • What actually happened? What vulnerability was exploited? Was it a known, patched vulnerability that hadn't been deployed to production? Was it a zero-day? Was it social engineering or credential compromise?
  • Could this have been prevented? (Determines shareholder liability and cyber insurance coverage)

Timeline reconstruction:

  • When was the data actually taken?
  • When did you become aware?
  • How did you become aware? (Internal detection, external alert, dark web monitoring?)
  • This timeline is critical for regulatory compliance and insurance claims.

Regulatory and financial lessons:

  • What did notification cost you? (Legal hours, PR, forensics)
  • Did you meet all regulatory deadlines?
  • What coverage did your cyber insurance provide?
  • What won't be covered due to negligence clauses?

Board presentation template:

Your board will ask three questions: What happened? How much did it cost? How do we prevent it next time? Structure your presentation around those three questions.

  • What happened: One paragraph. No jargon. Facts only.
  • Impact: Data compromised (types, volume), systems affected, customers impacted, regulatory notifications required.
  • Response: Timeline of actions taken, cost of incident response, regulatory fines/penalties, reputational damage estimate.
  • Prevention: What changes you're making to prevent recurrence. Budget required.

FAQ

How long does company data stay on the dark web?

Indefinitely. Once data is on the dark web, assume it's permanently available. It gets resold, bundled into new datasets, and shared across forums. The dark web is essentially a permanent archive. Your remediation strategy must assume your data is compromised forever—focus on minimising the damage through credential rotation, MFA, and monitoring.

Can I get my data removed from the dark web?

Practically speaking, no. Some vendors will claim they can, but they're essentially paying a forum operator to delist your data—and there's no guarantee another copy isn't already circulating. Your energy is better spent on defence (MFA, monitoring, access controls) than on removal.

Does finding my data on the dark web mean I've definitely been breached?

Finding employee credentials on the dark web means those credentials are compromised. Whether that represents an active breach of your systems depends on how the credentials were exposed. They could be old data from an unrelated incident, or they could signal an active intrusion right now. That's why the forensics investigation is critical—it determines whether you're dealing with historical exposure or present danger.
