Big Threats To Your Online Privacy You Can Fix TODAY

The tricky thing about online privacy is that so many aspects of our life exist digitally, and malicious actors can piece together a lot of information about you from every little piece of information that you put online. Furthermore, these little tidbits can be as innocuous as a social media post, or an account on a random website that you created a decade ago and forgot about.

I’ve put together a checklist of things that you can fix today, or over a weekend, that will have a huge impact on your overall privacy, your digital security, and peace of mind.

With how poorly most people protect their online data and accounts, the only reason that the majority of people aren’t having their accounts taken over or their privacy violated on a regular basis is sheer luck.

Furthermore, most people are having their privacy violated on a regular basis, so there’s that, too.

Let’s fix that!

Read through the following checklist, and explore the rest of the article for in-depth explanations and actionable solutions to all of the ways that your privacy, private information, and online accounts can be compromised by malicious third parties, leading to frustration, theft, and worse!

Then take a half-day or so to run through the solutions, patch up the biggest holes, and you’ll be in much better shape. By the end of this article, you’ll have an actionable checklist of steps you can take right now, and you’ll be well on your way to developing strong habits, and looking at the Internet in a new light.

This new mindset will help protect you from existing threats, and will also give you the framework you need to protect yourself from new threats that don’t even exist yet.

Deleting Data From Shady Data Brokers

A lot of information that you’ve put online, or information that is available in public records, gets compiled into these so-called “data warehouses”, packed up, and bought and sold over and over. This data gets collected from your mobile device when you install certain random applications, and can even come from popular social networks. Beyond that, they will merge this with data that is publicly available, and before long, they’ve got a very specific, detailed profile on you and what you do online.

By now, most people understand that when you use a free service on the internet, it’s usually funded by advertisements, but the next layer of this is that various data points about you are also being collected and traded.

Solution: There are services like Incogni that exist to get your data removed from these places. It’s better if your data never gets there in the first place, but that’s not realistic for anyone who wants to exist on the internet in any capacity. Thankfully you can use a service like Incogni to remove your information from the internet and protect your privacy.

Data Breaches & Leaked Password Lists

You know how people are always telling you to change your passwords on a regular basis, and to use different passwords for each site/service you sign up for? That’s because anytime you hear news about one of those big data breaches where customer data is compromised (and all the smaller ones you never hear about), this data can include your email address, your name and physical address, your log-in passwords, and more.

When someone has your email address and password for one site, even if you change it on that site, if you’re using the same email and password combination for other sites and services, it’s only a matter of time until someone is able to put the pieces together and to gain access to more and more of your accounts, profiles, banks, and so on.

Between using a password manager and some additional form of authentication (like when a website texts you a code to enter when you log-in), your accounts will be much more secure. It can be a bit annoying to take these extra steps every time you log-in, but a password manager can make it much easier.

Solution: A password manager such as 1Password or BitWarden can help you generate unique passwords for each site or app that you register for, along with updating your existing passwords. By creating one master password for the password manager app, you’re able to use very complex and unique passwords everywhere else, making it almost impossible that somebody is able to gain access to more than one of your accounts even if your password leaks from some old website you signed up for ages ago.

You can check if your data has been included in any major breaches using the site Have I Been Pwned? You simply enter your email address, and this site will instantly cross-reference it across known data breaches, so that you can see which of your accounts are already compromised and which holes you need to start patching up immediately. Simply changing your password can help.

Check Your Privacy Settings

Let’s step back from the data that’s being taken, stolen, bought, or sold without your knowledge or consent and let’s look at the stuff you’re posting intentionally. Reputable social networks have taken steps to be more transparent about your privacy and what data you’re putting out there for the world to see, so use these features to make sure that you’re comfortable with what the world can see about you.

Know that there are data scrapers, basically bots that scour the internet and compile everything they can, then sort it, to gather data about you in bulk, and be mindful about what you’re putting out there. One such scraper is Google itself, along with other search engines, which will index just about anything that’s posted publicly on the internet.

Something as innocent as a vacation photo from 10 years ago that you put on Facebook, where you tagged your mother, could give someone access to so, so much more. Let’s say that your parents divorced a few years ago, and your mom decided to revert to her maiden name. Do you see where this is going? If your Facebook is totally public, the name you tagged in that photo captioned “My lovely mum!” will now be publicly displaying your mother’s maiden name, which is often a security question that people use, but we’ll cover that more in the next section.

There are 1000 different examples of the above scenario where you could end up leaking sensitive data about yourself, without even realizing it, even if you were being cautious at the time. You couldn’t have known that your mother would re-adopt her maiden name, for instance, or that an old photo captioned “Happy birthday to me!” could give someone yet another key to bypassing your security questions and accessing your accounts.

So by this point, they’ve got your email address, username, and password from an old woodworking forum. When they try to use that to access your email account or your bank, it might ask them “What is your mother’s maiden name?” or if they phone in and try to impersonate you to gain further access to your accounts, one of the security questions might be to provide your birthdate and address. That old photo where you proudly bragged about purchasing your first home, that has the house number in the background? Yeah, you get where this is going. Every little crumb you put out there makes it easier for somebody to dig deeper into your digital life, putting your accounts at risk, and the privacy of yourself and those you care about.

