Technology reporter Matthew Sparkes thought his passwords and personal data were safe, but a tour of the murkier sides of the internet revealed otherwise
By Matthew Sparkes
20 June 2025
Hackers are after your personal data, for profit
EThamPhoto/Alamy
Make sure you use a good mix of characters. Avoid your pet’s name. Most of all, never reuse a password. We all know the rules for ensuring that the keys to our digital kingdoms remain secure, and we probably all break them – and that is when hackers sweep in to make money from selling your data.
Marketplaces for stolen personal data thrive on the dark web, sites that lie beyond the borders of the regular internet and can only be accessed through software such as Tor, which was originally designed by US intelligence agencies for covert communications. Not everything there is nefarious – BBC News runs a dark web site for people living under oppressive surveillance, for instance – but a lot of it is.
Read more
Smart TVs take snapshots of what you watch multiple times per second
To find out more, I turned to Rory Hattingh, an ethical hacker at a company called Evalian, who spends his time breaking into companies – legally – to test security. He tells me there is an “exceptionally small” chance that none of my private data has been leaked by hackers. I have written about technology for long enough to understand how prevalent data breaches are, but being confronted with the stark reality that this includes me is admittedly a bit of a wake-up call.
Hattingh begins by showing me a website called Have I Been Pwned (a slang term meaning that your data has been compromised), which compiles usernames and passwords shared on the dark web into a single searchable database. I entered my email address and, worryingly, found it had been caught up in 29 hacking attacks.
The most recent happened in 2024, when the Internet Archive was attacked and my email and password were leaked. My details had also been part of 122 gigabytes of user data scraped from thousands of Telegram channels, as well as a database called Naz.API that was originally posted to a hackers’ forum. Other attacks listed involved stolen postal addresses, job titles, phone numbers, IP addresses, password hints and dates of birth from services including Adobe, Dropbox and LinkedIn.