Are your passwords for sale on the dark web?

By Leah Giesbrecht
Jun 5, 2025
Photo credit: gahsoon/E+/Getty Images

How does your information end up for sale on the dark web, and how can you prevent this from happening in the first place? Get insight from this podcast episode with Anthony Green, CPABC’s manager of security operations and compliance.


Over 24 billion usernames and passwords – by some estimates, that’s the amount of sensitive personal data for sale in cybercriminal marketplaces on the dark web. Does that include your passwords? To discuss common ways your information can end up on the dark web, and how you can prevent this from happening in the first place, we chatted with Anthony Green, CPABC’s manager of security operations and compliance.

How prevalent is this issue in Canada and North America?

Anthony: Passwords for sale on the dark web is a global issue. North America is definitely a target because we were early adopters of this technology and use the internet so frequently, so many users have a large digital footprint. We are also home to some of the largest internet companies. It’s not that North Americans are more susceptible to the issue, it’s because North Americans have been online for so long and use the internet so often.

How do passwords usually end up for sale on the dark web?

Anthony: One of the most common routes is when an organization has poor cybersecurity and they get breached. All of that organization’s usernames and passwords can then be stolen and posted on the dark web. Another common route is when bad actors attack you directly – for example, infostealer malware can be installed on your personal computer when you click on an untrustworthy website. If you have numerous passwords and usernames stored in your web browser’s password manager, like Google Chrome’s or Edge’s, the malware can take that information because it’s not encrypted, it’s stored in plain text.

Once attackers have one of your usernames and passwords, they will try to log into different accounts because many people use the same password across multiple accounts. From there, your information can end up on the dark web, where anybody who pays a few cents or dollars can access it. Whoever buys it can simply log in to your account.

For anyone who’s been on the internet, at least one of their accounts has likely been breached. This isn’t a big problem unless it’s a sensitive account. For example, my Starbucks rewards program isn’t connected to my credit card, so if that gets breached, someone will know how many coffees I bought. Compare that to if my email account were breached – attackers could change all of my passwords, or if they breached my bank account, they could steal my money.

How can businesses evaluate if their information is at risk?

Anthony: Business owners need to ask, “If a non-user (someone who isn’t an employee, client, or member) logs in to our system as a user, what could they do?” If the answer is, “They can just change some account settings,” maybe you don’t need to take action. But if the answer is, “They could do a lot,” the business needs to implement multi-factor authentication for their users. An attacker won’t be able to get into your account by purchasing your username and password from the dark web if you have multi-factor authentication set up. It’s about reducing risk, because any system or device is a potential target.

What’s your guidance specifically for CPAs and their clients?

Anthony: Many CPAs and their clients have their own portals that they log in to. For example, a CPA might work with 15 different clients and each might have a portal they need to log in to when submitting information, which means they might have 15 different accounts. The worst thing a CPA could do is use the same password for all those accounts. If somebody’s targeting that CPA, knows the clients, and knows just one password, now they have access to all 15 of those clients. However, this is a very solved problem – the client can enable multi-factor authentication. On the CPA side, they can use an official password manager like 1Password (a Canadian company) or Bitwarden to securely save the passwords.

What other best practices can we use to protect our passwords?

Anthony: Along with using multi-factor authentication, a password manager, and unique passwords for all your accounts, a good tip is that length beats complexity. A fifteen-character password made of three or four random words put together and a number or special character is significantly stronger than ten random characters. Checking for these factors is a good password security test.
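The checks Anthony lists (a unique password per account, at least 15 characters, a number or special character) can be run over a set of saved logins. The script below is an added example, not code from CPABC or the article; the vault entries and client portal names are constructed for illustration.

```python
# Added example (not from the CPABC article): audits a list of account
# credentials against the article's criteria: a unique password per account,
# at least 15 characters, and at least one number or special character.
# The vault entries below are constructed for illustration only.
from collections import defaultdict

MIN_LENGTH = 15

# Constructed sample: a CPA's logins for several hypothetical client portals.
SAMPLE_VAULT = [
    ("client-a-portal", "Summer2024!"),
    ("client-b-portal", "Summer2024!"),           # same password reused
    ("client-c-portal", "copper-lantern-riverbank-42"),
    ("client-d-portal", "correcthorsebatterystaple"),  # long, but no number/symbol
    ("email", "x7$Qp9!zLm"),                      # ten random characters
    ("bank", "copper-lantern-riverbank-42"),      # reused with client-c
]

def password_findings(password):
    """Return the list of criteria a single password fails (empty if none)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # A character that is not a letter counts as a number or special character.
    if not any(not c.isalpha() for c in password):
        findings.append("no number or special character")
    return findings

def audit_vault(vault):
    """Return {account: [findings]}; sharing a password with another account is a finding."""
    accounts_by_password = defaultdict(list)
    for account, password in vault:
        accounts_by_password[password].append(account)
    report = {}
    for account, password in vault:
        findings = password_findings(password)
        others = [a for a in accounts_by_password[password] if a != account]
        if others:
            findings.append("reused on: " + ", ".join(others))
        report[account] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_vault(SAMPLE_VAULT).items():
        print(f"{account:16} {'OK' if not findings else '; '.join(findings)}")
```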

What red flags indicate that your passwords are at risk?

Anthony: Red flags include receiving emails from a site saying that you have changed your settings, permissions, or other configurations. Another area to keep an eye on is activity logs. With most email providers like Gmail and Outlook, you can see who has signed in and their location. Check your activity logs for your sensitive accounts and make sure only people you know and trust have signed in and that nobody has signed in from a strange location.

If you’re seeing these red flags or you get hacked, change your password and make sure it’s unique and long. Next, consider using multi-factor authentication and a password manager. If you have information that is sensitive, add more layers of security to it to protect it. Hopefully by taking some of these suggestions to heart, your information will be safe and we’ll be seeing fewer passwords on the dark web.
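The activity-log review Anthony describes can be automated once a provider’s sign-in history is exported. The script below is an added example, not code from CPABC or the article: it assumes a simple "timestamp event location" line format (constructed here, not any real provider’s export format) and a baseline of locations the owner recognises, and flags sign-ins from unrecognised locations plus any settings or password change made from one.

```python
# Added example (not from the CPABC article): reviews sign-in activity records
# and flags the red flags the interview names: sign-ins from a location you do
# not recognise, and settings/password changes made from such a location.
# Log format and entries below are constructed assumptions for illustration.
from datetime import datetime

# Locations the account owner actually signs in from (assumed baseline).
KNOWN_LOCATIONS = {"Vancouver, CA", "Victoria, CA"}

# Constructed activity log, one event per line: <ISO timestamp> <event> <location>
SAMPLE_LOG = """\
2025-06-01T08:02:11 sign_in Vancouver, CA
2025-06-01T19:45:30 sign_in Victoria, CA
2025-06-02T03:17:05 sign_in Sofia, BG
2025-06-02T03:19:48 settings_changed Sofia, BG
2025-06-02T08:10:22 sign_in Vancouver, CA
2025-06-03T12:00:00 password_changed Vancouver, CA
"""

def parse_log(text):
    """Parse 'timestamp event location' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, location = line.split(" ", 2)
        events.append({"time": datetime.fromisoformat(ts),
                       "event": event, "location": location})
    return events

def find_red_flags(events, known_locations):
    """Return (severity, time, description) tuples, in log order.

    A sign-in from an unrecognised location is 'medium'; a settings or password
    change from an unrecognised location is 'high', since it matches the pattern
    of an attacker locking the owner out after buying a leaked password.
    """
    flags = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["location"] in known_locations:
            continue
        if e["event"] == "sign_in":
            flags.append(("medium", e["time"],
                          f"sign-in from unrecognised location {e['location']}"))
        else:
            flags.append(("high", e["time"],
                          f"{e['event']} from unrecognised location {e['location']}"))
    return flags

if __name__ == "__main__":
    for severity, when, what in find_red_flags(parse_log(SAMPLE_LOG), KNOWN_LOCATIONS):
        print(f"[{severity}] {when.isoformat()} {what}")
```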

Disclaimer: CPABC does not endorse any of the services or products mentioned in this article. It is the reader’s responsibility to research and review the services and products independently.


Leah Giesbrecht is a communications specialist at CPABC.