Solution: Make sure to check your Facebook privacy settings, and do the same for any other social networks or sites where you post publicly. Lock things down as much as you can, and obscure as much of the data as you can.

Change Your Mother’s Name and Get a New Birthdate

Following up on the previous point, it’s a really good idea to use a made-up maiden name for your mother, to avoid a situation like we outlined above where you inadvertently end up sharing her maiden name with the world.

Furthermore, information like your mom’s last name and your birthdate isn’t really private in the first place, and other people could end up sharing this inadvertently and totally out of your control. For instance, an old friend of your mom’s from high school might upload their yearbook photos that show everyone’s names at the time, and tag them, which would directly connect your mother to her maiden name, publicly, in a way that neither of you could have foreseen, even if you’re being cautious! Or any family member or friend could make a post to wish you a happy birthday.

Solution: When you sign up for a site that asks security questions, use made-up answers. Invent a different word to use as your mother’s maiden name, or simply come up with a code-system. Let’s say her maiden name is Smith. You could simply add a letter, and use Smithx when signing up for sites, or to take it to another level, you could use Smith + the first letter of the site you’re signing up for.

For instance, if you were signing up for an online account at Citibank, you might use Smithc as the maiden name, then if you sign up for an account with TD Bank, you might use Smitht, and so on. You’ll end up using the same maiden name across several sites, but as long as you remember the format/code you’re using, it’s still much safer than using her real maiden name, since nobody else but you is going to know the correct answer.

The same goes for your birthdate. If you’re joining random apps and sites that don’t need to know your real birthdate, use a made-up one! There are instances where you’ll need to use your real birthday, like with banks or government sites, but those accounts will be much more secure when your birthday isn’t included in every other potential place that your data can leak from. If nothing else, it can confuse the data brokers, which is a good thing for you.

Security questions aren’t used as commonly as they used to be, since 2FA (two-factor authentication, those codes that get texted to you, etc.) has become more popular, but many legacy accounts and even new ones may still rely on security questions. Use made-up answers for all of it, from your first car, to the city you were born in, to your favourite food, whatever it asks – just use a fake answer. Don’t even use an answer in the same category: your favorite drink can be “Tears of my enemies”, or your first car can be “The Lakers”.

Just make sure that you remember these answers, which is where a password manager comes in crucial, since you can add notes to each log-in that it saves for you, where you can record these answers.

Use Multi-Factor Authentication

I’ve touched on the idea of MFA/2FA (multi-factor authentication or two-factor authentication) already. I know, sometimes we’re hesitant to turn it on, since it is a pain, but it’s worth it to get into the habit. The downside is that it might keep you locked out of your account if you lose your phone or aren’t able to complete the authentication, but there are steps you can take to avoid this, such as writing down backup keys and storing them somewhere safe.

Overall, this type of authentication will more or less completely secure your account, save for instances where somebody uses social engineering or finds enough other puzzle pieces about you around the internet to systematically access the other accounts they’d need to complete the authentication, like gaining access to your cellphone company and getting a replacement SIM card, but that’s a much higher level attack than most people will need to worry about.

Solution: Just bite the bullet and get used to using MFA, or look into tools such as YubiKey, which is a physical device that plugs into your phone or computer, and uses your fingerprint or other factors to authenticate you. Make sure you buy two at a time, because you will want a spare, just in case!

With many of the more locked-down security steps you can take, there’s usually some backdoor method by which you, as the user, can regain access – but not always! Remember, any backdoor that exists for you can also make it easier for someone else to get in. Still, many apps that use MFA will give you the option to store your backup security keys, which can be used if you can no longer access your cellphone or the email address where the authentication code would normally be sent.

By using strong passwords, changing the most important ones even on a yearly basis, and using multi-factor authentication for the most important accounts (like an email address, since it’s the gateway to accessing so many other accounts), you’ll be in tip-top shape and far above average, which means anyone digging through data broker lists or leaked password lists generally won’t bother with you, they’ll be looking for much lower-hanging fruit.

Educate Yourself About HOW People Violate Your Privacy

This is also something I’ve touched on already throughout this article, and just by reading to this point, you can more or less check this off the list already – that’s a freebie!

Understanding the various threats that exist, and putting yourself in a privacy mindset, will go far in keeping you and your loved ones safe from online threats.

Phishing attacks are another popular way that people will gain access to your data and accounts, sometimes without you ever even knowing. You might get an email saying that your Spotify account is expiring, you might think “What, I just paid my bill..” so you click the link and log-in, and boom – you’ve just given away your log-in info. The next screen might say “Our mistake, looks like your payment is up to date!” and now a random third party has access to your account. Having your recommended songs messed up due to someone else using your account is the least of your worries in this case, since once again, it’s just another piece of the puzzle and now you’re identified as someone who might fall for these types of things.

