Defensive OSINT: Auditing Your Own Digital Footprint
Before you can reduce your exposure, you need to know what is exposed.
What the Scammer Already Knew
The call came at 9am. The caller knew Kevin's full name, his home address, the last four digits of his credit card, and the name of his bank.
Kevin assumed a breach. But there was no breach. All of it was assembled from public sources in under 15 minutes: his address from a public electoral register lookup, his bank from a LinkedIn post mentioning a payment dispute, the card digits from a leaked prize draw database, and his phone number from an old forum post from 2018.

The scammer did not need to hack anything. They just knew where to look.
What Is Actually Happening
15 min is all an experienced OSINT investigator needs to build a basic profile of most ordinary people. All from freely available public sources. No hacking required.
Source: SANS OSINT Summit; Trace Labs OSINT research, 2024
14B+ Compromised Records
HaveIBeenPwned tracks over 14 billion compromised accounts from known data breaches. The average person's email appears in 4-5 breaches. Most people have never checked.
Your Address Is for Sale
Sites like Spokeo, Whitepages, and BeenVerified aggregate your address, phone, relatives, and financial estimates from public records and purchased data. Anyone can pay a few dollars to access it.
Most People Never Do
In surveys, fewer than 20% of adults report having Googled themselves in the past year. Old forum accounts, comment histories, and archived profiles are often still indexed and publicly accessible.
Possible but Must Be Repeated
Data broker opt-outs are real but data is re-collected periodically. Removal requests need to be repeated every 6-12 months. Paid services (DeleteMe, Kanary) automate this process for a subscription fee.
What OSINT Actually Reveals About You
Search engine results
Your name + city in Google surfaces old profiles, forum comments, news mentions, and employer directories. Most people are surprised by how much is indexed from accounts they created years ago.
HaveIBeenPwned
A breach check shows which services have exposed your email in a known data leak. Each breach entry tells you what was exposed: passwords, physical address, phone number, or payment data.
Reverse image search
Uploading your profile photo to Google Images or TinEye reveals every site where your image appears - including ones you never posted to, where it was scraped without your knowledge.
Data broker listings
Spokeo, Whitepages, BeenVerified, FastPeopleSearch, and Intelius aggregate your address, phone, relatives, estimated income, and public records. These are accessible without a login.
Public records and property databases
UK Land Registry (search by name for property ownership), electoral register, Companies House (director listings), and court records are all publicly searchable. In many countries, property ownership records are available to anyone who pays a small fee. These are common starting points in targeted fraud research.
OSINT tools used against you
The same tools used by security researchers are used by fraudsters: Google dorking ("site:linkedin.com [your name]"), Shodan (connected devices), PimEyes (facial search), and Maltego (relationship mapping). You do not need to use these tools yourself - but knowing they exist explains how quickly a stranger can build a picture of you.
Social media public view
Log out of your accounts and search your name. What a stranger sees on your public profile is what a scammer or social engineer sees first.
Try It: Personal Footprint Audit
Work through 5 checks and see where your information is exposed. Each finding comes with a specific action step.
What That Just Showed You
1. Exposure accumulates over years. Old accounts, old emails, and old forum handles are still indexed. Most people's highest-exposure content was created when they were least aware of privacy.
2. Removal is possible - but requires repetition. Every removal step is real and effective. But data brokers re-collect data from public records. Opt-outs need to be repeated annually.
3. The most urgent risk is usually breach exposure. A breached password from 2016 is still being used in credential stuffing attacks today. If your email has been in a breach, that specific password - wherever else you used it - is compromised.
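The breach check described above tells you what each breach exposed, and point 3 says which exposure to act on first. The sketch below turns a list of breach entries into an ordered to-do list. It is an added example, not part of the original page: the entries are constructed, the field names (Name, BreachDate, DataClasses) are assumed to follow HIBP's public breach model, and the urgency mapping is this example's own.

```python
import json

# Constructed breach entries; field names follow HIBP's public breach model.
SAMPLE_BREACHES = json.loads("""[
  {"Name": "ExampleForum", "BreachDate": "2016-03-01",
   "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
  {"Name": "ExamplePrizeDraw", "BreachDate": "2021-07-15",
   "DataClasses": ["Email addresses", "Names", "Physical addresses",
                   "Phone numbers", "Partial credit card data"]},
  {"Name": "ExampleNewsletter", "BreachDate": "2019-11-02",
   "DataClasses": ["Email addresses"]}
]""")

# Assumed mapping for this example: data class -> (urgency, follow-up).
# Lower urgency number = act sooner.
ACTIONS = {
    "Passwords": (1, "change it on every service where it was reused"),
    "Credit cards": (2, "ask the bank to reissue the card"),
    "Partial credit card data": (2, "do not accept card digits as proof a caller is your bank"),
    "Physical addresses": (3, "do not accept your address as proof of identity"),
    "Phone numbers": (3, "expect calls and texts that use your real name"),
}
NO_ACTION = 9  # only the email address itself was exposed


def triage(breaches):
    """Return one finding per breach, most urgent first."""
    findings = []
    for b in breaches:
        hits = sorted(ACTIONS[c] + (c,) for c in b.get("DataClasses", []) if c in ACTIONS)
        findings.append({
            "breach": b["Name"],
            "date": b["BreachDate"],
            "urgency": hits[0][0] if hits else NO_ACTION,
            "actions": [f"{cls}: {todo}" for _, todo, cls in hits],
        })
    # Ties go to the older breach: its data has circulated longest.
    return sorted(findings, key=lambda f: (f["urgency"], f["date"]))


def password_rotation_list(breaches):
    """Breaches whose passwords must be treated as compromised."""
    return [f["breach"] for f in triage(breaches) if f["urgency"] == 1]


if __name__ == "__main__":
    for f in triage(SAMPLE_BREACHES):
        print(f["urgency"], f["breach"], f["date"], *f["actions"], sep="\n  ")
```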
Three Things Worth Doing
1. Check haveibeenpwned.com today. Enter every email address you use. Change the password for every service that appears. Use a unique password for each one (a password manager makes this practical).
2. Google yourself in a private window. Search your full name + city. Note everything on the first 3 pages. Request removal of personal details from search results using Google's Results About You tool.
3. Submit opt-out requests to the four largest data brokers. Acxiom, LexisNexis, Spokeo, and Whitepages all have free opt-out processes. The full opt-out guide at privacyrights.org covers 200+ brokers with direct links.
One Question Before You Continue
You deleted a forum account from 2014. Does this mean the posts are no longer publicly accessible?