Security Google

Google Brings Dark Web Monitoring To All US Gmail Users (bleepingcomputer.com) 28

At Google I/O on Wednesday, Google said that all Gmail users in the U.S. will soon be able to discover if their email address has been found on the dark web. The dark web report security feature will roll out over the coming weeks, and will be expanded to select international markets. BleepingComputer reports: Once enabled, it will allow Gmail users to scan the dark web for their email addresses and take action to protect their data based on guidance provided by Google. For instance, they'll be advised to turn on two-step authentication to protect their Google accounts from hijacking attempts. Google will also regularly notify Gmail users to check if their email has been linked to any data breaches that ended up on underground cybercrime forums.

Dark web report started rolling out in March 2023 to members across all Google One plans in the United States, providing a simple way to get notified when their personal information was discovered on the dark web. "Google One's dark web report helps you scan the dark web for your personal info -- like your name, address, email, phone number and Social Security number -- and will notify you if it's found," said Google One Director of Product Management Esteban Kozak in March when the feature was first announced. The company says all the personal info added to the profile can be deleted from the monitoring profile or by removing the profile in the dark web report settings.

This discussion has been archived. No new comments can be posted.

  • by youn ( 1516637 ) on Thursday May 11, 2023 @09:49PM (#63515399) Homepage

    With all the sites that have been hacked, at this point, you can assume your email is on the dark web if you have used any of the major sites.

    Change your password if you haven't done so in a while, do so regularly. Expect to have more and more sites to go belly up and more regularly. I strongly recommend you don't reuse the same password.

    I am not really sure how much additional security this additional monitoring brings. Sure, it's good to know where your address has been compromised... but those are the ones we know about and most of the time, it says "Email has been compromised"... it's amusing to see how many times at this point.

    • by sound+vision ( 884283 ) on Thursday May 11, 2023 @11:02PM (#63515475) Journal

      This isn't really about security. Like you, I assume my email address (at a minimum) is all over lists being sold on the dark web. I'm not worried about it because I have a good password, never reused anywhere, not even entered into a password manager. I haven't even turned on 2FA, and I'm not afraid to say that publicly on Slashdot.

      What this is about is Google getting to associate, strongly and verifiably, your email address with your phone number.

      • by youn ( 1516637 )

        It's nice you're not reusing passwords and you are changing them regularly, I like it.

        With that said, even with a good password, if they take down the whole master encrypted database, you could still be in danger due to the way hashes work. So, I would still recommend 2FA (Even with it, under some circumstances you are in danger but as much of a pain it is, there are still risks). I have on multiple occasions seen good phishing attacks, tailored to the target which were successful, even if the user was tech

      • What this is about is Google getting to associate, strongly and verifiably, your email address with your phone number.

        I agree with you but it is worth noting that Gmail supports multiple additional login types / 2FAs. Phone/SMS, secondary email, passkeys.
        The fundamental problem with a lot of online services is that they don't require an account name. My email address, something I share freely is not what I want to use for an account name (something that should be private). It's also what needs to be changed for dumb things like SSNs. Numbers should be public but how I prove that number belongs to me should be very pri

    • by hey00 ( 5046921 )

      With all the sites that have been hacked, at this point, you can assume your email is on the dark web if you have used any of the major sites.

      Not necessarily, if you use several different addresses and only use your "real" one for limited important accounts. According to haveibeenpwned, my trash addresses are indeed everywhere on the darkweb, but my real one isn't. Or more accurately, isn't in any of the breaches hibp is aware of. I still act as if it was though.

      By the way, isn't the google "feature" just a copy of haveibeenpwned?

      • by youn ( 1516637 )

        Kudos to you using throw away addresses, it's a good habit.

        With that said, this is not failproof.

        Your email address is still very likely available on hacker databases and if it isn't it is likely a matter of time... unless you haven't used it at all, you are not communicating with anyone else that has your address in their address book, etc... and if so why do you have an email address in the first place lol

    • Change your password if you haven't done so in a while, do so regularly.

