We Are Discontinuing the Dark Web Report

Posted18 days agoActive16 days ago

satertek

162 points

56 comments

support.google.comNewsstoryHigh profile

informativeneutral

Debate

20/100

Business TechnologyDark WebService Discontinuation

Key topics

Business Technology

Dark Web

Service Discontinuation

Google's decision to discontinue its dark web report has sparked a lively discussion, with many commenters weighing in on the reasons behind the move. Some speculate that the report wasn't a revenue generator and was taking up valuable server resources, while others ponder the report's original purpose and the nature of the dark web it monitored. Interestingly, a sideline debate erupted over the status of a website tracking Google's discontinued services, with some claiming it was still active and others joking that the site's team had been laid off. As commenters dissect Google's reasoning, the thread reveals a mix of curiosity and cynicism about the tech giant's priorities.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

10m

Peak period

6-9h

Avg / period

4.6

Comment distribution51 data points

Loading chart...

Based on 51 loaded comments

Key moments

01Story posted
Dec 15, 2025 at 9:56 AM EST
18 days ago
Step 01
02First comment
Dec 15, 2025 at 10:06 AM EST
10m after posting
Step 02
03Peak activity
11 comments in 6-9h
Hottest window of the conversation
Step 03
04Latest activity
Dec 17, 2025 at 12:49 PM EST
16 days ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (56 comments)

Showing 51 comments of 56

9dev

18 days ago

1 reply

Another one for the graveyard!

moebrowne

18 days ago

1 reply

https://killedbygoogle.com/

sunaookami

18 days ago

2 replies

Is this site still updated? Last entries are from 2024, no way Google didn't kill something this year.

mungoman2

18 days ago

1 reply

I hear the team running the site was laid off.

alex1138

18 days ago

The people responsible for sacking the people who have been sacked have since been sacked

extraduder_ire

18 days ago

Looks like it's been updated since you posted this.

I know it's still active because I see someone with that handle posting on bluesky regularly.

eimrine

18 days ago

1 reply

Why was it opened? Is it that dark web where asassination markets and similar stuff happens?

stuaxo

18 days ago

That market was fake, the report on it is really interesting (but the people submitting to it were real).

7bit

18 days ago

3 replies

> While the report offered general information, feedback showed that it didn't provide helpful next steps.

Translation: We don’t actually want to keep spending time, money, and resources on this.

jajuuka

18 days ago

1 reply

That's my read. That it's not a revenue generator and taking server resources that could go to something that is making them money. They've at least added more things to Google One over the past year which softens the blow.

ikiris

18 days ago

Doubtful. The issue is probably the service needs to be moved to some framework that isn't deprecated and being turned off, and no one can justify side projects these days that don't sell an AI product.

nospice

18 days ago

That's not how it reads to me. I think it's more that they feel they can't share enough information to make it useful without compromising their operating methods. Which is an eternal struggle with stuff like that: the bad guys are reading too.

eitally

18 days ago

No, not really. The way this worked is that if they detected personal information on a "dark web" (per their definition -- I have no idea what this actually meant) site, they would show you a report that told you which PII was listed, and it was usually things like your fname/lname, address, phone or location. The problem is that it wasn't actionable [because it was the dark web], unlike their current personal data privacy features and data removal tool.

This is one where I don't blame them for killing it because "it" wasn't really even a product -- it was just a very basic, not useful at all, report.

prepend

18 days ago

3 replies

I found the info not actionable because it wouldn’t say what actual values were posted.

I have a common name Gmail account. The password is rather complex and I would be surprised if it leaks as only I and Google know it. However, I would get reports that it’s on the dark web with blanked out password values. So I never knew if they actually compromised or just something else.

They would also report when some random site that used my Gmail address as user id was on the darknet that I don’t care about. I don’t care if my fidofido account is leaked. I never use it and if I did, then I would reset.

I think if the data were useful Google would have kept this up.

I bet they keep tracking though, just keep the reports internal.

thesuitonym

18 days ago

1 reply

I never got the Google dark web reports, but my credit card used to send me reports constantly saying that my email address was 'found on the darkweb.' Okay, that's not useful information. If it showed me if there were associated passwords, that might be helpful, but just saying my address was found on the darkweb is meaningless. My email address is public information.

