Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

How does dark web monitoring work? 

Dark web monitoring allows you to add a variety of details (identity assets) that you want us to monitor for you on the internet and dark web. When we spot your personal details in a breach, you’ll receive an alert and a detailed breach report telling you exactly what data was found and where, together with suggested next steps to either resolve the breach or ensure it doesn’t affect you again. 

Dark web scanning will also report on other identity assets found in breaches through intelligent association, even if you didn’t explicitly add those to your profile.   

Here’s an example: 

Scenario: A company with your credit card on file has a security breach.  

  1. Defender finds evidence of the breach when it detects your identity asset (credit card) somewhere on the internet or dark web. If the company who had your credit card on file also had your phone number on file at the time of the breach, Defender will pick this up as an associated asset.

  2. Microsoft Defender then automatically aggregates the monitored identity asset (your credit card) and any associated information (your phone number) into an incident alert.

  3. You'll now receive an alert on every device that you're signed into Microsoft Defender on. The alert will also appear on the Microsoft Defender dashboard, and in the Alerts & History page in Defender.

From the alerts you're just a click away from more information and a detailed checklist of things you can do to address the breach and help protect yourself and your family. 

What can we monitor? 

Dark web monitoring can monitor these personal details: 

  • Email addresses

  • Passwords

  • Full name

  • Date of birth

  • Phone number(s)

  • Social Security number

  • National IDs

  • Driver’s license number

  • Medical IDs

  • Mother’s maiden name

  • Passport numbers

  • Bank account details

  • International bank account numbers

  • Credit card details

  • Retail card numbers

  • eBay credentials

  • PayPal credentials

You choose which of these information types you want us to monitor. 

Important: To start monitoring you'll need to tell us at least your email address, full name, and date of birth. 

As mentioned earlier in “How does dark web monitoring work?”, the service will notify you if it discovers a breach that contains any of the pieces of information you have asked it to monitor. Additionally, it may discover other related personal information, such as your home address or the CVV code of your credit card and will report that to you as well. 

How does the restoration service work? 

If you’d like more help after following the recommended next steps (for either dark web monitoring or credit monitoring alerts) you can use the phone number found in the app to speak to a restoration expert who can guide you through the process of addressing the breached details or credit issue and even provide full-service identity restoration services in the event an identity thief is using your personal details to commit fraud. 

How do I get started? 

1. Go to the Microsoft Defender app on your device or the My Defender portal (https://mydefender.microsoft.com) on the web. 

2. Locate the Identity theft monitoring card (if you have not set up identity theft monitoring previously) or Credit monitoring card (in case you previously set up Identity theft monitoring) on your Defender dashboard and select Get started.

3. Follow the steps to create your profile and make sure to read and accept the terms of service. 

4. If you want to set up credit monitoring as well as dark web monitoring, provide your Social Security number when prompted. 

Adding family members in dark web monitoring 

To add a family member, select the Identity Details card, then select their avatar from the top row of the card.  

Family members over the statutory age (13 in the U.S.) need to consent to being monitored before you can add them. 

If the family member you want to monitor has not yet consented to identity monitoring, you'll be prompted to request their consent. 

What do I do when I receive an alert? 

When you get an alert, the product informs you of the data found and gives you a set of recommendations to implement. That list of recommendations works like a to-do list, whenever you've implemented a recommendation, you can click the checkbox to strike it through. This helps you keep track of what you've already completed and which recommendations you have left to do.  

If you need help with any of the recommendations provided, we'll also provide the details to reach the restoration support team. 

At the bottom of the breach alert there are four actions you can take: 

  • Mark as done:  This closes the breach alert and stores it in the breach alert archive.

  • More actions > Save for later:  Closes the breach alert dialog and returns the user to the dark web monitoring details page. Saves the progress on any recommendations marked by the user. You can use this for example when you've taken several recommended steps but need to wait for confirmation or for requested changes to the affected source to take effect.

  • More actions > This info is outdated:  This asks you which identity assets on the breach are no longer relevant. Selecting any of them removes the asset in question from the breach alerts as active (by greying it out), and also prevents the user from being alerted about it in the future. If the user selects all identity assets on the breach, the whole breach is marked as done and moved to the breach alerts archive.

    Note: If you marked any identity asset as "Outdated" by accident you can undo it by opening any active or archived breach containing the asset, clicking the little (i) icon and selecting "You can add it back".

  • More actions > I don't recognize this info:  Similar to This info is outdated, this will allow you to indicate which identity assets in the breach are not yours / you do not recognize as yours. Any selected asset(s) will be removed from the active breached assets on the breach (by greying them out) and will no longer be included in future breach alerts. If the user marks all identity assets on the breach, the whole breach is marked as done and moved to the breach alert archive.

Archived alerts 

You can find any alert you have marked as done or were marked as done by Defender automatically (due to no relevant breached assets being present) in the dark web monitoring Details page or in Alerts & history

You can interact with the archived breach by either clicking the greyed-out breach's title (on the dark web monitoring details page), or by clicking "See details" (in the alerts & history section). Either action will open the archived breach, allowing to see the breached identity assets again. 

At the bottom of this dialog, there are three actions that can be taken: 

  • More options > Undo mark as done:  This resets the breach to an active state while maintaining any previously checked recommendations.

  • More options > I don't recognize this info:  Similar to how this works on active breaches - using this info enables the user to select any or all the identity assets in the breach to mark them as false positives. This prevents the user from receiving alerts about this/these asset(s) in the future.

  • More options > This info is outdated:  Similar to how this works on active breaches. Users can mark any or all assets as outdated to prevent receiving alerts about them in the future.

How to report problems or make suggestions 

We rely on your feedback to help improve this feature, and we encourage you to report any issues you encounter. 

Please submit your feedback through the app or portal by selecting your user icon, then Help and feedback

Give us a clear description of the problem or suggestion, along with specific steps you took when you found the problem. 

Got questions? Get answers! 

Come to the Microsoft Answers community for Microsoft Defender to talk about the app with other people who are using it.  

Learn more 

Getting started with identity theft monitoring in Microsoft Defender 

Credit monitoring in Microsoft Defender FAQ

Protecting yourself from identity theft online

Facebook LinkedIn Email

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×