A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed

The internet never forgets information that we post online - and, as I discovered, old information can come back to haunt you.
Written by Danny Palmer, Senior Writer

The internet does not like to forget. 

Many of us know this, or at least it's something that's in the backs of our minds as we post updates to Facebook, share photos on Instagram, detail little insights into our daily lives on Twitter, and enter our personal data into a variety of other social media platforms and online services. 

But now I can see that it's really true, for me at least.

For years, I've been writing about cybersecurity, so I'm aware of the risks around personal information being shared online and how valuable our sensitive data can be to cyber criminals – as I wrote about when someone tried to use my stolen bank details over 4,500 miles away.

It's why I'm careful with what I sign up to, what I post, and who can see it. I make sure that my passwords are complex enough so they can't be guessed, plus whenever possible, I use multi-factor authentication to protect my accounts. 

These are all habits I've developed during the past 10 years or so. 

But prior to that, I was much more naive about putting personal data online, particularly when I started regularly using the internet, after getting a home computer for the first time as a teenager in around 2001. 

This access opened a lot of worlds to me. I was part of gaming clans, I got my first taste of social media with MySpace, and I joined various online forums, posting comments and talking with people with similar interests – later, even meeting other users in person at group meets. 

Back then, security and privacy didn't really cross my mind. Gradually, as I got older, and went to university, found and changed jobs, moved to different cities and found new hobbies, I didn't post on the forums anymore, and eventually I forgot about them. 

Which is why it was startling when someone showed me how easy it was to find my username for a particular forum – and linked to a thread from the bulletin board containing almost two-decade-old photos of me from a forum meetup. These old photos were innocent enough – just group photos from a London pub – but I had completely forgotten they existed, yet there they were still sitting on the open internet. 

It was strange to see them and think about how they'd been sitting online for almost 20 years – and for a savvy cyber sleuth, that account could provide a pathway to finding out all sorts of other information about me and my online habits – and as I discovered, it does.

Fortunately for me, it wasn't anyone with ill intent who'd been digging around my online history, but rather Jack Chapman, VP of threat intelligence at cybersecurity company Egress. But it gave me an insight into how this long-forgotten online profile – and other aspects of my digital footprint – were out there on the internet and how they could be abused. Because while finding old data about me had nostalgia value, in the wrong hands and against a different person, such information could be the key to unlocking a whole lot more.

"We're in the age of data and that data can easily be held by people with nefarious means," Chapman told me. 

So how was it possible to track down an old forum account, along with a bunch of other information, and tie it to me?  

It starts with something that, unfortunately, has happened to almost anyone who has online accounts – being involved in a data breach, where hackers have broken into online services, stolen and then leaked email addresses, passwords, contact information, credit card details and other sensitive personal data.  

It was one of these elements that was the first step to tracking down long-forgotten aspects – or so I thought – of my online footprint. 

If you're using the internet, it's highly likely that you have at least one personal email address. It's what we use to sign up for various services – and there can potentially be hundreds of those, even if we only use them once before forgetting about them. And that information doesn't go away. 

I have a personal email address that's been active for almost 20 years, which has been used to sign up for many different websites and online services. Unfortunately, a number of those services have ended up being breached by cyber criminals and information about the accounts pasted online.  

According to HaveIBeenPwned, that email address has been in at least 14 different breaches over the years, exposing linked information including my name, online usernames, passwords and more.  

Some of these were huge data breaches that exposed the information of millions of people, such as May 2016's LinkedIn data breach that exposed 164 million email addresses and passwords, or January 2019's Collection 1 dump, a massive set of leaked and stolen data that contained 773 million usernames and passwords. 

Chapman was able to use that information as a jumping-off point to search for personal data about me available online that malicious cyber criminals could potentially use against me – and it was a shock to hear him read out some of my old passwords to me. 

In most cases, I knew these passwords had been revealed in breaches and previously made the effort to change each one to a unique new password. But 10 to 15 years ago when I was more naive about using the internet, I used the same password across multiple different online accounts – which meant if one account was breached, the others were also vulnerable to being hacked.  

Cyber criminals often take advantage of the way people re-use the same password. For example, someone using one password on their personal email account and the same one for their corporate account could potentially provide cyber criminals with a route into a corporate network. Alternatively, if your username and password for your email is the same as your username and password for your bank, cyber crooks will quickly discover and exploit this loophole. 
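Two of the defensive checks this piece leans on, written here as an added example (not the article's or HaveIBeenPwned's own code): a Pwned Passwords-style k-anonymity lookup, where only the first five characters of a password's SHA-1 hash would ever be sent to the service, and a scan of a set of accounts for shared passwords. The range response and account list are constructed inline so the script runs offline; the endpoint URL is the real Pwned Passwords range API and is included for reference only.

```python
"""Breach-exposure and password-reuse checks (added example, runs offline).

Pwned Passwords k-anonymity: the client hashes the password with SHA-1,
sends only the 5-character hex prefix, and receives every known suffix
sharing that prefix as 'SUFFIX:COUNT' lines. The match is done locally.
"""
import hashlib

# Real endpoint, for reference only; this script never performs a request.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the service's reply to prefix 5BAA6 (SHA-1 of
# "password" starts 5BAA6...). Counts are made up for the example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
01330C689CCF0B3A56EC2F2E9B3B4A49C9E:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the range; 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def reused_password_groups(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share a password (groups of two or more).
    Accounts are bucketed by a SHA-256 of the password so the plaintext is
    not carried into the result."""
    by_hash: dict[str, list[str]] = {}
    for name, password in accounts.items():
        key = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_hash.setdefault(key, []).append(name)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)
```

In a real check the prefix from `sha1_prefix_suffix` would be appended to `PWNED_RANGE_URL` and the response body handed to `breach_count`; a non-zero result means the password should be retired everywhere `reused_password_groups` shows it in use.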

Some of the breaches of my details involved some of my old online usernames related to forum accounts and online-gaming handles. By combining that information with my name and email address, it was possible to locate an old forum profile – particularly as it turned out I'd long forgotten that I'd written blogs for one of these websites, which linked my real name and user profile name together.  

It was via this profile that Chapman was able to find my old forum posts, including those in the photo thread that I'd forgotten about until now – because my username was in the title for the forum thread. It was very weird seeing how someone could use leaked information to track old photos of me.

This particular bit of online history was from 2005, when I hadn't really considered online privacy as an issue. And yet over 15 years later, a determined attacker could use these – as it turned out – very public details to try to gather information about me that could be used to break into accounts or attempt to carry out phishing attacks designed around my habits. 

But at least I remember posting on these forums – what was worrying was how a database of breaches, which my old email address had been involved in, included various websites I don't even remember signing up for or using. 

One of these that stood out was a data breach of online game Stronghold Kingdoms in July 2018, exposing usernames, passwords and email addresses. I've heard of the game but don't remember ever signing up to play it. It's possible I did, or given the nature of games, that the studio behind it was acquired or merged with another studio, which created a previous online game I played years before. Yet my username and password were exposed in this breach. 

And from there, Chapman was able to link to another data breach, at a website called Zoosk. This is another site I have no memory of at all, but it turns out to be a dating website that I apparently used in about 2010 – and that data breach gave away my date of birth and the city I was living in at the time. 

Further analysis of the breach even linked it back to an IP address and an internet provider. This was a location I haven't lived in for over a decade now, but it was still unnerving to see how information on a website could be used to ultimately help trace the geolocation of where I was at the time.  

All of this is sensitive information that cyber criminals could use to build a better picture of targets and to gain as much from them as possible – and, in this case, as much as possible about me. 

"By having more information, it allows an attacker two key advantages – first, it allows them a better understanding of your life and work. This allows them to tailor their attacks to improve their credibility and likelihood of success," says Chapman.  

"The other opportunity is that it offers them the chance to understand your 'social network' both on a personal and work front. This is often used for robust targets, where they initially breach a more vulnerable victim in their target's close network". 

In my case, that 'social network' attack would involve a cyberattacker spying on people I know or hacking their accounts to gain more information about me. If I thought an email was really sent from a friend, I might be more willing to open links contained within it. A cyber criminal who controlled that account could use that link to deliver malware or carry out other nefarious activities.

Some of the breaches my data has been exposed in are over a decade old. And the problem is that once that data is out there, it's not going away. While it's possible to change passwords, for other information – such as your name, address, online username and email address – it isn't really possible. 

Our email address is often the key to our online lives. We use it to log in to social networks, banking, shopping and many other online services. Most of us stick to the email address that we've used for many years, because we're used to it, and it's tied to so many things we use every day. 

That makes it difficult to alter – imagine having to go around dozens of your online accounts and in each case going through all the steps to change your email address every time it gets leaked in a breach. But is there a case to be made for potentially discontinuing the use of an email address if it's been in too many breaches, because that could leave us vulnerable to being hacked, particularly if it's a corporate email address? Chapman thinks so.

"One thing we as an industry haven't had a conversation about is retiring email addresses. If they have been in a certain number of breaches, should we have best practice where we say, 'no, actually, that's elevating the amount of risk we're facing as a business – we should shut that down now,'" he says.

But for most of our information, once it's out there on the internet, it's out there for good and there's not much we can do about it. That means the best practice is to understand what information might be out there and to be alert about when your personal data might potentially be abused.  

For example, if you know credit card details have been stolen in a data breach, it's a good idea to contact your bank, cancel that card and get a new one to avoid fraudulent activity on your account. 

Meanwhile, if you get an alert from a service provider that they've been hacked and it's possible information might have been stolen, it's good practice to change your password for that account – and any other accounts that password may be used for – to stop cyber criminals abusing stolen data. 

If you're aware that your details have been leaked in a breach, you should also be on the lookout for phishing emails. In many cases, leaked emails just get put on spam lists. Many of these are simple to detect – emails claiming you've won gift cards or offering free items. 

But some are sneakier and will use worries around data breaches to send more targeted phishing emails. For example, when a Bitcoin trading site is the victim of a hack, other attackers look to take advantage by sending phishing emails to leaked lists of users, claiming their accounts are at risk and to 'click here' to fix it – only for that link to be a portal to steal login details and Bitcoin.  

This happens with many different breaches, so it's vital that users treat emails like this with suspicion. It's unlikely that a company will inform you of a breach and include a link to log in. And if you do think there might be an issue, it's best to open your internet browser and go to the site itself, thus avoiding getting caught out by a phishing email. 

If there are old accounts that you don't use anymore, it might be worth shutting them down, as they could contain a lot of personal information that could be used against you by cyber criminals. If the account doesn't exist, there's much less risk to the user.  

"Unless you manually delete or change things, nothing is forgotten now – and attackers know that," says Chapman.  

That's certainly the case with the old photos on the online forum. But in a frustrating twist, I checked to see if I could go back and delete the images from the forum posts, but it isn't possible – my account was automatically shut down at some point because it wasn't being used, only listing my profile as a 'former member' of the forum. But my username is in the title of the thread and the photos are still there.

There's no way to remove the photos or the connected forum posts, along with a traceable trail of information about my online history spanning almost 20 years. It's a little disturbing but serves as a reminder that personal information that ends up on the internet can end up there forever, even if it's something you'd rather forget.