The amount of information openly available on the internet about any given individual is staggering.
More and more, privacy and online security are brought into the limelight and people are becoming more protective of their online presence. We urge our family, friends, and colleagues to follow general safety guidelines such as to use complex passwords, change them often, turn off geolocation services, and set profiles to private.
These are great practices, but most still don’t realize that even for the most careful and private among us, the internet makes available information which can be detrimental to our safety if it falls into the wrong hands.
The most easily accessible information is known as publicly available information, which comes from sources such as social media and public record data web pages, including “background check” pages, voter registrations, property records, etc.
These pages are where an attacker can retrieve information such as names, addresses, phone numbers, email addresses, usernames, relationships, and more.
Any one piece of information can be a loose thread in a person’s privacy sweater, and with so many free websites providing the information - all the attacker has to do is start pulling.
In most cases, social media and free ‘people search’ websites provide everything a would-be attacker might want. In a couple hours, the attacker could identify where their target lives, where they work, who they are close to, contact information, even their interests and hobbies to use in building rapport with the target or those close to the target.
The Danger of Aggregation
Beyond surface-level publicly available information, it is important to recognize how aggregate information can help to form a more holistic information portfolio.
A selfie on one’s porch or even with a window in the background may seem harmless, but it can be all the information needed to verify a residence. Information sites may return only partial, old, or incorrect addresses which can be verified with satellite imagery and street views based on identifying characteristics found in online photos.
Similarly, other information can also be found or verified through aggregation utilizing online account functions. Many online accounts will display contact information such as email addresses or phone numbers on the login or account recovery page. In most cases, these functions lead to discovery of additional information not included on information pages, such as secondary or alternate emails and phone numbers.
All of this available data not only puts our physical safety at risk, but also our digital safety, which can include online shopping or banking accounts.
We recently encountered someone who kept a low social media profile and likely thought their online presence was fairly safe. They did a great job of keeping their social media presence hidden and private, but their personal information still existed on information websites and elsewhere online.
With the available information we were able to identify their residence, contact information, and the same for their spouse and close relatives.
What’s worse is the recovery email for their primary personal use email was discoverable, and only required answering a security question to gain access. The answer to this security question was also easily discoverable with a simple search on Google.
At this point, an attacker could have gained full access to this person’s life once into this one email account. Luckily for this person, we found these vulnerabilities before someone else did.
There are ways to have most of this information removed before bad actors can retrieve it.
Most information sites will remove data upon request, and street view and overhead imagery services such as Google Maps will usually blur locations on request as well.
The key is to get ahead of any threat actors and have the information removed before it is discovered, because once the information is on closed forums and in doxx communities, it is likely never going to be removed.