The emails can be super convincing, too! Remember, your data can get pooled together in these warehouses, so the phishing emails sent to you can be customized and personalized, they can reference your real username, your address, and plenty more. They might even mention the names of family members or BE SENT FROM THE EMAIL ADDRESSES OF FAMILY MEMBERS. Remember, if someone takes over an email address, they’ll have free rein over its address book, and they could even spoof an email address without ever having access to it in the first place.

Solution: If you get an email from a site, even if you recognize it, even if it references your name or real info about you, BE CAREFUL. Links can be spoofed so that it might SAY it’s leading you to “account.google.com” as the text of the link, when in reality, clicking the link will take you somewhere else entirely.

Learn about phishing attacks, how accounts commonly get hacked (the password stuff we talked about earlier, and MFA), protecting your data, and how to stay safe online in general. It’s an on-going process, and you’ll never have things down 100%, but you can get pretty close – at least to a point where you’ll be one of the last people anyone would bother to target, since it’s high-effort with a low chance of payoff.

You Have a Long Trail of Vulnerabilities

As you can see by now, there are countless little holes and leaks for threats that can spring up. It could be a password that leaked years ago that finally gets acquired by someone who uses it to act maliciously, or something as innocent as someone posting your birthdate to Pinterest or changing their name on Facebook.

Understanding how dangerous every little piece of the puzzle can be is a huge step! Using better passwords and cyber hygiene moving forward is a big step, but it’s also important to look back at your old accounts and tidy up as much as you can to prevent them from being leveraged against you in the future.

So, what can you do if you don’t even remember all the old accounts you’ve made? Well, thankfully, older websites do tend to shut down sometimes, so in those cases, the data will hopefully just be wiped away over time. For everything else, check if your web browser has a list of saved accounts/passwords; you can use that as a starting point.

Beyond that, start to pay attention to any random emails you get from old sites or apps you’ve signed up for in the past. Check old email addresses that you don’t use anymore, too.

Consider making a new email address, a “burner account” of sorts. Log-in to all these old sites, and remove any personal information you’ve given them, and delete your accounts if they allow it.

TIP: There’s a regulation in the EU called the GDPR (General Data Protection Regulation), which includes a section called the Right to be Forgotten, which means that websites must remove your personal information upon request. Now, even if you’re not in the EU, sometimes you can reach out to sites and request something like this…

“Hello, per the GDPR / right to be forgotten, I’m requesting that you delete my account and all associated data.”

You might get pushback if the company doesn’t operate in the EU, or if you aren’t in the EU, but usually it’s just easier for them to press the button and wipe your data, rather than going back and forth and fighting you over it, even if neither party is in the EU or those laws may not apply in your case.

Solution: Start making a list of all the places you have old, straggling accounts that you don’t use. Log-in to old emails when you can, and add to this list. Log-in to all of the sites and accounts that you can, go to your user information / settings section, and replace as much of the information as you can with made-up data. If you might ever need to access this account again, make a note of the fake data that you enter, since you might need it to answer security questions in the future.

Replace your data with fake data BEFORE deleting the account, so that if the site still keeps a copy of the data from deleted accounts, the data that’s ultimately stored at least won’t be accurate.

Even better, if you can make a new email account, use a random username for it, either a made-up combination of names or words and numbers, and then switch to that email address on these old profiles. Malicious actors would still be able to use this email address to tie things together, but it’s much better than if your email address is your [email protected], for instance. It gives you an extra degree of separation and protection, and puts an additional step between these old forgotten accounts and your real data.

An old website you joined ages ago is probably one of the most likely ways that your data can be hijacked, since a forgotten or abandoned site can be bought and sold, or may simply not keep its software up to date, which leads to vulnerabilities and exploits, making it an easy target for somebody who is looking to acquire a large list of users to run through their password-cracking software or other methods.

Use Technology To Your Advantage

Technology is the reason that a lot of this data is at risk in the first place, and it’s why we need to take extra steps to protect our privacy – but technology is also the solution to reduce a lot of this risk. It also takes some common sense, some care, and some diligence on your part, but when you combine that with technology, you’ll be in great shape.

There are a number of apps and services that can help you to protect your privacy from common and not-so-common threats. Here are the ones we’ve outlined in this article, and some additional options, too…

  • 1Password / BitWarden / LastPass
  • Facebook Privacy Tools
  • Have I Been Pwned?
  • Incogni
  • YubiKey

Final Thoughts on Protecting Your Privacy Online

You could make an entire career out of trying to track down every possible point of weakness in your overall online privacy, but that’s not realistic.

Start with the things we’ve outlined on this page, learn the fundamentals of what people are trying to access so that you can protect it, and you’ll be in pretty good shape overall.

It’s like they say, if you’re with a group of people and you’re being chased by a hungry bear, you don’t have to be the fastest runner… just don’t be the slowest.

As long as you have above average privacy for yourself, and take above-average steps to protect it, you’ll be doing great. Most people do a poor job of this out of ignorance or complacency, so hopefully you’re reading this before it’s too late to tidy up your online privacy and keep yourself safe and secure.

About the Author

Ken Jayes is a lifelong tech enthusiast. He's the guy who family and friends call when their tech isn't working. With his role as the main contributor to RSSCloud.org, Ken is now your tech guy, too.