
You're more public than you think: how attackers know everything about you

What an attacker can find out about you in an hour using only public data — and a practical checklist to make yourself a harder target.

If you are reading this, you almost certainly have some or all of your personal details leaked online. Whether via a careless company's data breach or because you accidentally gave it away yourself, the result is the same — you're more visible than you think. For the vast majority of people, publicly available data only poses an increased risk of fraud, but for high-profile targets (for example, employees of a crypto firm) it enormously increases the risk and ease of cyber attacks.

Open source intelligence (OSINT) is the area of security concerned with publicly available data. Whether it's your Facebook account, the Instagram posts of your favourite restaurant, or a forum you posted on in 2013, there's a web of information about you online ready to be harvested. Everything you've ever posted, every public account, every photo you've been tagged in leaves a tiny fingerprint of who you are. When you add data breaches into the mix, an attacker has everything they need to make you their next target.

Before we get to fixing it, it's worth seeing what this actually looks like in practice.

[Diagram: sources (LinkedIn, gardening forum, hobbies, data breaches, UK electoral roll, Instagram, Strava, Facebook) connected to what they reveal about the target "JohnSmith" — email, password, address, partner, kids, daily routine, date of birth.]

How an attacker connects the dots

Imagine an attacker has decided to target employees working at the fictional crypto company SuperCoin. They start where you'd start: LinkedIn. Fortunately for our attacker, the operations manager John Smith's profile is fully public — name, employer, job title, the city he lives in, the university he went to, and, most importantly, his email address.

We plug the email into any data breach search engine and find a 2018 forum dump that leaked his password and full home address. Cross-reference the address against the UK electoral roll: it returns the name of John's partner. Her Instagram is open. Photos at the gym, a recent holiday, and tagged shots of two children whose names appear in the captions. Their school is visible in the background of one shot.

The same Gmail address is also registered with several public accounts, including social media and fitness apps. Facebook gives us a full date of birth and confirms the same information from LinkedIn. A public post on a gardening forum from 2013 confirms his hobbies — a seemingly meaningless detail but useful for phishing.

Meanwhile John's Strava is public; his daily run, at the same time every day, maps right to his front door. By the time the attacker has spent an hour, they know where he works, where he lives, who he lives with, where his kids go to school, what time he leaves the house, and a password he probably still uses. They haven't broken anything, looked at anything private, or paid for any data. Every piece was sitting in plain sight, waiting to be connected.

Our attacker now has a comprehensive background on their target and can use it to plan a targeted cyber attack.

What you can do

The good news is that most of it is fixable, and most of it is free. Here's the playbook:

  1. Audit what's already searchable — five minutes with Google, in private mode.
  2. Lock down what you've published — social media, fitness apps, public records.
  3. Check what's been leaked — HIBP, password reuse, breach notifications.
  4. Untangle what's been collected — the data-broker industry.
  5. Read the conclusion — the four things to keep doing.

Start by Googling yourself

You'll be surprised how much information about you is just a simple Google search away. Open a private browsing window so personalisation doesn't skew the results, then run a few searches:

  • Your full name in double quotes — "Firstname Lastname" — to force exact matches.
  • Each email address you use, also in quotes.
  • Your usernames and phone number, if you've ever used either publicly.

If you have found your entire life story online already, don't panic! There are many steps we can take to reduce your online fingerprint.

Clean up your public profiles

Your Google search was probably worrisome, but there are easy steps to follow.

  • Social media. Walk through every account and lock down what's public. Ensure your social media accounts are private and your posts/photos and personal data (especially date of birth) are only visible to friends/followers.
  • Fitness apps. Strava in particular — public activity feeds map your gym, your commute route, and the road outside your house. The Pentagon learnt this the hard way in 2018 when Strava's global heatmap inadvertently revealed the location, layout, and patrol patterns of forward operating bases across Syria, Iraq, and Afghanistan — traced from the running routes of off-duty soldiers. Set activities to followers-only and add privacy zones around your home, workplace, and gym so no map data is published from those areas.
  • Linked usernames. Reusing the same handle across services lets attackers stitch profiles together in seconds — including accounts you joined once in 2014 and forgot about, still searchable and often still public. Search your usual handles in Google to surface old accounts, then use JustDeleteMe to close the ones you don't want any more.
  • Job-board profiles. Public profiles on LinkedIn, Indeed, and Reed are an OSINT goldmine — full job history, employer locations, contact preferences, and "open to work" status, all without needing an account. If you've also attached a public CV, that piles on full contact details, education, and exact dates. Lock the profile down (or set it to recruiter-only) once you've found a role.
  • Google reviews. Lower priority, but a surprising amount of personal context leaks here — the gym you go to, the GP you visit, the takeaway near your house. Either anonymise the account or delete reviews that map your routine.
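The privacy-zone setting above is worth understanding mechanically, because the radius you choose is the trade-off between a useful map and a hidden front door. The following is an added example, not the post's or Strava's own code: it takes a constructed GPS track (arbitrary central-London coordinates, one point roughly every 140 m heading east from a "home" point) and drops every point inside a 500 m zone before the activity would be published. The haversine formula and Earth radius are standard; the track, the zone and the function names are assumptions for illustration.

```python
"""Simulate a fitness-app 'privacy zone': strip GPS points that fall within a
radius of a protected location (home, work, gym) before an activity is shared.

Added example, not code from the original post. The track and zone below are
constructed; a real app would apply this to the recorded activity file."""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def apply_privacy_zones(track, zones):
    """Return only the points of `track` that lie outside every zone.

    track: list of (lat, lon) tuples in recording order.
    zones: list of (lat, lon, radius_m) tuples, one per protected location.
    """
    return [
        p for p in track
        if all(haversine_m(p[0], p[1], z[0], z[1]) >= z[2] for z in zones)
    ]


# Constructed run: starts at "home" and heads due east along a line of latitude.
# At 51.5 N, 0.002 degrees of longitude is about 138 m, so consecutive points are
# ~138 m apart; the first four fall inside a 500 m zone, the fifth (~554 m) does not.
HOME = (51.5000, -0.1200)
SAMPLE_TRACK = [(HOME[0], HOME[1] + 0.002 * k) for k in range(10)]
ZONES = [(HOME[0], HOME[1], 500.0)]  # 500 m privacy zone centred on home


def published_points(track=SAMPLE_TRACK, zones=ZONES):
    """What a follower would actually see once the zone is applied."""
    return apply_privacy_zones(track, zones)


if __name__ == "__main__":
    kept = published_points()
    first = kept[0]
    print(f"{len(SAMPLE_TRACK)} points recorded, {len(kept)} published")
    print(f"first published point is {haversine_m(*HOME, *first):.0f} m from home")
```

Note the caveat a hard cutoff leaves: a run that always starts and ends at a neat gap still tells an observer roughly where the hidden spot is. A zone larger than strictly necessary, or one not centred exactly on your door, hides more than a tight circle does.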

Note

If you are still overwhelmed with panic about your online presence (like I once was) you can take the nuclear option and submit GDPR erasure requests to any companies you're concerned about. The General Data Protection Regulation (GDPR) is legislation designed to protect your data and is a powerful tool for privacy-conscious individuals.

What's been leaked: Have I Been Pwned

Have I Been Pwned is the easiest place to start. Type in your email and you'll get back a list of every public breach it's appeared in. You will probably already appear in a breach, but the count is not important — it's what was breached that matters. A breach that leaked your password, date of birth, or address is a different problem to one that leaked your name or favourite hobby.

Two things to do once you've looked yourself up:

  • Sign up for breach notifications, so you find out from HIBP rather than from a stranger.
  • Treat any password from a breach as compromised. If you reused it anywhere — and most people have, at some point — change it everywhere it lives. A password manager makes this dramatically less painful.
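Checking whether a password has been leaked should never involve sending the password itself to anyone. Have I Been Pwned's Pwned Passwords service solves this with a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known leaked hash suffix sharing that prefix, and does the final match locally. The block below is an added example, not code from the original post or from HIBP; the network call is replaced by a constructed in-memory response (`fake_fetch_range`, with made-up counts) so it runs offline, and the helper names are assumptions. A real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` in place of the stub.

```python
"""Leaked-password check using the Pwned Passwords k-anonymity range scheme.

Added example, not code from the original post. Only a 5-character hash prefix
would ever leave the device; the 35-character suffix is matched locally."""
import hashlib
from typing import Callable


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Prefix (sent) and suffix (kept local) of a 40-char hex SHA-1."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, one per leaked hash sharing the prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def passwords_to_rotate(passwords: list[str], fetch_range: Callable[[str], str]) -> list[str]:
    """Every password seen at least once; each needs changing everywhere it was reused."""
    return [p for p in passwords if breach_count(p, fetch_range) > 0]


# Constructed stand-in for the network call. The "5BAA6" bucket holds the real
# suffix of SHA-1("password"); the counts and the second suffix are made up.
FAKE_RANGE_STORE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "0000000000000000000000000000000000A:2\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Hypothetical stub; a real client GETs the range endpoint with this prefix."""
    return FAKE_RANGE_STORE.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ["password", "a long unique passphrase 8f2k"]:
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times")
```

The important property is in `breach_count`: the server learns a prefix shared by hundreds of unrelated hashes and nothing else, so even the lookup service cannot tell which password you were checking. Anything that returns a non-zero count belongs on the "change it everywhere" list.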

Tip

A password manager (1Password, Bitwarden) makes it easy to use a unique, long, random password for every account — and you only ever need to remember one master password. This is daunting at first, because you won't 'know' your own passwords, but it makes breaking into your accounts much harder and breaches less of an issue.

What's been collected: data brokers

Beyond the breaches, there's an entire industry quietly assembling profiles of you from public records, marketing exhaust, and resold app data. These are the data brokers — companies like Spokeo, BeenVerified, and dozens more — and they'll happily sell a packaged dossier of your address history, phone numbers, and known associates to anyone with a credit card.

Each broker has a removal process. They're all different, all annoying, and most need re-running every few months as the brokers re-harvest the same data. Services like Incogni automate the process: they file the takedowns on your behalf, on a recurring schedule, and give you a dashboard of what's been removed and what's still pending. I personally use Incogni for my entire family, and you should see a lot fewer spam calls after signing up.

Conclusion

You can't disappear from the internet, but you can be inconvenient. Attackers work through lists, and if it takes them an hour to assemble your profile instead of five minutes, most move on to the next name — so the goal is to be the next name, not the first.

If you do nothing else this week:

  • Audit your public profiles — social media, fitness apps, job boards — and lock down anything beyond your name and current role. The defaults are nearly always too permissive.
  • Sign up for Have I Been Pwned notifications, and treat each new alert as a prompt to lock down whichever account was hit.
  • Use Incogni (or work through brokers manually) to pull your records back from the data-broker industry. Re-run every few months — they re-harvest.
  • Set a calendar reminder for six months from now to spend five minutes redoing all three.