      I think this is bad advice. My advice is simpler: Use a unique password for your email. Never use this password on any other login. Change your email password now if you have used the same password elsewhere.

      Then, add monitoring of your email address through the "Have I been pwned" site.

      • by youn ( 1516637 )

        I like monitoring your email address any way you find best and you are entitled to your own opinion.

        I also agree, definitely change your password if you have reused your email password somewhere else.

        With that said, my previous message is GOOD advice and it's one thing that most security professionals can agree on... and it's hard to get them to agree on anything lol

        *I'll say it again, change your passwords regularly, don't reuse passwords, as annoying as it is.* (for multiple reasons)

        Even if it is

        • With that said, my previous message is GOOD advice and it's one thing that most security professionals can agree on... and it's hard to get them to agree on anything lol

          Not any more:
          https://www.packetlabs.net/pos... [packetlabs.net]
          https://www.ftc.gov/policy/adv... [ftc.gov]
          https://arstechnica.com/inform... [arstechnica.com]
          https://www.ncsc.gov.uk/blog-p... [ncsc.gov.uk]

          • by youn ( 1516637 )

            Basically what they say is that when they have guessed one transform, they have a better chance of guessing other transforms, which doesn't say it is a bad idea to change passwords.

            From the ftc article you pointed at,
            "If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password."

            I'm sorry it does make me feel better with the increased password vaults that have been cracked, constant breaches and it's not just the ones from the dark

  • by Dictator For Life ( 8829 ) on Thursday May 11, 2023 @09:52PM (#63515401) Homepage
    My kingdom for an editor. sigh
  • now that the horse has bolted.

  • ... the profile can be deleted from the monitoring ...

    This sounds useful but it breaks the 'don't trust a cloud service with ...' your PII, rule.

  • they don't like the competition.
  • Deep web monitoring when?

  • First, it was "Don't be evil", then it became "see no evil, hear no evil", and now they admit that there is no evil they are not personally involved in.
  • I thought that dark web was sites not crawled by (out of reach of) search engines.
    How does Google see them?
    • by Anonymous Coward

      they crawl a couple then announce headlines

      like journalists know the fscking difference

  • Those whose VPN-Exit is in the US?

  • I get notifications frequently that my email is compromised! The problem is, they don't tell me from what site it was compromised. I have the same email address all over the place, but use strong, discrete passwords wherever I have banking or credit card info stored - which I try to avoid. So what is most likely compromised is a weak password that I use more commonly, which is unimportant as those sites aren't much more than social media/message boards and stuff that I don't care about.

    I expect this G
  • by Nkwe ( 604125 ) on Friday May 12, 2023 @12:53PM (#63516855)
    I thought that the "Dark Web" generally referred to content on the Internet that isn't indexed by the major search engines - content that you can't search for, discover, or access with common tools. If Google knows that an email address is on the dark web, then Google is indexing and crawling the dark web. If Google is indexing the dark web, why is it still dark? Is Google intentionally hiding the contents and keeping it dark? Could you say that Google is a participant in the dark web? Inquiring minds want to know...
    • by leets ( 10372554 )
      Just saw the series "Hacking Google" on YouTube.
      The Google Security Team has an internal version of Google Search showing all the sites Google removed due to malicious content.
      These sites/links are not shown in the Google Search seen by the ordinary public.
      These sites might be what Google is calling their "Dark Web".
  • Can someone tell me how to get on the dark web? I really want to check it out.

  • This is still a paid thing for some anti virus services in 2023. The fact that Google is doing this freely means that even the old school TOR for the government net is so safe it's like agitation propaganda with Bitcoin in 2009 if they say things are so bad now. Great but also not so great because that means the internet is officially from unofficially fully controlled.
    • This is still a paid thing for some anti virus services in 2023. The fact that Google is doing this freely means that even the old school TOR for the government net is so safe it's like agitation propaganda with Bitcoin in 2009 if they say things are so bad now. Great but also not so great because that means the internet is officially from unofficially fully controlled.

      Argh I mean it's still a paid plan though really close to being free so again internet is secure lol
