What it actually queries
Breach monitoring services index publicly leaked credential dumps — some from the open web, some from paste sites, some from Telegram channels and forum posts. Very little is truly 'dark web' in the Tor sense.
How matching works
Good services use k-anonymity hashing: your browser or client sends only the first five hex characters of the password's SHA-1 hash, receives every stored hash suffix that shares that prefix, and compares against them locally. Your password never leaves the device, neither in plaintext nor as a complete hash.
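The k-anonymity lookup described above, written out as an added example (not code from the original page or from any monitoring service). It assumes the "SUFFIX:COUNT" response format used by the Have I Been Pwned Pwned Passwords range API; the network call is replaced by a constructed stand-in so the check runs offline, and the counts in it are sample values, not real breach statistics.

```python
import hashlib
from typing import Callable

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the device


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the prefix that is
    sent to the service and the suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range lookup returns for one prefix.
    Malformed lines are skipped; a non-numeric count is treated as 0."""
    matches: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            matches[suffix.upper()] = int(count) if count.isdigit() else 0
    return matches


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the indexed dumps (0 = no hit).
    fetch_range receives only the 5-character prefix; the suffix match is local."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service: one range with the suffix of
# SHA-1("password") plus an unrelated made-up suffix. Counts are sample data.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
             "0A3CA8B2FEC8F0F9D7B0B2F2B1E1D1C1A1B:2\n",
}
REQUESTED_PREFIXES: list[str] = []  # records what would have gone over the wire


def fake_fetch_range(prefix: str) -> str:
    """Hypothetical transport: returns the constructed range for a prefix."""
    REQUESTED_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(check_password("password", fake_fetch_range))  # → 1234
    print(REQUESTED_PREFIXES)  # only 5-character prefixes were ever sent
```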
What it catches
Credentials that have appeared in known dumps. That's it. It does not detect active account takeover, session hijacks, or credentials sitting in private criminal marketplaces that never get dumped publicly.
What it misses
Anything from a breach that hasn't leaked yet, anything in a closed criminal channel, device-based session theft via infostealers (which is now the dominant vector), and API keys or service tokens that aren't stored as passwords.
How to act on an alert
Rotate the password immediately and anywhere you reused it. Enable MFA if absent. Revoke active sessions. Enable a passkey if the service supports it. Don't panic — an old leak is not an active breach.
Best practices
Combine breach monitoring with a password manager that enforces uniqueness, phishing-resistant MFA (passkeys or FIDO2), and a credential rotation policy tied to breach alerts.