Official template

Dark web safety awareness

by @Admin
Security & Emergency Preparedness

What is the dark web and how do I check if my data has been compromised?

Project plan

11 tasks
1.

Why: This is the industry-standard database for public data breaches and provides immediate visibility into known leaks.

How:

  • Navigate to haveibeenpwned.com.
  • Enter your primary email address.
  • Review the list of breaches to see what was leaked (e.g., passwords, IP addresses, physical addresses).

Done when: You have a list of all services where your primary email was compromised.

2.

Why: Since Google discontinued its Dark Web Report in early 2026, Mozilla Monitor has become the most reliable free alternative for continuous monitoring.

How:

  • Visit monitor.mozilla.org.
  • Sign in or enter your secondary email addresses.
  • Check for 'unresolved' breaches that might not have appeared on other scanners.

Done when: All secondary email accounts have been scanned and results documented.

3.

Why: Hackers use 'credential stuffing' to try leaked passwords on multiple sites; knowing if a password is 'pwned' is critical.

How:

  • Go to haveibeenpwned.com/Passwords.
  • Enter a password you have used in the past (it is safe; the site uses k-anonymity hashing).
  • If it has been seen even once, it must never be used again.

Done when: You know which of your password patterns are compromised.
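
The k-anonymity lookup mentioned in this step, as an added example (not code from this template or from Have I Been Pwned): the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally. The server function, its corpus and the padding row are constructed stand-ins so the example runs offline; the real service answers the same kind of query at api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed stand-in for the service's breach corpus: password -> times seen.
CONSTRUCTED_CORPUS = {"password": 1000, "hunter2": 17, "letmein": 250}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_response(prefix: str) -> str:
    """Server side (simulated): 'SUFFIX:COUNT' lines for every hash with this prefix."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Constructed padding row with count 0; the client must treat it as "not found".
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch=simulated_range_response) -> int:
    """Client side: only the 5-character hash prefix is handed to `fetch`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # The suffix comparison happens locally, never on the server.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody has leaked"):
        print(repr(pw), "seen", pwned_count(pw), "times")
```

To query the live service, pass a `fetch` callable that performs the HTTPS GET for the prefix and returns the response body; the password and its full hash stay on your machine either way.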

4.

Why: Human-memorable passwords are weak; a manager allows for unique, 20+ character passwords for every site.

How:

  • Download Bitwarden (cloud-sync) or KeePassXC (local-only).
  • Set a strong 'Master Password' that you have never used elsewhere.
  • Install the browser extension for auto-fill capabilities.

Done when: Password manager is installed and master vault is created.

5.

Why: Accounts identified as breached in Phase 1 are active targets for identity theft.

How:

  • Log into each compromised service.
  • Use your password manager to generate a new, random password.
  • Save the new credentials immediately in your vault.

Done when: All breached accounts now have unique, high-entropy passwords.

6.

Why: 2FA ensures that even if a password is leaked on the dark web, hackers cannot enter without a physical token.

How:

  • Install an open-source authenticator like Aegis (Android) or Ente Auth (iOS/Android).
  • Avoid SMS-based 2FA as it is vulnerable to SIM-swapping.
  • Scan the QR codes in the 'Security' settings of your most important accounts (Email, Banking, Social Media).

Done when: Your core accounts require a 6-digit code from your app to log in.

7.

Why: If you lose your phone, you will be locked out of 2FA-protected accounts unless you have these codes.

How:

  • When enabling 2FA, look for 'Backup Codes' or 'Recovery Codes'.
  • Save them in an encrypted note within your password manager or print them and store them in a physical safe.

Done when: Recovery codes are stored in a secure, accessible location.

8.

Why: Using your real email for every sign-up is the primary reason data ends up on the dark web.

How:

  • Create an account with SimpleLogin or Addy.io.
  • Generate a unique alias for every new website (e.g., netflix.random123@simplelogin.com).
  • If a site is breached, simply disable that specific alias.

Done when: You have created your first alias for a non-critical service.

9.

Why: Standard browsers often leak 'fingerprinting' data that can be cross-referenced with dark web databases.

How:

  • Install Firefox or LibreWolf.
  • Add the 'uBlock Origin' extension to block malicious scripts and trackers.
  • Set 'Enhanced Tracking Protection' to 'Strict'.

Done when: Browser is configured to minimize data leakage during daily use.

10.

Why: If you must access .onion sites for research, the Tor Browser is the only safe, encrypted gateway.

How:

  • Download ONLY from torproject.org.
  • Set the Security Level to 'Safer' or 'Safest' to disable dangerous web features like JavaScript.
  • Never maximize the window (to prevent screen-size fingerprinting).

Done when: Tor Browser is installed and configured to 'Safest' mode.

11.

Why: New breaches occur daily; safety is a recurring process, not a one-time setup.

How:

  • Open your calendar app.
  • Create a recurring event every 3 months.
  • Task: 'Re-scan emails on HIBP and Mozilla Monitor; update Password Manager'.

Done when: A recurring reminder is active in your calendar.
