Dark Web Monitoring: What Your Business Needs to Know in 2026

Dark web monitoring is the continuous scanning of criminal marketplaces, hacking forums, data dumps, and infostealer channels for your business’s exposed credentials, email addresses, and sensitive data. When a match is found, you are alerted immediately — giving you the window to act before an attacker uses what they have already stolen.


Your credentials could be for sale on the dark web right now. You would not know unless someone was actively looking.

This is not a hypothetical. In 2025, researchers processed over 27.9 billion identity records from breaches, data leaks, and infostealer packages — a 135% increase on the previous year. The same research identified 24.8 million unique infected devices contributing credentials to criminal marketplaces. For NZ businesses, this is not a distant threat. It is the environment your staff are operating in every time they log in to email, cloud platforms, or accounting software from a device that may have been compromised.

What makes the 2026 dark web threat fundamentally different from previous years is not volume alone. It is speed. Stolen credentials are now being exploited within 14 minutes of theft. The window between a credential appearing on a criminal marketplace and an attacker using it to access your systems has collapsed. Without dark web monitoring, you will typically find out a credential has been compromised only after the damage has been done. Our phishing scams guide covers how credential theft often begins — most stolen credentials start their journey as a phishing click or an infostealer infection.

2026 research:
  • 27.9 billion identity records processed from breaches and infostealer packages — 135% year-over-year increase
  • 51.7 million infostealer packages identified — 72% increase
  • Stolen credentials exploited within 14 minutes of theft in documented cases
  • Account compromise incidents surged 389% year-over-year in 2025
  • Attackers with legitimate credentials bypass perimeter defences with 85% intrusion success


What the Dark Web Is and How Stolen Credentials End Up There

The dark web is a part of the internet accessible only through specialised software that conceals the identity of users and servers. It is where criminal marketplaces operate openly — buying and selling stolen data, malware tools, and access to compromised systems.

Your business credentials end up on the dark web through several pathways, and most of them have nothing to do with a direct attack on your systems.

Infostealer malware

Infostealer malware is the fastest-growing threat category in 2026. It infects devices through phishing links, malicious attachments, pirated software, and compromised websites, then silently harvests saved passwords, session cookies, autofill data, and browser credentials from the infected device.

A single infected workstation can yield dozens of credentials — email accounts, cloud platforms, banking portals, and internal systems — all extracted and sent to attacker-controlled servers within minutes of infection. Infostealer cases increased 30% in 2025 with 14% more variants detected. The harvested data appears on criminal marketplaces within hours.

Third-party breaches

Your staff use corporate email addresses across dozens of external services — LinkedIn, industry forums, supplier portals, training platforms. When any of those services is breached, the credentials your staff used there are exposed. If those credentials are reused across other accounts — which research consistently shows happens with roughly half of all passwords — the blast radius extends well beyond the breached service.

Large database compilations

Cybercriminals compile and resell massive datasets combining credentials from multiple previous breaches. One 2025 compilation contained 16 billion login records. Anyone whose credentials appeared in any historical breach remains at risk if passwords have been reused, because these compilations are actively used by automated credential-stuffing tools that test stolen credentials across thousands of services simultaneously.

Shadow IT and personal device credential exposure

The NCSC issued a specific warning in March 2026 about NZ organisations whose staff use work credentials for personal services and shadow IT applications — platforms accessed outside IT oversight. When those personal or shadow services are breached, the work credentials used to access them are exposed. This is a growing risk as AI tools, collaboration platforms, and productivity apps proliferate without formal IT approval. Our employee security awareness guide covers how to build staff habits that reduce this exposure.

Why the 2026 Threat Is Categorically Different

Dark web credential theft is not new. What is new in 2026 is the speed, scale, and sophistication of how stolen credentials are weaponised.

The 14-minute exploitation window

Stolen credentials are now being exploited within 14 minutes of theft in documented cases. This is not the time from when the data appears on a criminal marketplace — it is from the moment of theft. Automated credential-stuffing tools test stolen logins across hundreds of services simultaneously at machine speed. The window for detection and response before an attacker gains access has become extremely narrow.

For NZ businesses, this means that waiting until a breach is confirmed before acting is not a viable strategy. Dark web monitoring that identifies exposure within hours — not days or weeks — is the only way to close the gap between credential theft and credential use.

Session cookie hijacking bypasses MFA entirely

Traditional dark web monitoring focused on stolen passwords. In 2026, the most dangerous items in infostealer packages are not passwords — they are session cookies. Active session tokens extracted from an infected browser allow an attacker to import them into their own browser and access your accounts without needing a password or completing MFA. The session is already authenticated.

This is why invalidating active sessions — not just resetting passwords — is now a critical step in responding to an infostealer alert. A password reset that leaves active sessions intact does not stop an attacker who already has your session cookie.
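The failure mode described above is easiest to see in server-side code. The following is an added example, not code from Exodesk or from any product mentioned on this page: a constructed in-memory session store where every session records the account's "generation" counter. A password reset on its own leaves a previously issued session token valid; bumping the generation counter at the same time invalidates every outstanding session, which is the "reset and revoke together" response the text calls for. The class name, field names and sample credentials are assumptions made for this illustration.

```python
import hashlib
import os
import secrets


class SessionStore:
    """Constructed in-memory account and session store for this example.
    Real systems keep this state in a database or identity provider."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # session token (cookie value) -> {"user", "generation"}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 with a per-user salt; iteration count kept modest for the demo
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "generation": 0,  # incremented whenever all sessions must die
        }

    def login(self, username, password):
        """Verify the password and issue a session token bound to the current generation."""
        user = self.users.get(username)
        if user is None:
            return None
        if not secrets.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "generation": user["generation"]}
        return token

    def is_authenticated(self, token):
        """A token is valid only if its generation matches the account's current one."""
        session = self.sessions.get(token)
        if session is None:
            return False
        return session["generation"] == self.users[session["user"]]["generation"]

    def reset_password_only(self, username, new_password):
        """The incomplete response: the password changes, existing sessions are untouched."""
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])

    def reset_password_and_revoke_sessions(self, username, new_password):
        """The correct response: reset the password and invalidate every issued session."""
        self.reset_password_only(username, new_password)
        self.users[username]["generation"] += 1


def demonstrate():
    """Walk through both responses against a token copied from the user's browser."""
    store = SessionStore()
    store.create_user("j.smith", "Winter2026!")  # constructed sample credential

    # The token an infostealer would have copied out of the browser's cookie jar.
    stolen_cookie = store.login("j.smith", "Winter2026!")

    store.reset_password_only("j.smith", "NewPassw0rd!")
    valid_after_reset_only = store.is_authenticated(stolen_cookie)

    store.reset_password_and_revoke_sessions("j.smith", "AnotherNewPassw0rd!")
    valid_after_revoke = store.is_authenticated(stolen_cookie)

    # The legitimate user logs in again with the new password and gets a fresh session.
    fresh_token = store.login("j.smith", "AnotherNewPassw0rd!")

    return {
        "stolen_cookie_valid_after_reset_only": valid_after_reset_only,  # True
        "stolen_cookie_valid_after_revoke": valid_after_revoke,          # False
        "user_can_log_in_with_new_password": store.is_authenticated(fresh_token),  # True
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The generation counter is one common way to implement "sign out everywhere" without enumerating a user's sessions; the same effect can be had by deleting every session row for the account or by rotating the key that signs session tokens. Whichever mechanism an identity provider exposes, the check worth making after an alert is the one `demonstrate()` performs: confirm that a pre-reset token is actually rejected, not just that the password changed.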

Illustration: session cookie hijacking bypassing MFA, shown in three stages: an infostealer extracts the session token and the attacker accesses the account without a password or multi-factor authentication.

AI-powered credential weaponisation at scale

Constella’s 2026 Identity Breach Report found that nearly 70% of compromised credentials are found in plaintext in infostealer packages. AI systems now process these at machine speed, automatically testing credentials across thousands of services, correlating identity data across multiple breaches to build complete profiles, and prioritising high-value targets — executives, finance staff, and IT administrators — for immediate exploitation.

The result is that credential exposure that previously gave you days or weeks to respond now gives you minutes. Dark web monitoring that generates alerts in near-real time is no longer a premium option — it is the minimum viable response to the current threat. This connects directly to broader identity compromise risk covered in our cyber resilience guide.

What Dark Web Monitoring Detects and What to Do When It Alerts

Understanding what monitoring covers — and what each alert type requires — ensures that alerts translate into action rather than just awareness.


Employee credentials in stealer logs
  What it means: An employee device was infected with infostealer malware. Saved passwords and session cookies have been extracted and are for sale. These are fresh, likely still valid credentials.
  Urgency: Critical — act within hours

Corporate domain in breach dump
  What it means: A service your staff use has been breached and employee credentials from that service are exposed. Often surfaces before the vendor discloses the breach publicly.
  Urgency: High — act within 24 hours

Session tokens for sale
  What it means: Active session cookies for corporate accounts are being sold. Password resets alone will not solve this — active sessions must be invalidated immediately.
  Urgency: Critical — act within hours

Executive credentials exposed
  What it means: Senior staff credentials carry higher value and face faster, more targeted exploitation. Executive and finance staff accounts are primary targets for BEC and account takeover.
  Urgency: Critical — act within hours

Historical breach match
  What it means: Credentials from an older breach have resurfaced in a new compilation. Risk depends on whether passwords have been changed and whether credentials were unique or reused.
  Urgency: Medium — act within 48 hours

Shadow IT credential exposure
  What it means: Work credentials used on an unofficial or personal platform have been exposed. Risk extends to any system where the same password is in use.
  Urgency: High — audit all shared passwords


The Correct Response When Dark Web Monitoring Alerts

An alert from dark web monitoring is only valuable if it triggers the right response. Here is the protocol that closes the window between exposure and exploitation.

Step 1: Treat every stealer log alert as an active compromise

Do not wait to confirm the breach before acting. Stealer log alerts mean credentials and session cookies have already been harvested. The question is whether they have been used yet, not whether the theft occurred. Immediate action reduces the exploitation window.

Step 2: Reset credentials and invalidate all active sessions

Force a password reset on the affected account and invalidate all active sessions simultaneously. A password reset that leaves existing session tokens active does not stop an attacker who is already authenticated. Both steps must happen together.

Illustration: dark web monitoring alert response protocol, a five-step flowchart running from treating the alert as an active compromise, through credential reset and device investigation, to MFA enforcement.

Step 3: Audit access logs for the compromised account

Review access logs for the affected account covering the period from when the credentials may have been compromised. Look for logins from unfamiliar locations or devices, unusual data access patterns, changes to account settings or forwarding rules, and any actions inconsistent with normal user behaviour.

Step 4: Investigate the infected device

If the alert originated from an infostealer infection, the device itself must be investigated and cleaned. Resetting the password without addressing the infostealer means the replacement credentials will be harvested too. In serious cases, the device should be reimaged rather than cleaned.

Step 5: Enforce MFA and review access controls

If the compromised account did not have phishing-resistant MFA enforced, apply it immediately. Standard MFA can be bypassed by session cookie theft, so hardware security keys or device-bound authentication should be the standard for high-value accounts. Review whether the compromised account had access to systems beyond what its role required. Our managed IT services include MFA deployment and access control reviews as standard.
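Step 3 is the part of this protocol that benefits most from being scripted, because the indicators it lists (logins from unfamiliar locations or devices, forwarding rule changes, settings changes, abnormal data access) are the same ones every time. The following is an added example, not Exodesk's tooling or any vendor's code: it parses a handful of constructed JSON audit events for a tenant, restricts them to the compromised account and the window since the alert, and flags the findings an analyst would want on the table before deciding whether the stolen credentials have already been used. The field names (`user`, `event`, `country`, `device_id`, `rule.forward_to`) are assumptions for this example; real sign-in and activity logs use whatever schema the identity provider and mail platform emit.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events for one tenant (not real log data).
SAMPLE_LOG_LINES = [
    '{"ts":"2026-03-10T08:02:11Z","user":"j.smith@example.co.nz","event":"signin","ip":"203.0.113.10","country":"NZ","device_id":"LAPTOP-0417","result":"success"}',
    '{"ts":"2026-03-10T08:05:43Z","user":"j.smith@example.co.nz","event":"signin","ip":"198.51.100.77","country":"DE","device_id":"unknown-a91f","result":"success"}',
    '{"ts":"2026-03-10T08:07:02Z","user":"j.smith@example.co.nz","event":"mailbox_rule_created","rule":{"forward_to":"collector@example.net","delete_after":true}}',
    '{"ts":"2026-03-10T08:09:30Z","user":"j.smith@example.co.nz","event":"mfa_method_added","method":"phone"}',
    '{"ts":"2026-03-10T08:12:00Z","user":"j.smith@example.co.nz","event":"file_download","count":240}',
    '{"ts":"2026-03-09T17:40:00Z","user":"j.smith@example.co.nz","event":"signin","ip":"203.0.113.10","country":"NZ","device_id":"LAPTOP-0417","result":"success"}',
    '{"ts":"2026-03-10T08:30:00Z","user":"a.lee@example.co.nz","event":"signin","ip":"203.0.113.11","country":"NZ","device_id":"LAPTOP-0502","result":"success"}',
]


def parse_events(lines):
    """Parse one JSON event per line and return them in chronological order."""
    events = []
    for line in lines:
        event = json.loads(line)
        # "Z" suffix is normalised so fromisoformat() works on older Python versions too
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def audit_account(events, account, window_start, baseline_countries, known_devices,
                  download_threshold=100):
    """Return findings for one account since window_start, in the order they occurred.

    Each finding is {"kind", "ts", "detail"}; the kinds map to the indicators in Step 3:
    unfamiliar_location / new_device (logins), forwarding_rule and mfa_method_change
    (settings changes), bulk_download (unusual data access).
    """
    findings = []

    def flag(kind, event, detail):
        findings.append({"kind": kind, "ts": event["ts"], "detail": detail})

    for e in events:
        if e["user"] != account or e["ts"] < window_start:
            continue  # other accounts and pre-alert history are out of scope here
        kind = e["event"]
        if kind == "signin" and e.get("result") == "success":
            if e.get("country") not in baseline_countries:
                flag("unfamiliar_location", e, f"login from {e.get('country')} via {e.get('ip')}")
            if e.get("device_id") not in known_devices:
                flag("new_device", e, f"login from unrecognised device {e.get('device_id')}")
        elif kind == "mailbox_rule_created" and e.get("rule", {}).get("forward_to"):
            flag("forwarding_rule", e, f"mail forwarded to {e['rule']['forward_to']}")
        elif kind == "mfa_method_added":
            flag("mfa_method_change", e, f"new MFA method registered: {e.get('method')}")
        elif kind == "file_download" and e.get("count", 0) >= download_threshold:
            flag("bulk_download", e, f"{e['count']} files downloaded in one session")
    return findings


def run_audit():
    """Audit the sample account from the start of the day the stealer log alert arrived."""
    events = parse_events(SAMPLE_LOG_LINES)
    window_start = datetime(2026, 3, 10, tzinfo=timezone.utc)  # assumed alert date
    return audit_account(
        events,
        account="j.smith@example.co.nz",
        window_start=window_start,
        baseline_countries={"NZ"},          # where this user normally signs in from
        known_devices={"LAPTOP-0417"},      # devices enrolled for this user
    )


if __name__ == "__main__":
    for finding in run_audit():
        print(finding["ts"].isoformat(), finding["kind"], finding["detail"])
```

Run against the sample data, the audit flags five findings in sequence: a login from an unfamiliar country on an unrecognised device, a forwarding rule created two minutes later, a new MFA method registered, and a bulk download. That sequence is the signature of an account that is already in use by someone else, which moves the incident from "credentials exposed" to "account taken over" and brings the device investigation in Step 4 forward. The earlier NZ login and the event from the previous day fall outside the window or the baseline and are correctly left unflagged.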

What to Look for in a Dark Web Monitoring Service

Not all dark web monitoring services are equal. The gap between a basic monitoring tool and a service that provides genuine early warning is significant. The single most important question to ask any provider is whether they monitor infostealer logs and session tokens — not just breach databases. Most basic tools do not, which means they will miss the most urgent and most common category of credential exposure in 2026.

  • Real-time infostealer log monitoring — stealer log alerts within hours, not days or weeks after credentials appear for sale
  • Session cookie monitoring — not just passwords. A service that does not monitor for session tokens is missing the most dangerous category
  • Executive and high-privilege account prioritisation — alerts for senior staff and accounts with financial or administrative access should be treated as highest urgency
  • Contextual alerts with source information — knowing whether a credential came from a stealer log, a breach dump, or a corporate domain compromise determines the correct response
  • Integration with response workflow — the most effective monitoring connects directly to password reset and session invalidation workflows rather than just sending an email
  • Coverage beyond email — corporate domains, IP addresses, executive names, and supplier credentials all represent exposure that pure email-address monitoring will miss


Exodesk’s dark web monitoring service covers all of the above for South Island businesses, with alerts verified by our team before notification and immediate response guidance provided alongside each alert. For context on how dark web monitoring connects to broader credential security, our password security guide covers the credential hygiene practices that reduce the risk of credentials appearing on the dark web in the first place.

Dark Web Monitoring and the NZ Privacy Act

Dark web monitoring has a direct connection to NZ Privacy Act 2020 compliance that most NZ businesses have not fully considered.

If dark web monitoring reveals that your business’s client or employee personal data has been exposed in a breach — whether through a direct attack on your systems or via a compromised third-party service — it may trigger your Privacy Act notification obligations. A breach is likely to cause serious harm when it involves credentials that could be used for identity theft or financial fraud.

The advantage of dark web monitoring is that it gives you early warning before the harm occurs — enabling you to notify the Office of the Privacy Commissioner and affected individuals proactively, demonstrate that you had monitoring controls in place, and show that you responded promptly when exposure was detected. All three of these strengthen your legal and regulatory position compared to discovering a breach only after the damage is done.


Are Your Credentials Already for Sale?

Exodesk provides dark web monitoring to South Island businesses from our offices in Christchurch and Dunedin. When your credentials appear in a dark web source, our team verifies the data, alerts you immediately, and guides you through the response — credential resets, session invalidation, device investigation, and access log review.

If you have never had a dark web scan run on your business’s email domains and key personnel, it is very likely that some of your credentials have already been exposed. The fastest thing you can do right now is run your business email domain through Have I Been Pwned at haveibeenpwned.com — it is free, takes 30 seconds, and will tell you immediately whether your domains appear in known breaches. What it shows you will tell you whether monitoring is urgent or already overdue. We offer a no-obligation initial scan to show you what is already out there before an attacker acts on it.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions About Dark Web Monitoring

What is dark web monitoring?

Dark web monitoring is the continuous scanning of criminal marketplaces, hacking forums, data dumps, and infostealer channels for your business’s exposed credentials, email addresses, and sensitive data. When your information appears in these sources, you are alerted immediately so you can reset credentials and revoke sessions before an attacker exploits them. Without monitoring, organisations typically only discover compromised credentials after an account takeover or breach has already occurred.

How do business credentials end up on the dark web?

Credentials reach the dark web through infostealer malware that extracts saved passwords and session cookies from infected devices, third-party service breaches where staff used corporate email addresses, large database compilations combining credentials from multiple historical breaches, and shadow IT exposure where work credentials were used on unofficial platforms that were subsequently compromised. Most credential exposure involves no direct attack on your systems at all.

How quickly are stolen credentials exploited?

Research documents stolen credentials being exploited within 14 minutes of theft in some cases. Automated credential-stuffing tools test stolen logins across hundreds of services simultaneously at machine speed. This compressed exploitation window is why dark web monitoring that alerts in near-real time is essential — waiting to confirm a breach before acting is no longer a viable strategy against the current threat tempo.

What is an infostealer and why is it a dark web threat?

An infostealer is malware that silently harvests saved passwords, session cookies, autofill data, and browser credentials from an infected device, then sends them to attacker-controlled servers. A single infected device can yield dozens of credentials across email, cloud platforms, and banking portals. Infostealer packages are sold in bulk on criminal marketplaces within hours of collection. Infostealer cases increased 30% in 2025 with 14% more variants, making them the fastest-growing source of dark web credential exposure.

What are session cookies and why are they more dangerous than stolen passwords?

Session cookies are authentication tokens that web applications store in your browser to keep you logged in. Infostealers extract these alongside passwords, giving attackers the ability to import the cookie into their own browser and access your account without needing your password or completing MFA — because the session is already authenticated. This is why invalidating active sessions is a critical step in any response to a dark web monitoring alert, not just resetting the password.

Does dark web monitoring prevent a breach?

Dark web monitoring does not prevent credentials from being stolen — it detects the theft early enough to respond before exploitation occurs. The prevention happens through the response: resetting compromised credentials, invalidating active sessions, investigating infected devices, and applying MFA. Without monitoring, you typically learn of a compromise only after an account takeover, ransomware deployment, or data breach — when the cost of response is significantly higher.

What should I do when dark web monitoring alerts me to exposed credentials?

Act immediately. Force a password reset and invalidate all active sessions on the affected account simultaneously. Review access logs for the affected account covering the period the credentials may have been in circulation. If the alert came from a stealer log, investigate the originating device for infostealer infection — resetting the password without cleaning the device means replacement credentials will be harvested. Enforce MFA on the affected account if it was not already in place.

Does dark web monitoring cover session tokens and not just passwords?

It depends on the service. Basic dark web monitoring tools scan for email addresses and passwords in breach dumps and do not cover session tokens or infostealer logs. A complete dark web monitoring service in 2026 must include stealer log monitoring — which covers session cookies, saved passwords, and autofill data — because session token theft is now the primary attack vector. Ask any provider specifically whether their service covers infostealer logs and session tokens, not just breach databases.

What NZ Privacy Act obligations does dark web monitoring support?

If dark web monitoring reveals that client or employee personal data has been exposed in a breach, it may trigger NZ Privacy Act 2020 notification obligations when the exposure is likely to cause serious harm. Dark web monitoring supports compliance by providing early warning before harm occurs, enabling proactive notification to the Office of the Privacy Commissioner and affected individuals, and demonstrating that you had monitoring controls in place and responded promptly — all of which strengthen your regulatory position.

How is dark web monitoring different from antivirus or firewall protection?

Antivirus and firewalls protect your systems from attack. Dark web monitoring watches what happens after credentials leave your environment — through breached third-party services, infostealer infections on staff devices, or historical breach compilations. It covers the attack surface that perimeter tools cannot see: the criminal marketplaces where your credentials are bought and sold regardless of how strong your internal defences are. Both are necessary — they address different parts of the threat.

Can dark web monitoring detect if a supplier or third party has exposed our data?

Yes. Effective dark web monitoring scans for your corporate domains and email addresses regardless of which service was breached. When a supplier’s system is compromised and your staff’s credentials — used to access that supplier’s portal — appear in a breach dump, monitoring will detect the exposure even though the breach occurred outside your environment. This is one of the most valuable aspects of monitoring, because third-party breaches are often not disclosed promptly by the affected vendor.

How does Exodesk’s dark web monitoring service work?

Exodesk continuously scans dark web marketplaces, data dumps, hacking forums, and infostealer channels for your business’s email domains, key personnel credentials, and sensitive data. When a match is found, our team verifies the data before alerting you — filtering out false positives and recycled old data. Alerts are accompanied by specific response guidance covering credential resets, session invalidation, device investigation, and access log review. We are based in Christchurch and Dunedin and provide direct support through the response process, not just a dashboard notification.
