Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

Dark Web Monitor data: Why are data leaks decreasing?

Data breaches involve private information leaking onto the internet. The number of breached companies remains high – but fewer users are being affected. In this article, we’ll explain what might be causing this, why the risks remain high, and how you can protect yourself.

Dark Web Monitor data: Why are data leaks decreasing?

What is NordVPN’s Dark Web Monitor?

Let’s start by defining NordVPN’s Dark Web Monitor and how it protects user account safety.

Dark Web Monitor is a cybersecurity feature that runs in the background to help you prevent hackers from exploiting user account information leaked to the dark web.

It scans the dark web for leaks of the email address associated with your NordVPN account and alerts you if and when a leak is detected.

Once you receive an alert, you should immediately take action to protect your information (like securely changing your password on the affected account).

What does the Dark Web Monitor data show?

To understand the changing landscape of data breaches and cyberattacks, we’ve looked at the topline data of Dark Web Monitor. Here’s what the data shows.

The number of attacked companies remains high

According to the Dark Web Monitor data, the number of breached companies per year remains high. The chart below shows breaches increased between 2012 and 2018, with a slight decrease in 2018.

In 2020, the number of breached companies reached a peak at 350. While it is difficult to know the exact reasons why 2020 resulted in so many attacks, it could potentially be linked to the domination of the Coronavirus and COVID-19 scams that year.

Looking at the past two years, the number of attacks on companies hasn’t decreased. However, most of the breaches affected fewer than a million users, potentially because hackers have started targeting smaller companies.

number of breached companies

The number of user records leaked to the dark web has decreased

Despite the high number of data breaches in 2021 and 2022, the Dark Web Monitor data shows that the number of leaked data per incident has decreased since 2020.

NordVPN looked at leaked records per incident. Compared to 2020, the number of leaked records per incident dropped significantly in 2022.

number of breached companies

Let’s illustrate this trend with a few recent examples. Several big, well-known companies experienced data breaches in 2022, with relatively few users affected.

  • Uber. The ride-hailing and food delivery company has been hacked several times over the past years, with the most recent attack occurring in 2022. Uber suffered an internal systems breach but said there was “no evidence” that the hackers had successfully accessed sensitive user data.
  • Revolut. Hackers launched a highly-targeted cyberattack on this popular fintech app in 2022. However, out of the 20 million users, a relatively small portion – 50,000 – were affected by the incident.

Dark Web Monitor alerts: users need to react quicker

NordVPN has also uncovered a shocking statistic: 62% of Dark Web Monitor users still have their personal data on the dark web. These users have received alerts urging them to safeguard their accounts.

Ignoring Dark Web Monitor alerts means your information remains on the dark web, exposing you to serious privacy and security threats.

If you’re unsure how to check for Dark Web Monitor alerts or what to do when you receive them, read this article on using the Dark Web Monitor feature.

Why is leaked data on the dark web decreasing?

We’re seeing this shift for several reasons. Let’s go over those in a little more detail.

Businesses are better at protecting users’ credentials

Companies are doing more to protect customer data, such as using end-to-end encryption for computers.

Businesses are also adopting more cloud security tools allowing them to encrypt data before uploading it to the cloud, monitor end-points, and rank data per risk level.

These practices could be why smaller companies are more affected by data breaches, with larger organizations having more resources and funds they can dedicate to advanced cybersecurity.

Hackers demand a ransom payment instead

Ransomware attacks are an easier way to monetize stolen data. Thus, instead of selling it on the dark web, hackers demand that the breached company pay a large sum to retrieve it.

Several large ransomware attacks have taken place over the years, with the Colonial Pipeline incident being one of the most significant ones.

Open Authentication (OAuth)

Fewer people are using email addresses and passwords to log in, with more logging in with their Google or Facebook accounts. Doing so provides fewer interception opportunities as both Facebook and Google have strong security standards.

More customers are using multi-factor authentication (MFA)

MFA adds an extra layer of security to online accounts, requiring users to verify that they made the login attempt, not someone else. With more users choosing to enhance their account security with MFA, fewer data points end up on the dark web.

The rise of bot sales on the cybercrime market

Instead of purchasing user login details, criminals can now buy bots that include cookies, digital fingerprints, and forms. Doing so gives them more information about the user, making it easier to access their accounts.

What can hackers do with stolen user data?

If hackers gain access to user data during a data breach, they can use it in many ways:

  • Hackers can steal your money. User data may give hackers access to your bank or investment account – and an easy way to steal your funds.
  • Hackers can steal your identity. It’s common for hackers to use stolen user data to open new credit cards, get medical treatment using your health insurance, or file a tax return under your name.
  • Sell your data on the dark web. Cybercriminals may sell or trade information on the dark web for anywhere between $1 to $2,000 (according to Experian).

Dark Web Monitor can help protect your data

While companies must do most of the work to keep your user data safe, you can also take steps to safeguard your account information.

One way to do so is by turning on NordVPN’s Dark Web Monitor. Use it regularly for good digital hygiene — and receive an alert if your data appears on the dark web so you can immediately take action.

Here’s how to enable it on your NordVPN account for continuous monitoring:

  1. Open the NordVPN app.
  2. Go to “Settings” > “Tools.”
  3. Turn on the “Dark Web Monitor” toggle. That’s it!


The data above comes from the Dark Web Monitor feature and only includes breaches with a known incident date. Therefore, it doesn’t reflect the actual number of breaches registered by the Dark Web Monitor in the years listed.

Dark Web Monitor only detects breaches that end up on the dark web. Other breaches occur, but hackers may ask for ransoms and not publish user data on the dark web.

The data mentioned in the article only includes active Dark Web Monitor users. NordVPN looked at the number of leaked email records of active DWM users.