The worst part is, it was an email address I hadn't used in about 10 years, and they wouldn't let me take it out of the report.

deepsun

18 days ago

2 replies

Well you could change the email address you use for the financial services only, and keep it secret. Then it would be harder to impersonate you.

placatedmayhem

18 days ago

1 reply

Or, use a service that lets you generate an address for each business you deal with or use case you have so you can treat them as disposable. After chasing down spammers and companies selling my info, including my email, I found this was easier to keep up with and is more effective. Spam me once or sell it to another company, and I burn that address, replacing it with the original company if I really need them to keep in contact.

deepsun

18 days ago

2 replies

I tried to do that but found out there's almost no services that I would want to treat my account there disposable. If I bother to provide them my email address -- I usually also want to access my account there later (e.g check order status).

There are tens of services where I'd like it disposable, but hundreds of services where account is warranted. And some of those thousands will be compromised some day.

Terr_

18 days ago

[delayed]

godelski

18 days ago

You can do this with aliases. For example Firefox's relay (or you can do it with a website and cloudflare). They'll also give you a catchall domain so you can either have generated emails like "adafergtrees@mozmail.com" or "NameOfArbitraryBusiness@deepsun.mozmail.com". If you want to trash an email you can do that too.

thesuitonym

17 days ago

Well, I could, and actually did. Like I said, I couldn't get that email address out of the report.

liquidgecka

18 days ago

1 reply

Yeah.. I have a five letter email that's a common first and last name @ gmail.com. I second everything you said. Getting report hits every few days are useless given how few sites do any kind of validation. :-/

thaumasiotes

18 days ago

1 reply

> I have a five letter email that's a common first and last name @ gmail.com.

What are the common two-letter first or last names?

tczMUFlmoNk

18 days ago

1 reply

Ng, Le, Li, Lu, Wu, Xu, Xi, Fu… come to mind immediately for last names.

For first names… Jo, Ty, Al, maybe?

bobthepanda

18 days ago

If you have a two letter last name you need a three letter first name to make five. Joe, Bob, Sam, etc.

nomilk

18 days ago

5 replies

> I found (it) not actionable

Tangental, but I found 'Have I Been Pwned' useless too because you can't enter your email and find leaked passwords associated with the address, instead you have to enter each password (and repeat for every password you want to check).

I know there's an explanation that the raw password is not being sent and instead being hashed locally and only part of the hash is sent. But I don't know how to verify that and it feels wild to type passwords into a random website. (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)

culi

18 days ago

2 replies

Well of course a hostile actor could use this incredibly accessible resource to test a bunch of emails and find their passwords.

Though perhaps there could be a service where you enter in an email address and it sends an email to that address containing the passwords. That would be a slightly more complicated server to set up though

IAmBroom

17 days ago

OK, I would pay for this service.

It doesn't use any information that's not already exposed.

It reveals the extent of my problem to me.

dpoloncsak

17 days ago

Im 99% sure this is exactly what HIBY used to do, and changed their processes. I'm unsure if this was due to government pressures or what

clarionbell

18 days ago

1 reply

I always thought that it could be reasonably simple to have a safe alternative. Have people enter a SHA256 of their password instead, and match against a database of other hashes.

Almost everyone interested in checking for password leaks knows how to generate SHA256 of a string. And those who don't shouldn't put their passwords on the internet.

Or even better, generate hash for all passwords in the database, package these hashes together with a simple search script and let people download it. That way, you are not sending any information anywhere, and noone can exploit the passwords, because hash is a one way function.

Then again, that download could be really large. I admit I have no idea how much storage would that take. But it's just text, so easily compressible. And with some smart indexing, it should be possible to keep most compressed and only unpack a relatively small portion to find a complete match.

Then again, I have virtually no background in cryptography, could be something horribly wrong with this.

eXpl0it3r

18 days ago

2 replies

That's already what is happening...

When you do a check on https://haveibeenpwned.com/Passwords nothing is sent to the server. Instead the password is hashed locally and a list of the hash range is downloaded, which contains all the hashes and the number of occurrences.

The server doesn't receive the password, neither in plain-text nor hash form.

godelski

18 days ago

1 reply

They meant you submit the checksum instead of your password. Replace "Password to check" with "Checksum to check"

sharperguy

18 days ago

It would be easy enough to add this as a "secret" feature:

* user submits password * gets hashed client side * server compares it against stored hashes * server also re-hashes the stored hash, and compares it against the hash received from the client

This would effectively mean that either entering the password, or the password hash would correctly match, since when entering the hash you are effectively "double" hashing the password which gets compared to the double hashed password on the server.

The upside is that users who don't understand hashing or don't feel like opening a sha256 tool wouldn't have to change their behavior or even be confused by a dialog explaining why they should hash the input, while advanced users could find out about the feature via another channel (e.g. hackernews).

The downside would be that it adds an extra hash step to every comparison on the sever. It's hard to know how expensive this would be for them.

account42

18 days ago

Care to explain how you can tell what scripts gp was sent for the page https://haveibeenpwned.com/Passwords and what scripts he will be sent on future visits?

prajaybasu

17 days ago

Bitwarden's web vaults has a reports feature which allows you to check this in bulk.

yencabulator

16 days ago

[delayed]

nix0n

17 days ago

There's an API[0] that takes a prefix of a hash.

I don't know how to verify what the website does, but I think that in a few minutes I'll be able to put together a CURL call that does what we're hoping the website does.

[0]https://haveibeenpwned.com/API/v3#PwnedPasswords

MinimalAction

18 days ago

1 reply

While this was a free service and thus Google is under no obligation to continue offering this service, this is still quite sad. They could have atleast bundled it for some tier of Google One paid subscription.

therein

18 days ago

It was as inactionable and useless as the ones that ID.me or whatever sends. Also calling it Dark Web report always felt super insincere. It had nothing to do with the "dark web", that just served a way to make it sound cooler and more hackery. Aren't we talking about something that's equivalent to HaveIBeenPwned?

martythemaniak

18 days ago

1 reply

Is there a product that will do go through the vast expanse of accounts you have and either delete them or mass-change their passwords? I basically I wish to shrink my online presence as much as possible, but doing it manually would mean finding all the various accounts I have, logging in, trying to close, etc. Seems like good fit for an LLM browser agent.

rolph

18 days ago

[delayed]

levocardia

18 days ago

1 reply

I might be misremembering this but FWICR on Chrome it would link your saved passwords with the dark web report, and automatically recommend you change any account that had the same password as the "pwned" account found in the dark net. Was pretty useful.

permo-w

18 days ago

Apple has this feature on iOS. no idea where they source the info from, but in your keychain it will say something like "this password has appeared in a data leak"

Mistletoe

18 days ago

The email about this went to my spam folder on Gmail. Ok, come on Google.

password-app

18 days ago

Google discontinuing this is unfortunate timing given the recent breach surge (700Credit, SoundCloud, LinkedIn leak).

Alternatives: haveibeenpwned.com (free), 1Password Watchtower, Bitwarden breach reports.

The harder part isn't knowing about breaches—it's actually rotating passwords afterward. Most people know they should but don't because it's tedious.

Automated rotation tools are emerging but need careful security architecture (local-only, zero-knowledge) to avoid creating new attack vectors.

pluto_modadic

18 days ago

huh. did their source / login get burned?

mholt

18 days ago

Discover (Card/Bank) also announced recently that they are stopping their dark web report service. I wonder if they just used Google, or if it's a coincidence...

bflesch

18 days ago

Can one of the good souls at google please donate the data to archive.org?

xxmarkuski

18 days ago

I set it up for an old Google account that has been breached. It did a relatively good job, but HIBP has more data in my experience, albeit it mainly looks at emails, whereas Google's report can do lookups by full name, address, and phone number. I think it was useful, but did not get enough love to be like a second HIBP.

rolph

18 days ago

[delayed]

kittikitti

17 days ago

The reason their data got leaked was because they were using Google services. The only actionable thing people could do was delete their Google accounts. This move is to hide the inherent security holes in using their products.

5 more comments available on Hacker News

View full discussion on Hacker News

ID: 46275316Type: storyLast synced: 12/18/2025, 2:50:42 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN