Instead, they open with your actual profile photo, your real follower count, and a thumbnail of your most recent post. Everything in the email looks legitimate because the attacker pulled your public data before sending you anything.

This comes from a phishing campaign documented this week by Malwarebytes that pulls real YouTube channel data to build a personalized copyright scare page. The moment you land on it, the page already knows your avatar, your subscriber count, and your most recent video. If you enter your credentials on the fake Google sign-in it serves up, you lose your entire Google account.

And while this particular scam focuses on YouTube, it can equally apply to any number of other platforms, from Facebook to Instagram to Substack. Creators are especially at risk.

Subscribe now

This scheme runs like a global hacker franchise. Multiple attackers share the same phishing kit, each running their own campaigns with their own affiliate ID embedded in the links. One operator can swap out the destination domain at any time to evade takedowns. That means the infrastructure stays live even when individual phishing pages get flagged.

There’s also a detail that says a lot about how professionally these operations are being run. The scam automatically screens out any channel with more than three million subscribers, instead showing those creators a clean bill of health rather than a scare page. The reason is simple if you think about it:

Large creators are more likely to have security staff, YouTube contacts, or the visibility to get the operation shut down quickly. Smaller creators, who have less protection and just as much to lose, are the higher value target.

The reason this scam works is that YouTube has a public API. In case you think this is just a YouTube problem, public APIs are not unique to YouTube. Any platform that displays your profile photo, follower count, and recent activity to the world gives an attacker the raw material to build a personalized scare page.

Facebook business pages, LinkedIn profiles, Etsy storefronts, Substack publications all expose enough public data to run the same scheme. A fake “your Facebook page has been flagged for removal” notice showing your page name, your follower count, and your most recent post would be just as convincing to a small business owner as the YouTube copyright notice is to a creator.

Voice cloning has crossed what researchers at the University at Buffalo describe as the “indistinguishable threshold.” Some major retailers are already reporting over 1,000 AI-generated scam calls per day.

The family emergency call, the one where you hear your daughter’s voice saying she’s been in an accident, is no longer a theoretical risk. It’s running at scale, and it runs on a few seconds of audio pulled from a public video or voicemail. Experian’s 2026 fraud forecast describes intelligent bots carrying out automated family-member-in-need scams with a sophistication that wasn’t possible even two years ago.

Both of those attacks share the same logic as the YouTube scam. They start with real data about you, pulled from public sources, and use it to make the approach feel legitimate before you’ve had a chance to think.

There’s a separate but related story worth knowing about too. A credential-stealing malware called Omnistealer revealed the other day hides its attack code inside blockchain transactions on networks like TRON and Binance Smart Chain. Because blockchains are append-only, those malicious snippets are effectively permanent once they’re mined into a block. You can take down a malicious GitHub repo or revoke a domain, but you can’t roll back TRON to remove a few hundred bytes of malware staging code.

The campaign has been linked by on-chain forensics to (no surprise!) North Korean state-sponsored actors. It spread through fake developer job offers on LinkedIn and GitHub where technically skilled targets handed what looked like a routine freelance project.

While the personalization angle is less pronounced here, what Omnistealer illustrates is the other half of the same shift:

sophisticated fraud operations are not only getting better at targeting people, they’re getting better at making their infrastructure difficult, if not impossible, to shut down. The attacks are more convincing and more resilient at the same time.

That combination is what makes this moment different from previous waves of online fraud.

Share

For most of the history of online fraud, the attacker’s main constraint was personalization. A phishing email that addressed you by name was already considered sophisticated. And a scam call that knew where you worked was alarming.

Building something that looked genuinely specific to you (your face on the page, your voice in the audio or your channel data in the copyright notice) required real effort and real resources. That constraint kept the volume down. It limited who could run these operations and how many people they could reach.

That constraint is gone, and it’s not coming back.

The YouTube copyright kit fetches your real data automatically from a public API. Voice cloning tools require a few seconds of audio, freely available for most people who have ever posted a video or left a voicemail. The personalization layer is now a commodity. Anyone with modest resources can build an attack that feels like it was made specifically for you, because technically, it was.

What legislators and most security advice haven’t caught up to yet is that the old detection signals no longer work. You were told to look for misspellings, generic greetings, implausible urgency. An email that called you “Dear Customer” was a tell. None of that applies anymore. The new signals are different, and defending against them requires a different posture.

Subscribe now

How to Defend Yourself

The defense move here isn’t about being more skeptical of suspicious-looking messages. That’s because messages won’t look suspicious. The defense is structural, which means developing habits and configurations that hold up even when the attacker has already done their homework on you. Here’s how to do that.

Read more

Yet their faces ended up training a facial recognition system that now sells to police departments, government agencies, and the military.

How did that happen?

Subscribe now

The U.S. Federal Trade Commission (FTC) alleged that OkCupid shared users’ photos, location data, and demographic profiles with Clarifai, a “computer vision company”. They did so without user consent and in direct violation of its own privacy policy. OkCupid’s founders were personally invested in Clarifai, and one of them sent the photos from his personal email account, bypassing any corporate oversight.

No contract governed the data handoff. And no restrictions were placed on what Clarifai could do with the misappropriated data.

Clarifai ended up using the images to build technology capable of identifying the age, sex, and race of faces. The company has since secured contracts with the U.S. Air Force Research Laboratory and partnered with defense firms supplying AI to the Army’s intelligence community.

So dating profile pictures became raw material for defense contractors. The people in those photos had no idea, and were never asked.

Share

The FTC settled the case in March 2026.

The good: The settlement permanently bars Match Group and OkCupid from misrepresenting their data practices and requires compliance reporting for a decade.

The bad: Match Group did not admit wrongdoing.

The ugly: The settlement carries no financial penalty. And the FTC did not require Clarifai to delete any of the data it received.

Twelve years of willfully misusing people’s images, and the regulatory consequence is a promise to tell the truth going forward.

The OkCupid Story Isn’t Really About OkCupid

Most people process news like this as a company-specific scandal. OkCupid was reckless with customer data, OkCupid got caught, but you don’t use OkCupid, so you’re fine.

That’s the superficial take. As is usually the case with these stories, there’s a deeper level.

Every site where you’ve uploaded photos, whether LinkedIn, Facebook, Instagram, a fitness app, a medical portal, or a real estate platform, operates under a privacy policy that its legal team wrote. And they wrote it to maximize the company’s flexibility, not yours. I’ve written before about why reading those policies is a waste of time. 👇

What the OkCupid case illustrates is the specific mechanisms that makes privacy policies useless:

Privacy policies are often inaccurate, either out of negligence or intentional bad behavior (as appears to be the case with OKCupid). Or a company can change the policy at any time, usually without notice, to make their privacy infringing practices legit. And in almost all cases privacy policies are drafted to provide broad rights and discretion to use your data, which means most people don’t know what they’re supposedly consenting to.

Unfortunately the OKCupid incident isn’t a one-time failure by a company with bad intentions. It’s a repeatable playbook.

Many people now understand that tech companies design features specifically to get you to hand over your face voluntarily. It’s been going on since the dawn of the internet but AI companies have taken it to a whole new level. The best example is when OpenAI/ChatGPT pushed an anime filter, the Ghibli-style portrait, which allowed users to see themselves as a cartoon.

Users got a quick dopamine hit from doing that. And OpenAI received valuable data to bolster their facial recognition capabilities without paying anything. That’s about as lopsided of a trade as you can find.

OkCupid’s founders didn’t need a clever feature to capture valuable biometric data because they already had three million photos sitting in a database. But the outcome is the same:

your face, in a training set, with no restrictions on what gets built from it.

The enforcement consequence for any of this is, apparently, a compliance checklist. Which shouldn’t be surprising to anyone following these incidents. Penalties handed down by regulators are usually small compared to company revenues. Businesses then calculate the cost of protecting (or not protecting) your privacy, and when the answer is zero (or near zero) dollars in penalties, the math doesn’t work in favor of your privacy.

For photos specifically, the only meaningful control you still have is upload discipline. Review which apps have access to your Google, Apple, or Facebook account, and think carefully before handing your face to the next platform that makes it seem fun or convenient. The photos you never put up can’t be handed to anyone.

You can't un-upload a photo, and you can't control where it goes once a company has it. Knowing that your photos can move from a dating app to a defense contractor through a personal email and a handshake should change how you evaluate the next platform that asks for your face. While the next platform asking for your photo isn't OkCupid, the incentive structure is identical.

One more thing: I've been sharing the behind-the-scenes of building DoxxScore over on Substack Notes. Things like the thinking behind the product, what I've learned about digital privacy along the way, and where it's headed. If that interests you, a sample post is below. DoxxScore goes live next week, so stay tuned for more information. ⌛

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

That’s the official summary. Here’s what the official summary doesn’t help you with.

Subscribe now

When a breach involves booking details specifically, the follow-on scam isn’t generic phishing. It’s targeted.

A scammer who knows your name, your hotel, and your travel dates can send you a WhatsApp message that reads exactly like something your accommodation would send. Or call you, reference your reservation, and tell you there’s a payment problem with your booking.

The message will be well-written and the details will be accurate. Add it all up and the urgency will feel legitimate.

And this isn’t a theoretical scenario.

In November 2025, researchers at Sekoia documented a campaign in which attackers who had stolen hotel staff credentials used that access to contact guests over WhatsApp and email, referencing their real reservation details. The cover story was that a security issue had come up during verification of their banking details, and that confirming their information was a procedure Booking.com used to protect against cancellations. Victims who followed the link landed on a fake payment page built to look like the real thing.

The current breach didn’t involve hotel account access (thankfully). But the same logic applies: an attacker who already knows your name, your hotel, and your travel dates doesn’t need to compromise anything else to make an approach convincing.

The disorienting part is that the breach notification email itself looks like the kind of thing scammers send. Plenty of people receiving a legitimate email from noreply@booking.com this week will reasonably wonder whether to trust it. Reasonably so because a decade of phishing awareness training has taught people to distrust exactly this kind of message.

The actual risk hierarchy here is worth being clear about. On the positive side, the exposed data cannot be used to make purchases or drain accounts directly. What it can do is make someone more likely to hand over payment details voluntarily, because the person asking seems to already know things only Booking.com would know.

Share

One thing worth doing now: If you received a breach notification, or if you have an upcoming Booking.com reservation, treat any inbound contact claiming to be from Booking.com or from your accommodation as suspicious by default. That means phone calls, WhatsApp messages, and emails asking you to update payment details or “secure” your booking. If something seems urgent, navigate to booking.com directly by typing the URL and handle it from your account there. Don’t call back numbers from messages you received. Look up the number yourself.

Booking.com says it has reset PINs for affected reservations, which is a reasonable containment step. What they haven’t said is how many reservations were affected or how the access happened. That opacity is frustrating, and it’s also a pattern for them: the company was fined €475,000 by Dutch regulators in 2021 for notifying authorities too late after a previous breach.

There’s a structural question buried in all of this. Travel platforms collect a surprising amount of contextual detail about where you’re going, when, with whom, and what you’ve requested. That data is operationally necessary in the short term. Whether it needs to be retained as long as it typically is, in the form it’s stored, is a question the industry hasn’t been forced to answer seriously yet.

If you’ve had a similar experience with scam follow-up after a travel booking, I’d be curious to hear about it. Reply to this email.

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

The results are quietly sent back to LinkedIn’s servers for processing and data mining. None of this is in LinkedIn’s privacy policy.

This is BrowserGate, a detailed investigation published last week by Fairlinked e.V., a European association of commercial LinkedIn users. BleepingComputer independently confirmed the scanning behavior through its own testing.

LinkedIn calls it a security measure. The rest of us call it covert surveillance of a billion users’ browsing behavior at industrial scale. BrowserGate is a bad look for Microsoft owned LinkedIn and reinforces their poor privacy tactics.

But there’s a larger issue here beyond LinkedIn. And that is Google Chrome’s role, which makes this whole scheme possible (and all the similar ones out there you don’t know about yet).

Subscribe now

What LinkedIn Can Actually Learn From Your Extensions

A list of browser extensions sounds like dry technical data. It isn’t.

Some of the extensions on LinkedIn’s scan list may indicate religious beliefs, political views, health conditions, or whether a user is actively seeking employment.

The investigation found 509 job search tools on the list, including extensions for Indeed, Glassdoor, and Monster. If you’re quietly browsing jobs while your current employer can still see your profile, LinkedIn may already know.

The list also includes extensions that identify practicing Muslims, tools built for neurodivergent users, and partisan news filters that reveal political leanings. Under EU law, this is special-category data. Collecting it without explicit consent is prohibited, not just discouraged.

Perhaps most interesting, LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user’s employer, it can map which companies use which competitor products. LinkedIn knows your real name, your job title, and where you work. When it spots a competitor’s tool in your browser, it doesn’t just know you have it. It knows your company has it. This data is extremely valuable.

Share

This is a Google Chrome Problem

Google built Chrome, and Google’s business model is advertising.

Chrome is the most widely used browser in the world, which means the data it makes available to websites (and to Google itself) flows at enormous scale. Google uses Chrome browsing data to inform its ad targeting systems. It has repeatedly introduced features that privacy advocates pushed back on, including a tracking system called the Privacy Sandbox that replaced third-party cookies not by eliminating tracking, but by moving it into the browser itself. Chrome still doesn’t block third-party tracking cookies by default, something Firefox, Brave, and Safari have done for years.

The extension architecture that makes LinkedIn’s scanning possible is a Chrome-specific design. Firefox and Safari expose extensions differently, which is why the scan doesn’t work there.

LinkedIn’s script actually checks whether you’re using Chrome before it fires. If you’re not using Chrome, nothing happens.

Now LinkedIn didn’t single out Chrome users. Chrome was simply the only browser where the technique works, and it covers roughly two thirds of all web traffic. That combination of architecture and reach is what made BrowserGate possible.

The scan list in this case started at 38 extensions in 2017. As is true with most privacy intrusions, it quickly grew. LinkedIn’s scanning now covers more than 6,000. Nearly a decade of growth, all enabled by the same Chrome design decisions that Google has never had much incentive to change.

So Which Browser Should You Use?

If you switch from Google Chrome to Firefox or Safari, LinkedIn’s scanning script simply doesn’t run. That’s the cleanest fix, though not our recommendation.

Brave is also a meaningful upgrade over Google Chrome. Now Brave detractors will tell you that Brave is a chromium based browser, which is true. But that’s a misleading story.

Yes, Brave is built on the same underlying engine as Chrome, so LinkedIn’s script does target it. But Brave blocks the tracking endpoints where the collected data gets sent. A Brave privacy engineer confirmed this publicly, and even told users they could verify it themselves by opening LinkedIn in Brave and watching the DevTools network tab. The data collection is interrupted before it leaves your browser.

So what’s the practical solution hierarchy here? Firefox or Safari stops the scan entirely. Brave stops the data from being transmitted. Whichever browser you choose, you’re in a substantially better position than Google Chrome users.

Our Recommendation on What You Can Do Right Now

Brave is our recommended primary browser, and BrowserGate is a good illustration of why.

While Brave is built on the same underlying engine as Chrome, Brave blocks the tracking endpoints where the collected data gets sent. And in the grand scheme of things, Brave is the best overall privacy browser around. The reasons for that deserve a separate post, which is in our queue.

Firefox stops the scan from running at all, since LinkedIn’s script checks for Chrome’s architecture before it fires. But as regular readers know, we don’t recommend Firefox as a primary browser since they’ve strayed from their privacy first ways. But keeping it installed and using it as a dedicated browser for sites like LinkedIn is a reasonable approach. Either way, Firefox is a better choice than Google Chrome for anything privacy-sensitive.

The bottom line:

if you’re using Google Chrome as your primary browser, you’re exposed to this LinkedIn scheme and to a long list of similar techniques that Chrome’s architecture enables. Switching to Brave costs you nothing and fixes the problem.

Switching browsers is one of the easiest first steps toward removing Google from your daily life entirely. If you want a full roadmap for doing that, I put one together, and it covers the browser switch and everything beyond it. Paid annual subscribers get it for free but everyone else can get it for 20% off here.

For further reading on the technical aspect of BrowserGate, check out this post from our friend Digital Mark:

Digital-Mark

The LinkedIn Panopticon

SPECIAL ANNIVERSARY BULLETIN: 04.03.2026…

Read more

20 days ago · 54 likes · 11 comments · Digital-Mark

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

Initially it looked like a one-off crime. Turns out it wasn’t.

Federal investigators eventually connected that break-in to at least 19 other burglaries across the United States, spanning both coasts, with total losses exceeding $1.6 million. Ten suspects were arrested in Michigan, California, New Jersey, and Wisconsin. According to federal court documents, the group had conducted weeks of surveillance on each target, researching victims through internet searches, open-source databases, and social media to study the layouts of their homes and identify items of value.

They didn’t pick their targets randomly. They built profiles on them, using tools that are freely available to anyone with an internet connection.

Subscribe now

The Digital Casing Playbook

Think of traditional burglary as a physical operation. A thief drives through a wealthy neighborhood, looks for an unlocked door or an empty driveway, and takes their chances.

What federal prosecutors described in this case is fundamentally different. It’s a research operation that follows a repeatable playbook, one I’d call “digital casing.”

The playbook works in four stages.

Stage 1 — Identify. Find a target through business directories, social media, or community visibility. In this case, the group focused on immigrant business owners, particularly those running restaurants, jewelry stores, and other enterprises where cash and gold might be kept at home.

Stage 2 — Locate. Use people-search websites, open-source databases, and property records to connect a business owner’s name to a home address. These sites aggregate data from voting registries, property filings, motor vehicle records, and more. Many provide a home address for free.

Stage 3 — Surveil. Study the home using real estate listing photos (which often remain online for years after a sale), Google Street View, and social media posts that reveal layouts, valuables, routines, and travel patterns. In one case tied to this ring, a neighbor of a victim in Kentucky found a camera hidden in the bushes, rigged with fake foliage and a wireless hotspot.

Stage 4 — Execute. Time the break-in using GPS trackers placed on vehicles, knowledge of the family’s schedule, and even estimates of local police response times.

This four-stage process is what transformed a burglary into something closer to an intelligence operation. And every tool used in stages 1 through 3 is legal, commercially available, and accessible from a phone right now.

Share

This is Not an Isolated Case

The Kent County case is part of a much larger pattern. The FBI has identified what it calls “South American Theft Groups” (SATGs) as a significant and growing criminal threat. These aren’t a single organization. According to Kent County Sheriff’s Sgt. Scott Dietrich, there are “tens, maybe hundreds of these groups all over the United States” that target specific people or specific things. (source)

The scope is larger than you would think.

In Houston, law enforcement linked over 60 home burglaries to SATG-connected crews. West University Place Police Chief Gary Ratliff told Fox News Digital that these groups used signal jammers to disable Wi-Fi security cameras and alarm systems during break-ins, rendering wireless home security effectively useless. (source)

A separate Chilean burglary ring targeted the homes of professional athletes, including Patrick Mahomes, Travis Kelce, and Joe Burrow, using public social media posts and game schedules to time their break-ins for when the players were away. The FBI released a podcast episode in February 2025 specifically warning about this tactic ahead of the Super Bowl, noting that SATGs use “a combination of internet research, surveillance, and commercially available camera and tracking technologies to scope out their targets.” (source and source)

In Pennsylvania, a theft ring targeting Asian business owners led to six convictions, with suspects sentenced to up to 10 years in prison. (source)

And police in Riverside, California have confirmed that detectives routinely find Zillow and Redfin searches on phones seized from arrested burglary suspects. (source)

This Is a Privacy Story More Than a Crime Story

Most coverage of these burglary rings focuses on the criminal element.

And that’s understandable.

But the reason I’m writing about it is because the vulnerability these criminals exploited isn’t a broken lock or an open window. It’s the fact that an enormous amount of actionable intelligence about where you live, what you own, and when you’re home is publicly available by default.

Consider what a motivated person can assemble about you, right now, without breaking any laws.

From people-search sites like Spokeo, WhitePages, and BeenVerified, they can get your full name, home address, phone number, email, names of relatives, and sometimes estimated income or net worth. Many of these sites provide actionable results for free.

From real estate platforms like Zillow, Redfin, and Realtor.com, they can view interior photos of your home, floor plans, entry points, window types, and camera placements.

From Google Street View, they can study your property from multiple angles, check vehicles in your driveway, scope out fences and access points, and assess escape routes.

From social media, they can learn your daily routines, track when you’re on vacation, identify expensive purchases, and piece together your family structure.

From business registrations and licensing databases, they can connect you to a business and make assumptions about cash or inventory you might keep at home.

None of this requires hacking. None of it requires specialized skills. And critically, none of it requires the criminal to be anywhere near your home until they’re ready to act.

The court documents in the Kent County case put it plainly.

These were not crimes of opportunity based on an unlocked door. Victims were targeted and stalked. The court noted that the “shadowing sense of fear that someone is coming after you is not unrealistic.”

The immigrants who were victimized in this case had done most things right. They built businesses, followed the law, saved diligently. What they hadn’t done, and what almost nobody does, is manage their digital footprint. Because most people don’t realize there’s anything to manage.

That’s the gap. And it’s one that organized criminals have figured out how to exploit with industrial efficiency. The question is whether the rest of us are going to keep pretending this information is harmless just because it’s technically “public.”

The good news is that this is a solvable problem. Not perfectly, but meaningfully.

Most of the data these groups rely on during the “identify” and “locate” phases of their playbook can be removed or significantly reduced. And the surveillance tools they use during the “execute” phase, particularly Wi-Fi signal jammers, have known countermeasures that most homeowners haven’t implemented because they don’t know the threat exists.

Below I’ll walk you through exactly how to close each stage of the digital casing playbook, starting with the single most impactful step you can take in the next 10 minutes.

How to Close Each Stage of the Digital Casing Playbook

The digital casing playbook has four stages. Each one has countermeasures. I’ll walk through them in reverse order of difficulty, starting with the steps you can take today.

Read more

Then they actually look, and it’s much more than that.

This guide walks you through exactly how to audit your own digital footprint: where to look, what you’ll find, and what to do about it.

Subscribe now

Start With a Basic Search (but do it right)

The obvious first step is searching your own name in Google, DuckDuckGo, or Brave. But most people do this wrong and miss a lot.

Do these searches:

• Your full name in quotes: "Jane Smith"

• Your name plus your city: "Jane Smith" Chicago

• Your name plus your employer: "Jane Smith" Acme Corp

• Your name plus your phone number or email address

• Your username, if you use the same one across sites

Search on at least two engines. DuckDuckGo and Google surface different results, so start there first. What one buries, the other sometimes surfaces prominently.

Look past the first page. Most people stop at page one, but data brokers and people-search sites often rank lower and contain far more personal detail than anything on page one.

Data Brokers Are the Real Problem

Search engines show you what’s publicly indexed. Data brokers show you what’s been collected, aggregated, and sold.

Data brokers are companies that compile personal information from public records, purchase histories, loyalty programs, social media, voter registrations, property records, and dozens of other sources. They then package it into profiles they sell to marketers, landlords, employers, and anyone else willing to pay.

The profiles are detailed. A typical data broker entry might include your full name, current and past addresses, phone numbers, email addresses, relatives’ names, estimated income, property ownership, court records, and social media handles — all on one page, available to anyone who searches.

The major people-search sites to check first:

• Spokeo

• WhitePages

• BeenVerified

• Intelius

• PeopleFinder

• FastPeopleSearch

• Radaris

• MyLife

Search your name on each one because what you find will vary. Some brokers have more complete records than others, and the data they hold updates at different rates.

This is uncomfortable for most people. The volume and specificity of what’s available is usually worse than expected.

Check What Google Knows Specifically

Beyond general search, Google maintains records of your activity across its own products. If you use Gmail, Google Maps, YouTube, or Android, there’s a detailed log of that activity attached to your account.

Go to myactivity.google.com and sign in. You’ll see a timeline of searches, sites visited, videos watched, locations visited, and more. This data often going back years.

Google also allows people to request removal of certain personal information from search results. If your phone number, home address, or other sensitive details appear in Google Search, you can submit a removal request at support.google.com/websearch/troubleshooter/9948276.

Look at What Social Media Exposes, Including Accounts You Forgot About

Social media platforms often expose more than people realize, especially when privacy settings drift from their defaults over time.

Facebook: Check your profile as a non-friend or logged-out user. Go to your profile, click the three dots, and select “View As.” What’s visible may surprise you, and can include tagged photos, check-ins, and older posts are often more public than expected.

LinkedIn: Your profile is typically fully public and indexed by search engines. Your connections list, employment history, education, and any posts or comments you’ve made are visible to anyone. LinkedIn is one of the most commonly harvested surfaces for scammers and data collectors because the information is both detailed and voluntarily provided.

Instagram and Twitter/X: Both default to public. Old posts, location tags on photos, and comments under other people’s content all appear in search results.

Also think about accounts you may have created years ago and forgotten: old forums, Tumblr, Reddit, Disqus, Quora, and gaming platforms. Search your username across these. A username you’ve used consistently is one of the most reliable ways for someone to build a comprehensive profile of your activity online.

Check Public Records

A surprising amount of information is publicly available through government records:

• Voter registration: In many US states, voter rolls are publicly accessible and include your name, address, date of birth, and party affiliation

• Property records: If you own property, your name, purchase price, and address are typically in public county records

• Court records: Civil and criminal court filings are often searchable online by name

• Business filings: If you’ve ever registered a business, LLC, or been listed as a registered agent, that information is typically in state records

Many data brokers pull directly from these sources, which is why opting out of the broker itself doesn’t always prevent the information from resurfacing. The reason? They just re-pull from the original public record that never changes.

What You’re Likely to Find

After going through this process, most people discover some combination of the following:

• Current and past home addresses, sometimes going back decades

• Phone numbers, including mobile numbers they never gave out publicly

• Names of family members and their addresses

• Estimated income and net worth ranges

• A list of “associated” people (neighbors, relatives, former roommates)

• Old email addresses

• Court records, even minor ones

• Photos pulled from social media, sometimes years old

• URLs that you registered

The goal of this audit isn’t to alarm you, rather it’s to give you an accurate picture of your actual exposure, rather than an assumed one.

What to do About It

Knowing what’s out there is step one. Step two is reducing it.

The highest-leverage moves, in order:

1. Opt out of the major data brokers. Most have opt-out processes, though they vary in difficulty and reliability. Some require ID verification, some require a written request, and some re-add your data after a period of time and need to be revisited.

2. Tighten your social media privacy settings. Review what’s visible to non-connections and to search engines. Most platforms have a “view as public” option that shows you exactly what a stranger sees.

3. Request Google removal for any personally identifying information that appears in search results.

4. Use separate email addresses for different purposes so a data breach on one service doesn’t expose activity across others.

5. Be selective with loyalty programs and apps that request location access. These are common data collection points.

The honest answer is that a full cleanup takes time. The data broker opt-out process alone involves dozens of individual sites, each with its own process. But each step meaningfully reduces your exposure, and the high-leverage ones (like the major people-search sites) make an immediate difference.

If you want a structured path through all of this, including a step-by-step audit process, a data broker opt-out tracker with 75+ sites pre-loaded, and guides covering email privacy, LinkedIn, Apple settings, and more, the Secrets of Privacy Library has everything in one place. “Excellent content, really helpful and clear” - James Adams

Published by Secrets of Privacy — practical privacy guidance for people who want real protection without going off-grid.

He hosted a webinar on a sensitive topic and deliberately chose not to record it because the content was personal, the attendees were vulnerable, and he wanted no record to exist.

Weeks later, he received a cold email from a company called WebinarTV. It contained a direct link to his webinar session, which was now published as an AI-generated podcast episode on WebinarTV’s platform.

Rademacher hadn’t uploaded anything and hadn’t consented to the podcast creation. He hadn’t even recorded the webinar himself.

So what happened?

Subscribe now

WebinarTV describes itself as “a search engine for the best webinars.”

What it actually does is scan the internet for publicly accessible Zoom meeting links, join those calls using bots or AI transcription tools, record the audio, and convert it into podcast content. The company then uses it as a sales pitch to the very people whose meetings it captured. Journalists at 404 Media found their own public event with the Freedom of Press Foundation listed on the platform without their knowledge or consent. (source)

Zoom confirmed the activity is not the result of a vulnerability or security issue on its platform. (source) The problem is the link itself and the settings controlled by the Zoom webinar creator. So no hacking.

A Zoom Meeting Link is a Door With No Lock

If that link is anywhere on the internet, such as embedded in a public calendar event, posted in a community forum, listed on an events page, it’s findable. WebinarTV’s bots scan for the “zoom.us/j/” string across public web pages, and if a link isn’t behind an authentication wall, it’s treated as public. (source)

The meeting being “private” in your mind means nothing if the link is public in practice. It’s the same logic as leaving your address on a public post and assuming only friends will show up.

The fix is the same across every major platform:

stop treating the join link as the access control, and start requiring identity before entry.

Zoom: When scheduling a meeting in the Zoom web portal (not the desktop app), enable “Registration required” under the meeting settings. Set approval to “Manual” so you review each registrant before they receive a join link. Each approved participant gets a unique link tied to their registration, which means a generic link won’t get them in. This is the single most effective change you can make.

Google Meet: In your Calendar invite, click the gear icon next to the Meet link and open Host controls. Set the meeting access type to “Trusted” or “Restricted,” then uncheck the box that says “Anyone with the meeting link can ask to join.” (source) With that unchecked, only participants signed into their invited Google Account can enter. Bots attempting to knock via “Ask to join” are automatically denied without any action required by the host. (source)

Microsoft Teams: Before the meeting, open Meeting options and find “Who can bypass the lobby?” Set it to “People who were invited” so anyone who has the link but not an actual calendar invitation will wait in the lobby until you admit them. (source) Also disable the option that allows participants to forward the invitation, which closes a common secondary vector.

One More Thing Worth Knowing

CyberAlberta, a Canadian cybersecurity organization that investigated WebinarTV in depth, found that some access comes through AI note-taking browser extensions that users install voluntarily. These are extensions that quietly request calendar permissions and forward meeting details to the platform. (source)

For individuals, the fix is straightforward: in Chrome, go to Settings > Extensions and review what’s installed. For any extension with calendar or meeting access, check its permissions and remove anything you don’t actively use.

If you run a security or privacy program you may be rolling your eyes because you know that browser extensions are a major shadow IT problem.

Employees routinely install productivity and AI tools directly in the browser, grant them calendar and meeting access without a second thought, and IT often times never sees it happen. WebinarTV is an unusually visible consequence of that, but the underlying exposure is much broader because any extension with calendar permissions can see meeting links, attendee lists, and in some cases join URLs.

If you run a security program, the WebinarTV story is a useful conversation-starter for adjusting internal policies regarding browser extensions on corporate equipment. Browser extensions that touch calendar or meeting data should probably require explicit approval, not just user discretion.

Whether to ban web browser extensions all together is a conversation for another day.

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

• Do you own a Smart TV? If so, you won’t want to miss this reader fav post Smart TV Privacy Settings: How to Disable Tracking on Every Brand.

If you’re reading this but haven’t yet signed up, join for free (4.7K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

“How are companies getting my phone number? I never gave it to them.”

A recent example from a privacy forum illustrates the problem.

Someone recently visited the Samsung website for the first time, browsed a few phone models to compare prices, and left without adding anything to a cart or entering any information. The next day, Samsung called to ask why they hadn’t completed a purchase.

The person didn’t create an account, didn’t fill out a form and didn’t buy anything. He simply visited a website.

So how did Samsung get this guy’s phone number?

The short answer is that he probably did give his number to them, just not to Samsung directly. The mechanism connecting those two facts is called identity resolution, and understanding it changes how you think about every form field you’ve ever filled out online.

Subscribe now

You may recall that last month we ran a test on a free reverse phone lookup site.

We entered a family member’s phone number and got back his full name, home address, estimated income range, and a list of domain names he’d registered years ago and largely forgotten. We didn’t have to create an account or even make a payment. We typed in a 10-digit number and had detailed results a few seconds later.

That post was about what gets exposed once your phone number is in the data broker ecosystem. This situation is different and about how your number keeps getting passed around to companies even after you’ve done everything right.

What’s Actually Happening

When you visit a website, your browser sends a set of signals, such as your IP address, device type, browser version, and a collection of behavioral fingerprints that are surprisingly unique to you.

Most of that sounds familiar. What’s less understood is what happens to those signals next.

Companies like LiveRamp, Neustar, and Tapad maintain what the industry calls “identity graphs”. Translated, that means databases linking device fingerprints, IP addresses, cookies, and mobile advertising IDs to real-world identifiers: names, email addresses, and phone numbers.

These graphs are built from years of data collected across millions of websites and apps. One company’s graph covers more than 260 million U.S. profiles.

When you visit a site carrying one of their tracking pixels, your signals get matched against that graph. If you ever entered your phone number into any form on any site carrying one of their trackers, such as a a checkout page, a loyalty program signup, a contact form, that number is now linked to your device. The site you’re visiting today can surface it, even if you’ve never interacted with that company before.

This is distinct from what session replay tools do (recording your keystrokes in real time, which we covered previously - see here) and from what reverse phone lookup sites do (serving your data to anyone who searches).

Identity resolution is the layer that feeds both of those systems. It’s also why opted-out data broker profiles keep reappearing a few weeks after removal.

Share

The Phone Call is the Least Of It

Getting an unexpected phone call from a retailer is annoying. That’s the visible effect, and it’s the one that tends to generate Reddit threads.

What happens beneath the surface is considerably more significant.

When identity resolution links your browsing behavior to your real phone number and name, it doesn’t just enable that call. It creates a behavioral record that is attached to your actual identity. That could include a wide array of activities like what health symptoms you researched at 11pm, whether you spent time on a bankruptcy attorney’s site, what political content you engaged with, how often you visited a payday loan page.

That record flows into the same data broker ecosystem we covered in our reverse phone lookup post. From there, it becomes accessible to insurance underwriters, employers running background checks, lenders running risk models, and anyone else paying for enriched consumer profiles.

The call is visible. The downstream use of the behavioral profile built in the process of identifying you is not.

There’s no notification, no audit trail, no way for most people to know what inferences have been drawn from their browsing history or how those inferences are affecting decisions made about them.

This is also why the standard privacy advice, such as opting out of data brokers, use incognito mode, clear your cookies, doesn’t address the actual problem. Incognito mode doesn’t prevent a site from running identity resolution scripts. Clearing cookies doesn’t erase your entry from an identity graph. And opting out of data brokers removes the current record but doesn’t stop the graph from re-linking your number to your device the next time you visit a tracked site.

One Thing You can Do Right Now

Stop using your primary phone number for anything outside trusted personal contacts and critical financial accounts. Every loyalty program, app signup, online order, and form gets a secondary number.

A Google Voice number works as a starting point (even if it does create a Google nexus). A prepaid SIM (a $5-10 card that reloads automatically) is more robust, since VoIP numbers are increasingly flagged by sites requiring verified numbers.

The secondary number can be handed out freely. Your real number stays out of the identity graphs, which means it stops accumulating behavioral data linked to your actual identity.

This is the correct upstream intervention. It’s why we recommend it in the reverse phone lookup post as a long-term protection strategy. Now you know the mechanism that makes it work.

The identity resolution industry is actively developing ways to maintain these graphs even as third-party cookies disappear. The infrastructure is expanding, not contracting. If you’ve wondered why your data broker profiles keep coming back after removal, or why a company seems to know more about you than you ever told them, this is the system responsible.

Reply and let us know: did you already suspect something like this was happening, or is this new information?

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Do you own a Smart TV? If so, you won’t want to miss this post from our three part series on how To make your smart TV less creepy.

If you’re reading this but haven’t yet signed up, join for free (4.7K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

That post created a hypothetical scenario about a woman we called “Tina” whose Instagram account gets taken over by a bad actor who then uses her real photos for exploitation.

We wrote that as a warning of where things were heading. As it turns out, a federal court case proved us right almost detail for detail.

Subscribe now

In late February, a 22-year-old Alabama man named Jamarcus Mosley pled guilty to computer fraud, extortion, and cyberstalking after hijacking the social media accounts of hundreds of young women, including minors, over a three-year period.

And shortly before that, a 27-year-old Illinois man named Kyle Svara pled guilty to hacking nearly 600 women’s Snapchat accounts. He sold and traded their stolen private photos online and even offered his hacking services on Reddit.

Two men. Two guilty pleas. Nearly 900 victims combined. And neither one used any sophisticated hacking tools.

The Back Door to Your Account

Both of these cases relied on the same basic approach, and it’s worth understanding because it does not require technical skill. It’s social engineering, which means manipulating people into giving up information they shouldn’t.

Think of it this way.

Your social media account has two doors. The front door is your password.

Most people have gotten reasonably good at locking that one (or at least they know they should). The back door is your account recovery system, the process platforms use to help you get back in when you’re locked out. That back door is now a huge target.

In both federal cases, the attackers didn’t crack passwords. They tricked victims into handing over the keys to the back door.

Share

Two Cases, One Playbook

The Mosley Case

According to the U.S. Attorney’s Office for the Northern District of Georgia, Mosley ran his scheme from April 2022 through May 2025. His method was straightforward. He would use an already-compromised account belonging to a victim’s actual friend to reach out on Instagram or Snapchat. Because the message appeared to come from someone the victim knew and trusted, the request seemed legitimate.

In one case, Mosley used an Instagram account belonging to a 20-year-old Georgia woman’s high school friend. Pretending to be that friend, he asked the woman to help him recover “his” Snapchat account. She provided a recovery passcode, not realizing it was for her own account. Mosley used it to take full control, accessed her private images and videos, and then threatened to post them unless she complied with his demands.

When an 18-year-old Florida woman refused his demands for additional explicit photos, Mosley followed through on his threat and posted her stolen private photos publicly. He also targeted a 17-year-old in Illinois, tricking her into sharing her Snapchat “My Eyes Only” passcode. He then used her compromised account to contact her 13-year-old sister, sending a Snapchat map screenshot to show he knew where the younger girl lived.

The case was investigated by the Kennesaw Police Department and the U.S. Secret Service.

(Sources: BleepingComputer, WSB-TV, FOX 5 Atlanta, Marietta Daily Journal)

The Svara Case

Svara’s operation ran from May 2020 through February 2021. He took a slightly different approach.

Instead of impersonating friends, he posed as a Snapchat support representative. When his unauthorized login attempts triggered Snapchat’s security system to send verification codes to victims’ phones, he would text the victims using a free VoIP service and ask them to share those codes. He contacted over 4,500 women. Roughly 570 provided the codes, and he accessed at least 59 of their accounts to download private images.

Svara then sold or traded the stolen photos on internet forums and advertised on Reddit that he could hack Snapchat accounts on demand. One of his paying clients was Steve Waithe, a former Northeastern University track and field coach who hired Svara to hack the accounts of student athletes he had coached. Waithe was sentenced to five years in federal prison in 2024 for cyberstalking and sextortion.

(Sources: The Record, CBS Chicago, Reuters via U.S. News, BleepingComputer)

This Is a Pattern, Not an Anomaly

These two cases are not outliers. They are part of a well-documented surge.

The FBI has reported a significant increase in sextortion cases involving minors in recent years. In fact, we wrote a heartbreaking post earlier in the year about a teen boy who took his own life because of a sextortion scam. See here:

But between October 2021 and March 2023 alone, the FBI and Homeland Security Investigations received over 13,000 reports of online financial sextortion of minors, involving at least 12,600 victims. At least 20 of those victims died by suicide. The FBI observed a 20% increase in financially motivated sextortion reports involving minors in a six-month period compared to the prior year.

The National Center for Missing & Exploited Children (NCMEC) reported that online enticement reports increased by more than 300% between 2021 and 2023. Research published by Thorn in late 2025 found that one in five teens reported experiencing sextortion.

And on Safer Internet Day in February 2026, just weeks before the Mosley plea, the FBI issued yet another public warning about the growing threat.

(Sources: FBI Nashville, FBI Kansas City / Safer Internet Day 2026, NCMEC via Our Rescue, Thorn)

Recovery Codes Are the New Passwords

What stands out about these two cases is not that they happened. We know sextortion is a rapidly growing criminal activity. Rather, it’s how these cases happened.

Neither Mosley nor Svara needed to write a single line of code. They didn’t exploit a software vulnerability. They didn’t deploy malware. They used the platform’s own account recovery process as a weapon. Mosley impersonated friends. Svara impersonated Snapchat support. Both convinced real people to hand over recovery codes voluntarily.

This is the evolution we flagged in the 2024 article. Back then, the dominant threat was credential stuffing, where attackers take stolen username/password combos from data breaches and try them on other platforms. That’s still a problem, and password managers remain essential protection against it.

But attackers have adapted.

As more people adopt stronger passwords and two-factor authentication, the attack surface has shifted to the recovery process itself. Recovery codes bypass your password entirely. They bypass your two-factor authentication. They are designed to be the override, and that makes them the most valuable target.

The reality is that platform security features designed to help you regain access are now being turned against you. And the platforms have done very little to address this. Snapchat’s recovery process was exploited in both of these cases across a span of five years, from 2020 to 2025.

If these cases involved one isolated attacker, you could dismiss it. Two separate federal cases with nearly 900 combined victims should make it clear that this is a pattern, not an anomaly. And while these cases targeted young women, the underlying technique works on anyone. It only requires trust and a recovery code.

Most of the advice you’ll find about protecting yourself online still focuses on passwords. Use a strong one, don’t reuse them, get a password manager.

That’s all still true and it’s necessary. But it’s not sufficient anymore. The attack vector in these cases bypasses all of it.

There are specific steps you can take to protect yourself and your family against recovery code attacks. Some are settings you can change today in about five minutes. Others require a shift in how you think about account security altogether.

What You Can Do About It

Read more

Most people who try to DIY opt out give up because the scope feels unmanageable. Dozens of sites, each with its own form, its own verification step, its own timeline. The project looks like it measures in days.

Turns out the math is more forgiving than it appears (at least a little).

Subscribe now

What most opt-out guides don’t tell you is that a significant share of the data broker industry is owned by a small number of parent companies. Which means those parent companiess typically run a single opt-out process across all their properties.

Why is that good?

Because one submission can remove you from a dozen sites at once. Work through a handful of the right processes in the right order and you’ve covered far more ground than the site count suggets.

Free opt-out lists you find online tend to miss this entirely. They give you a column of URLs and leave you to figure out the rest. The ownership layer (i.e. which sites share a process, which submissions are redundant, which ones actually matter) usually isn’t there.

Understanding that structure is what separates people who make real progress from people who spend a weekend on it and still feel like they’ve barely started.

To help with that, we just released the Data Broker Opt-Out Tracker. It’s a formatted Excel workbook covering 76+ of the highest risk data broker sites. Best of all, it’s organized by parent company, priority tier, and what each opt-out actually requires.

It includes step-by-step instructions for each site and a built-in status tracker so you don’t lose your place. The goal is to give you a clear picture of how the industry is structured and a logical path through it, rather than just a list of links.

Annual paid subscribers get it free. Everyone else can grab it for $19, which includes lifetime updates to the tracker.

Grab your copy here —> Data Broker Opt-Out Tracker: 70+ Brokers with Direct Links, Methods, and Notes

If you’ve been putting off the opt-out process because it felt like too much, the consolidation in this industry works in your favor, you just need to know where it is.

Share Secrets of Privacy

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

That’s a problem, because some of these settings genuinely matter. They determine what happens to your account if you die, whether a thief can lock you out of your own Apple ID, and how much of your data Apple itself can access.

This post covers nine settings worth your attention. Some are foundational. Others are more situational. All of them are overlooked by the vast majority of iPhone users.

You don’t need to enable all nine today. But you should at least know they exist.

Note for paid subscribers - we added two extra privacy/security features just for you at the end. 🎁

Subscribe now

Two-Factor Authentication

Two-factor authentication is the baseline. If you haven’t enabled it, nothing else on this list matters much.

Here’s how it works: when you sign into your Apple ID on a new device, Apple sends a six-digit verification code to a device you already trust. Without that code, your password alone isn’t enough to get in.

This protects you from the most common attack vector: someone who’s obtained your password through a phishing attempt, a data breach, or simple guessing. Even if they have the password, they’re stuck without physical access to one of your trusted devices.

If you created your Apple ID in the last few years, two-factor authentication may already be enabled. But it’s worth checking.

To verify or enable: Settings > [your name] > Sign-In & Security > Two-Factor Authentication.

If it’s off, turn it on. If it’s on, make sure your trusted phone numbers are current. That list is critical because if you lose access to all your trusted devices and your trusted phone numbers are outdated, recovery becomes significantly harder.

Recovery Key

A recovery key is a 28-character code that serves as a backup way into your Apple ID if you ever get locked out.

Once you enable a recovery key, Apple can no longer help you regain access to your account. The usual “forgot password” flow that relies on Apple verifying your identity? Gone. You’re on your own.

That might sound scary, but for privacy-conscious users, it’s actually a feature. It means Apple doesn’t have a back door into your account. No one at Apple can reset your password, which means no one can be socially engineered or legally compelled to do so either.

So the catch here is kind of obvious. If you lose your recovery key and get locked out, you’re done. There’s no appeal process. There’s no customer service escalation that will save you. Your account and everything in it (photos, documents, purchases, etc.) becomes permanently inaccessible.

To enable: Settings > [your name] > Sign-In & Security > Account Recovery > Recovery Key.

If you enable this protection, be sure to write the code down. Store it somewhere physically secure and separate from your devices. A safe deposit box or at home firebox are great locations. Treat it like you’d treat a passport or a birth certificate.

Share

Recovery Contacts

Recovery contacts offer a softer alternative to the recovery key.

Instead of relying entirely on a code you might lose, you designate one or more people you trust. If you ever get locked out, Apple can send them a verification code that helps confirm your identity. They don’t get access to your account, rather, they’re just vouching for you.

This is a good option for people who want a safety net but aren’t ready to go full self-sovereign with a recovery key. It’s also a reasonable complement to a recovery key, giving you multiple paths back into your account if something goes wrong.

To add a recovery contact: Settings > [your name] > Sign-In & Security > Recovery Contacts

Choose someone who’s reliable, who won’t lose their own phone, and who you’ll still be in contact with years from now. You can add multiple people if you want redundancy.

One thing to keep in mind: recovery contacts won’t help you if you’ve enabled a recovery key and lost it. The recovery key overrides everything. So think of these as two different approaches rather than layers that stack on top of each other.

Legacy Contact

Here’s a question most people don’t think about: what happens to your Apple ID when you die?

By default, the answer is “nothing good.” Your family can’t access your account. They can’t retrieve your photos, your documents, your messages. Apple’s policy is to protect your privacy, even posthumously, which means your data stays locked unless someone navigates a complicated legal process involving death certificates and court orders.

A legacy contact changes that.

You designate someone, such as a spouse, a family member, or a trusted friend, and share an access key with them. When you die, they combine that key with a copy of your death certificate to gain access to your account. They can download your data, manage your digital legacy, and eventually memorialize or delete the account.

To set up a legacy contact: Settings > [your name] > Sign-In & Security > Legacy Contact > Add Legacy Contact.

You’ll be prompted to share an access key with the person you choose. You can send it digitally or print a physical copy. Either way, make sure they know where to find it and what it’s for.

This setting is especially important if you have photos or documents that would matter to your family. Without a legacy contact, those memories might be lost forever.

Subscribe now

Advanced Data Protection for iCloud

This is the most significant privacy setting Apple has introduced in years, and few people use it. Here’s a quick overview.

When you store data in iCloud, Apple encrypts it. But for most data types, Apple holds the encryption keys. That means Apple can technically access your data if they choose to or if they’re compelled to by law enforcement. Your iCloud backups, your photos, and your notes can be ready by Apple if the circumstances demand it.

Advanced Data Protection changes the equation. When you enable it, end-to-end encryption extends to almost everything in iCloud: backups, photos, notes, reminders, voice memos, and more. Apple no longer holds the keys. Only your devices can decrypt the data.

The practical effect is that your iCloud data becomes genuinely private. Even Apple can’t access it. Neither can hackers who breach Apple’s servers. Neither can government agencies serving Apple with warrants.

To enable: Settings > [your name] > iCloud > Advanced Data Protection > Turn On Advanced Data Protection.

Apple will require you to set up account recovery first, either a recovery contact or a recovery key. That’s because if you get locked out with Advanced Data Protection enabled, Apple can’t help you. There’s no fallback.

This setting isn’t for everyone. If you’re worried about losing access to your account, the standard iCloud encryption is probably fine. But if you care about privacy and you’re disciplined about account recovery, this is one of the most meaningful steps you can take.

Share Secrets of Privacy

Stolen Device Protection

Stolen Device Protection is relatively new, and it addresses a specific nightmare scenario that’s become increasingly common.

Think of a thief who watches you enter your passcode in public, such as a bar, on the subway, or concert. Then they steal your phone. With your passcode, they can change your Apple ID password, disable Find My iPhone, and lock you out of your own account. By the time you realize what’s happened, your digital life is gone.

Stolen Device Protection adds friction to this attack.

When it’s enabled, certain sensitive actions, like changing your Apple ID password, turning off Find My, or accessing saved passwords, require Face ID or Touch ID authentication. A passcode alone won’t work. And for the most critical actions, there’s also a one-hour security delay, but only when you’re away from familiar locations like your home or workplace.

The idea is that a thief can’t make irreversible changes to your account in the few minutes after stealing your phone. You have time to remotely lock or erase the device before they can do real damage.

To enable: Settings > Face ID & Passcode > Stolen Device Protection.

There are two levels: “Standard” applies the protections only when you’re away from familiar locations. “Always On” applies them everywhere. For most people, “Standard” strikes the right balance between security and convenience.

Significant Locations

This one’s less about security and more about awareness.

Your iPhone quietly tracks the places you visit most frequently. Apple calls these “Significant Locations,” and the stated purpose is to improve personalized services. Think predicting traffic, surfacing relevant photos, that sort of thing.

In practice, it means your phone maintains a detailed log of where you go and when.

Some people are fine with this. Others find it unsettling to discover that their phone has been silently building a dossier on their movements. Either way, you should probably know it’s happening.

To view or disable: Settings > Privacy & Security > Location Services > System Services > Significant Locations.

You’ll need to authenticate with Face ID or your passcode to access this menu. Once you’re in, you can see the history, like a list of cities and specific locations, with timestamps. You can clear the history, turn off the feature entirely, or leave it on if you find the personalization useful.

There’s no right answer here. It’s a personal decision based on how you weigh convenience against surveillance. But it’s a decision you should make consciously, not one that’s made for you by default.

Safety Check

Safety Check is designed for people in dangerous situations, such as domestic abuse, stalking, controlling relationships. But it’s useful for anyone who wants to quickly audit and revoke the access they’ve granted over time.

When you open Safety Check, you get two options: “Emergency Reset” and “Manage Sharing & Access.”

Emergency Reset is the nuclear option. It immediately stops sharing your location with everyone, resets privacy permissions for all apps, limits FaceTime and Messages to the device in your hand, and signs you out of iCloud on your other devices. It’s designed for someone who needs to cut ties quickly and completely.

Manage Sharing & Access is more surgical. It walks you through who has access to your location, which apps have permissions, and which devices are signed into your account. You can revoke access selectively, without blowing everything up.

To access: Settings > Privacy & Security > Safety Check.

Even if you’re not fleeing a dangerous situation, this is a useful tool. Over the years, you accumulate sharing relationships and app permissions that you forget about. Safety Check lets you see it all in one place and clean house if needed.

Subscribe now

App Privacy Report

App Privacy Report gives you visibility into what your apps are actually doing.

Once you enable it, your iPhone tracks how often each app accesses sensitive data: your location, your camera, your microphone, your contacts, your photos. It also shows you which network domains each app contacts, revealing who they’re sending data to behind the scenes.

The results can be illuminating. Some apps access your location hundreds of times a week even when you’re not using them. Others reach out to dozens of tracking domains the moment you open them. The information is all there, you just have to look.

To enable: Settings > Privacy & Security > App Privacy Report > Turn On App Privacy Report.

Check it periodically. If an app’s behavior seems disproportionate to its function (e.g. a flashlight app hitting your location every hour or a game contacting dozens of ad networks), that’s a signal worth paying attention to.

Final Thought

None of these settings will make your iPhone perfectly private. iOS is still a closed system controlled by Apple, and Apple’s interests don’t always align with yours. Though it’s worth noting that the GrapheneOS project recently said that an iPhone 17 is the best private phone option behind a Pixel running their OS. 👇

But these nine settings represent the controls Apple does give you. Most people never touch them. Now you know where they are and what they do.

Pick a few. Enable them. And if you found this useful, share it with someone who could use the nudge.

Friendly Ask

If you found this helpful or informative, chances are your friends and family will as well. Please share it with them to help spread awareness about the looming VPN bans.

Share

Two More (For Paid Subscribers)

Two more settings below, for paid subscribers only. The first addresses an attack vector that lets someone intercept your two-factor authentication codes and take over your accounts without ever touching your phone. The second stops email senders from tracking exactly when you read their messages and where you were when you did it. Both are fixable in minutes. Both are worth knowing about.

Read more

Your anonymous internet identity can now be unmasked for $1.

A research paper from ETH Zurich and Anthropic titled “Large-scale online deanonymization with LLMs” made the rounds, and the reaction was predictably alarmist.

Posts racked up millions of views. The framing was almost universally that AI has killed online anonymity, your Reddit throwaway is compromised, and it only costs a dollar.

Here’s a sample (pardon the language):

After reading the actual paper (twice), we decided the reality is more nuanced than the headlines suggest, but it’s also more concerning in ways that most of the social media commentary missed entirely.

The short version:

the current results are uneven, and the “unmask anyone for $1” framing is an exaggeration. But the trajectory of this technology is what should concern you.

The techniques demonstrated in this paper will get better, fast. And most people’s online habits are not remotely prepared for where this is heading.

This post tackles the following:

1. What the researchers actually found (and what they didn’t)

2. Explains the four-step pipeline that makes this work

3. Gives you our honest take on where the real risk sits today

4. Then walks through a concrete defensive playbook for future-proofing your digital anonymity before this technology matures.

Let’s start with what actually happened.

Subscribe now

What the Researchers Actually Found

The paper tests several different scenarios, and the results vary widely.

In the most impressive demonstration, the researchers gave an AI agent anonymized interview transcripts from 33 scientists and asked it to figure out who they were. No names, no usernames, no direct identifiers.

The agent searched the web on its own, cross-referenced details against published papers and university profiles, and correctly identified 9 of the 33 scientists. When it made a guess, it was right 82% of the time. (source)

In a separate test on Reddit, the system matched pseudonymous users to their real identities at rates between 25% and 52%, depending on the community.

Those are real results, and they’re concerning. But let’s put them in perspective: most people in these experiments were not identified. A 27% success rate is not the all-seeing surveillance tool the viral posts implied.

So why are we still writing about this?

Three reasons.

First, the cost: the entire experiment cost about $2,000, roughly $1 to $4 per person targeted. A year ago, this kind of investigation would have required a skilled human spending hours on a single target.

Second, the comparison to older methods: classical deanonymization techniques scored close to 0% on these same tasks. LLMs didn’t just improve the old approach. They made an entirely new category of attack possible.

Third, and most important, the trajectory: the researchers found that simply increasing the model’s reasoning effort doubled the success rate in some tests. As models get smarter and cheaper (both of which are happening fast), these numbers will climb.

To understand why this works and where you’re vulnerable, you need a simple framework.

The Mental Model: Death by a Thousand Data Points

Think of every piece of information you share online as a coordinate on a map. Your city is one coordinate. Your profession is another.

The programming language you use, the dog breed you own, the college you attended, the subreddit you comment in. Individually, none of these coordinates are identifying. Millions of people live in Portland. Thousands are software engineers. Hundreds have golden retrievers.

But the intersection of all your coordinates is almost certainly unique. There’s probably only one software engineer in Portland who has a golden retriever named Biscuit, graduated from Stanford, and has strong opinions about the Rust programming language.

In privacy research, these little details are called “micro-data.”

The concept goes back to Latanya Sweeney’s landmark research in the late 1990s, where she demonstrated that 87% of the U.S. population could be uniquely identified using just three data points: ZIP code, gender, and date of birth. (source) That finding was later debated (some researchers put the figure closer to 63%), but the core principle is that combinations of ordinary facts about you form a fingerprint.

The problem has always been that exploiting this was hard.

Your micro-data was scattered across different platforms, buried in unstructured text, and connecting the dots required a skilled human investigator spending hours or days on a single target. That made mass deanonymization impractical. Only high-value targets (journalists, activists, political dissidents) were worth the effort.

LLMs remove that bottleneck.

How the Attack Actually Works

The researchers designed a four-step framework they call ESRC: Extract, Search, Reason, Calibrate. Understanding each step matters because it reveals where you’re most vulnerable.

Extract. An LLM reads all of your posts on a given platform and builds a structured profile. It pulls out stated facts (you mentioned living in Austin), inferred facts (you seem to be in your 30s based on cultural references), and incidental disclosures (you mentioned walking your dog through a specific park). The model is remarkably good at this. It picks up on things you’d never think to scrub, like:

• spelling patterns that reveal your nationality

• niche technical knowledge that narrows your field

• opinions on local politics that pin you to a region

Search. Your extracted profile gets converted into a mathematical representation (an embedding) and compared against a database of candidate profiles. In the Reddit experiment, the candidate pool was 10,000 users. The system uses semantic similarity to find the closest matches, returning the top candidates most likely to be you.

Reason. This is the step that separates AI deanonymization from older techniques. Instead of simply returning the closest mathematical match, the system feeds the top candidates into a more powerful reasoning model. That model examines each candidate’s profile against yours, looking for confirming evidence and contradictions. It weighs rare attributes more heavily than common ones. It catches false positives that pure pattern-matching would miss.

Calibrate. Finally, the system assigns a confidence score. When it’s uncertain, it abstains rather than guessing wrong. This is what gives the attack its high precision. In fact, the researchers tuned it so that when the system does make a prediction, it’s right roughly 9 out of 10 times.

The researchers benchmarked their approach against a classical technique modeled on the famous Netflix Prize deanonymization attack from 2008, where researchers proved they could identify Netflix users by matching their anonymous movie ratings against public IMDb profiles. (source)

Across every experiment mentioned above, the classical method achieved close to 0% success on unstructured text. Not low success. Effectively zero.

What this means is that before LLMs, there was no viable way to deanonymize people from the kind of content they actually post online.

The Full Picture: What They Tested and What It Actually Proves

The researchers ran several different experiments. It’s important to understand what each one does and does not demonstrate, because the headlines tend to blur them together.

Experiments that actually unmask real identities:

The scientist interviews and the Reddit-to-real-identity tests are the most relevant results for most people. These show the system taking anonymous text and producing a real name.

The success rates (25-52% on Reddit, 27% on interview transcripts) are moderate but meaningful, especially at the price point. And the system is selective. When it isn’t confident, it abstains rather than guessing wrong, which means the guesses it does make are right roughly 80-90% of the time.

Cross-platform professional matching:

The researchers also collected 987 LinkedIn profiles linked to Hacker News accounts and tried to match them. After stripping out names, URLs, and other direct identifiers from the Hacker News side, the LLM pipeline correctly matched 55% of users at 90% precision, climbing to 45% recall even at 99% precision. (source)

A significant caveat: these users had voluntarily linked their Hacker News and LinkedIn accounts, which means they probably weren’t trying to stay anonymous. People who publicly connect accounts across platforms tend to share more identifying details in their posts. The researchers acknowledge this bias. This number likely overstates the success rate against a genuinely privacy-conscious user.

Experiments that link anonymous accounts to each other (but don’t reveal real names):

The researchers also tested whether the system could determine that two anonymous accounts belong to the same person. This is different from unmasking someone, but it’s still a serious threat. If an attacker can link your throwaway Reddit account to your main account, or connect your posts across different forums, they can build a much richer profile even without knowing your name.

In the strongest of these tests, they split 5,000 Reddit users’ comment histories into “before” and “after” halves separated by a one-year gap, then tried to match them. The full pipeline correctly re-linked 67% of users at 90% precision from a pool of 10,000 candidates. (source)

In a harder test using movie discussions across different subreddits, success rates were lower but still meaningful. Users who discussed ten or more of the same movies were identified at a 48% rate. Users who shared only a single movie title were caught just 3% of the time. (source)

The classical (non-AI) baseline achieved close to 0% in both of these scenarios.

What the scaling projections suggest:

When the researchers extrapolated their results to larger candidate pools (closer to real-world scale), the numbers dropped but didn’t collapse. At a projected 1 million candidates, the LLM approach still estimated roughly 35% recall at 90% precision for account linking. (source - figure 7a) These are rough projections, not guarantees. But they suggest that even at internet scale, the approach doesn’t just fall apart.

Our Take: Not an All-Seeing Eye, But the Threat Is Real for Specific People

We covered the cost and trajectory arguments above, so no need to repeat them. Instead, let’s focus on who should actually be concerned right now, because the answer isn’t “everyone equally.”

Even at today’s moderate success rates, this technology is dangerous for people in specific situations.

If a government wants to identify activists posting on an anonymous forum, they don’t need to unmask everyone. Identifying 25-30% of the users, with high confidence, is more than enough to have a chilling effect. If someone going through a bitter divorce wants to find their ex-spouse’s anonymous Reddit account, they only need to succeed once.

The researchers flag governments targeting journalists, corporations building advertising profiles from forum posts, and attackers crafting targeted social engineering campaigns. Here’ a more mundane threat that is underappreciated:

anyone in a personal dispute with both motivation and a few hundred dollars. Custody battles, workplace conflicts, stalking. The barrier to running this kind of investigation has dropped from “hire a professional investigator” to “use an API.”

And remember, the 25% rate today could be 50% in a year. The account-linking capability that hits 67% today could approach near-certainty on active users. The time to build good habits is before you need them.

What Legislators and Platforms Are Getting Wrong

Most privacy regulation was designed for a world where the threat was structured data, such as databases, tracking cookies, browsing histories. The regulations ask companies to anonymize datasets by removing names and direct identifiers. The entire framework of data protection, from GDPR’s pseudonymization provisions to HIPAA’s Safe Harbor method, assumes that if you strip out the obvious identifiers, the remaining data is reasonably safe.

This research demonstrates that unstructured text (your comments, your posts, your forum contributions) is just as identifying as structured data, possibly more so. And no current regulatory framework addresses this. The data that makes online communities valuable is the same data that makes you identifiable.

Platforms aren’t much better positioned. Reddit, Hacker News, and most forums make user post histories publicly accessible by default. That’s a design choice that made sense when parsing those histories required human effort. It makes far less sense when an AI can process every comment you’ve ever written in seconds.

Whether the current success rates worry you or not, the direction is clear. And the defensive steps that work against today’s pipeline will work even better against tomorrow’s. The attack has specific vulnerabilities at each stage, and understanding those vulnerabilities gives you a real playbook for reducing your exposure.

Your Defensive Playbook: Disrupting Each Stage of the Attack

Read more

Colorado’s Senate passed a copycat bill two days ago (which we covered here). Mexico just mandated biometric identity for all 127 million cell phone lines. And the federal versions of COPPA 2.0 and KOSA are advancing through committee.

These are not separate policy experiments. They are the same infrastructure being built at every layer of the digital stack, but under different names, across different jurisdictions, and justified by different rationales. The end result is the same though:

verified identity tethered to digital access.

I want to walk through the layers quickly, because the shape of this matters more than the details of any single bill.

Subscribe now

The Layers

Connectivity. Mexico enacted a law on January 9 requiring every cell phone line in the country to be biometrically linked to a government-credentialed individual by June 30. Fingerprints, iris scans, facial recognition, all tied to the national ID system.

Unregistered lines get suspended July 1. Mexico’s Supreme Court struck down a nearly identical law in 2022 as unconstitutional. The government repackaged it, and this time it appears to be sticking. In fact, registration is already underway, carriers are collecting biometric data at point of sale, and legal challenges have so far failed to stop the rollout.

Operating system. California’s AB 1043, signed by Governor Newsom in October, requires every operating system provider (Windows, macOS, iOS, Android, Linux, etc.) to collect user age at account setup and broadcast an age bracket signal to app developers via API. It takes effect January 1, 2027. Colorado passed SB26-051 through the Senate on March 3, modeled directly on AB 1043. New York has a version in committee. The OS-level approach is already replicating before California’s law even takes effect.

App store. Texas, Utah, and Louisiana have each passed App Store Accountability Acts requiring app stores to verify every user’s age and obtain parental consent for minors before any app download. Texas’s version was blocked by a federal judge in December as a likely First Amendment violation. A federal version (S.1586 / H.R.3149) is moving forward anyway, backed by 40 state attorneys general and bipartisan sponsors.

Platform. COPPA 2.0 would extend regulated privacy protections from children under 13 to everyone under 17, ban targeted advertising to minors, and create an “eraser button” for personal data. KOSA would impose safety-by-design obligations on platforms.

Both advanced through a House subcommittee in December alongside 16 other child safety bills. The House versions are narrower than the Senate versions largely because of preemption clauses that would override stronger state-level protections.

Same Infrastructure, Different Excuses

The justifications for these laws vary by jurisdiction:, but here are the most common:

• Child safety in the United States.

• Content regulation in Brazil (whose OS-level age verification law takes effect March 17).

• Crime prevention in Mexico.

Once every layer of the digital stack requires identity verification, anonymous or pseudonymous digital existence does not just become illegal. It becomes nearly impossible to architecture around. There is no layer left to opt out of.

Share

The Federal App Store Accountability Act

I posted a deep dive on X last week breaking down the federal App Store Accountability Act. Proponents of the ASAA are using the language of parental empowerment to promote the bill. There are three problems with that:

1. the bill creates a universal identity verification system that applies to every smartphone user in the country - including adults

2. the tools it claims to provide already exist, for free, on every iPhone and Android device right now

3. the App store accountability concept is being pushed by Meta/facebook’s own Mark Zuckerberg

Our article covers the privacy paradox at the heart of the bill (the liability structure incentivizes overcollection, not minimization), the rhetorical funnel that makes these laws politically impossible to vote against, and why the infrastructure they create will inevitably be repurposed.

Read it here if you haven’t already:

And if you have kids and want to see what actual parental empowerment looks like without identity verification databases, our free First iPhone Ready course walks you through the entire setup in 45 minutes or less. No government ID required. Click the image below to get your copy.

That’s a high level overview of the current attack on digital anonymity. And I didn’t even mention what’s going on in the United Kingdom.

Provided there’s enough interest, I will cover this topic in more depth as these bills advance. Log your vote below on whether I should continue covering this topic in the newsletter (I’m sure it’ll come up on X and Substack Notes).

Share Secrets of Privacy

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Governments around the world are starting to crack down on VPNs, and not the usual suspects like Russia, China, and North Korea. VPN bans are being proposed in Western countries as well, such as the United Kingdom and the United States. Get up to speed on the latest (and how to prepare) here:

If you’re reading this but haven’t yet signed up, join for free (4.5K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

Not the kind that just tells you whether it’s a landline or cell. The kind that pulls up names, addresses, income estimates, and more.

With a family member’s permission, we ran his primary cell phone number through the site. Within seconds, the results came back:

full name, home address, estimated income range, and, perhaps most unsettling, several domain names he had registered years ago (including a few that were, let’s say, not ones he’d want a coworker or client finding).

No account required. No payment. Just a phone number and a few seconds of patience. Here’s a sample from the free, no registration-required report. 👇

We name the specific site down below, and also walk you through the other tools in this ecosystem and lay out the exact steps to scrub your information from all of them.

But first, let’s talk about why this matters and who’s already using these tools in ways most people haven’t considered.

Subscribe now

The Phone Number Problem

Your phone number is no longer just a way to reach you. It’s now a key that unlocks your entire identity.

Think about how many places have your phone number.

• Your bank.

• Your doctor.

• Many (if not most) apps on your phone.

• Every online account that uses two-factor authentication.

• Every delivery service, every loyalty program, every time you’ve scribbled it on a form at a checkout counter.

Your phone number is the single most connected piece of personal data you own. And unlike an email address, which most people have several of, most people have one phone number, and they’ve had it for years.

That persistence is the problem.

A phone number is a unique, long-lived identifier that ties together your financial life, your digital life, and your physical address into one searchable package. And a growing ecosystem of websites makes all of that searchable by anyone, for free.

Who’s Actually Using This (And Why You Should Care)

The obvious fear is hackers and stalkers. But the more likely (and arguably more insidious) misuse cases are the ones most people never think about:

A potential employer. You applied for a job. The hiring manager Googles you, sure. But a quick reverse phone lookup on the number from your resume? Now they know your home address, an estimated income range (which gives them leverage in salary negotiations), and maybe your past addresses, which could reveal things about your background you didn’t volunteer.

A car salesman. You walked onto the lot and filled out a “just looking” card with your phone number. Before you’ve finished your test drive, the salesperson has looked you up, knows your approximate income, and has tailored their pitch accordingly. This isn’t hypothetical, OSINT tools are increasingly marketed for sales and lead qualification.

A date. You exchanged numbers with someone on a dating app. Before the first coffee, they’ve got your full name, home address, and whatever else the lookup returns. For most people, that’s just creepy. For someone escaping an abusive situation, it could be dangerous.

A scammer. Phone-based social engineering attacks become dramatically more convincing when the caller already knows your name, address, and approximate financial situation. “Hi, this is [your bank] calling about suspicious activity at your [your actual address]” hits differently when every detail checks out.

A neighbor, an angry commenter, a political opponent. Doxxing, the act of publicly revealing someone’s private information to harass or intimidate them, often starts with nothing more than a phone number.

Share

This Is a Real and Growing Threat

The data broker industry, which collects, packages, and sells personal information, is enormous.

According to Grand View Research, the global data broker market was valued at roughly $278 billion in 2024 and is projected to surpass $512 billion by 2033. (source) These companies aggregate information from public records, app usage, purchase histories, and dozens of other sources, then make it available to anyone willing to pay, and in even some cases, for free.

The Privacy Rights Clearinghouse recently built a unified database by cross-referencing all five U.S. state data broker registries and identified over 750 registered data brokers. (source) Some estimates put the global total at around 5,000. (source) And that only counts the ones that bother to register.

Reverse phone lookup sites are the consumer-facing tip of this iceberg. They take the data that brokers collect, such as names, addresses, relatives, income estimates, property records, domain registrations, social media profiles, and make it searchable by phone number.

Some charge a fee. But a growing number offer basic results for free, which makes them especially dangerous. What was once the domain of professional investigators is now a hobby anyone can pick up over a lunch break.

The real-world consequences are playing out. A 2025 survey by SafeHome.org found that 77% of Americans are at least somewhat concerned about being doxxed, and personal safety fears around doxxing rose 8 percentage points year over year. (source) Yet only 25% of respondents said they’d know how to remove their personal information from the internet if they needed to.

Since 2024, doxxing and swatting incidents have increased significantly, according to the National Association of Attorneys General. (source) Texas has treated doxxing as a criminal offense since September 2023, defining it as posting someone’s private address or phone number online with intent to cause harm. But most states still have no specific anti-doxxing statute, and federal law has yet to catch up.

Our Unique Take

Here’s what most people (and most legislators) get wrong about this problem:

they frame it as a data breach issue. They talk about hackers and dark web marketplaces and stolen databases. And those things are real threats.

But the reverse phone lookup problem isn’t a breach. It’s a feature. This data isn’t stolen (at least not always). It’s collected legally, packaged commercially, and served up through a clean user interface with a search bar.

That distinction matters. It means the standard advice of “use strong passwords,” “enable two-factor authentication”, doesn’t help here. No password was compromised. No account was hacked. Someone just typed a phone number into a website, and the data broker ecosystem did the rest.

The rise of AI is about to make this worse, not better.

When someone can feed a phone number into a lookup tool, get a name and address, then hand that information to an AI that cross-references it across social media, public records, and breach databases in seconds, the amount of personal information extractable from a single phone number grows exponentially.

We’re not there yet for the average person, but we’re closer than most people realize.

So What’s the Solution?

The good news is that this is a solvable problem, for those who know where to look and what steps to take. There are specific actions that remove your information from these databases, reduce your exposure, and make your phone number far less useful as an identity key. There’s even a brand-new government tool, launched just weeks ago, that makes part of this dramatically easier.

The data broker industry deliberately makes the opt out process confusing, fragmented, and tedious.

Below, we cut through all of that. We’ll name the specific reverse phone number site noted earlier, the other major tools in this ecosystem, and walk through the exact removal steps for each one.

The Reverse Phone Number Site (And What It Found)

Read more

Over 14.7 million combined downloads on Google Play.

And more than 1,500 security vulnerabilities between them, including 54 rated high-severity.

That’s what mobile security firm Oversecured found when they scanned popular Android apps designed to help people with depression, anxiety, panic attacks, and bipolar disorder. (source)

One therapy app with over a million downloads had 85 medium- and high-severity flaws on its own. Some of these bugs could let an attacker access internal app activities that handle authentication tokens and session data. Which means your therapy records could be exposed.

Other apps stored data locally in a way that gave any app on your phone read access to your CBT session notes and mood logs.

And six of those ten apps? They explicitly told users their data was private or encrypted. Which as it turns out, wasn’t the case.

Subscribe now

Why This Is Worse Than a Typical Data Breach

Mental health data isn’t like a leaked credit card number.

You can cancel a credit card in five minutes and you’re not responsible for fraudulent charges. You can’t un-share that you’re managing bipolar disorder, attending therapy for trauma, or tracking self-harm indicators.

The economics reflect this.

On dark web marketplaces, medical records routinely sell for $250 to over $1,000 per record, according to Experian and multiple cybersecurity firms. A stolen credit card number goes for $1 to $5. (source)

Mental health records are arguably worth even more than typical medical data because they carry massive blackmail and social engineering potential. Therapy session transcripts, medication schedules, mood logs are the kind of information that can destroy careers, relationships, and lives if it ends up in the wrong hands.

Remember the Tea app?

Last July, the dating safety app (which marketed itself as “the safest place” for women to share sensitive information) suffered a catastrophic breach. Over 72,000 user images (including government IDs) and 1.1 million private messages were leaked on 4chan, affecting more than 1.6 million users.

Women who had shared intimate details about their relationships, including discussions of abuse and infidelity, were suddenly exposed. Websites popped up where strangers could rate stolen selfies. The app now faces multiple class-action lawsuits.

Tea was a warning shot. Mental health apps are the next, much larger target.

Why It’s About To Get Much Worse

Here’s what connects these dots:

we’re in the middle of an explosion in AI-generated apps, and security isn’t keeping up.

The Google Play Store peaked at around 3.6 million apps in 2017, then declined for years as Google cleaned out low-quality listings. (source)

But that trend has reversed; the store is now back above 3.9 million apps and adding roughly 1,200 new ones every day.

A major driver?

“Vibe coding” — the practice of building apps by describing what you want to AI tools like Cursor, Replit, and Lovable, which then generate all the code. Collins Dictionary named it their Word of the Year for 2025. It lets people with zero security experience ship production apps to millions of users.

We’re trying not to be sensationalist, but the security track record is alarming.

Research from security firm Escape found over 2,000 vulnerabilities and 400+ exposed secrets across just 5,600 vibe-coded apps they analyzed. (source) Wiz Research reported that roughly 1 in 5 vibe-coded apps had security misconfigurations. (source)

A Tenzai assessment of five leading vibe coding tools found 69 vulnerabilities across just 15 test applications, including several rated critical. (source) And a 2025 study found that approximately 45% of AI-generated code contains security vulnerabilities. (source)

Now combine that with the mental health app market, where the data is extraordinarily sensitive, users are often in vulnerable emotional states, and the barrier to entry just dropped to “describe what you want and hit publish.”

📌 If you missed it: We did a breakdown of the online age verification chokepoint strategy, and why Facebook’s Zuckerberg wants identity checks baked into your operating system. Read on X.

Our Take

We’re headed toward a wave of mental health app breaches that will make the Tea incident look small. Circumstances are creating a perfect storm for a dangerous outcome:

a surge of AI-generated apps built by people who don’t understand security, handling some of the most sensitive data imaginable, downloaded by millions of users who trust the app store listing at face value.

And the app stores aren’t going to save you here.

Google has tightened quality controls, but their review process doesn’t catch the kinds of vulnerabilities Oversecured found; things like hardcoded API keys, insecure session token generation, and misconfigured internal activities. These are architectural security failures, not policy violations.

We’re about 12–18 months away from a major mental health app breach that results in blackmail campaigns. The data is too valuable, the apps are too poorly built, and the attack surface is growing exponentially. Scammers and extortionists who currently buy medical records on the dark web will specifically target therapy and mental health platforms because the leverage is unmatched.

Subscribe now

What You Can Do Right Now

Before you download any app, but especially a mental health or wellness app, check one thing: when was it last updated?

Oversecured noted that only four of the ten apps they tested had been updated this month; some hadn’t been touched since September 2024. An app that isn’t being actively maintained almost certainly isn’t being actively secured. It’s not a perfect signal, but it’s the fastest filter you have.

Beyond that, consider whether you actually need an app for this. A notes app with local-only storage and no cloud sync might serve you better than a slick AI therapy chatbot that’s sending your deepest thoughts to a poorly secured backend server.

Looking Ahead

This is one of the privacy stories we’ll be watching most closely this year. The intersection of AI-generated software, sensitive health data, and minimal oversight is a perfect storm.

And if this post has you wondering what’s already out there about you, from health apps, data brokers, or anything else, we created a guide for exactly that. How Exposed Are You Online? walks you through finding out.

Share Secrets of Privacy

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Do you own a Smart TV? If so, you won’t want to miss this reader fav post Smart TV Privacy Settings: How to Disable Tracking on Every Brand.

If you’re reading this but haven’t yet signed up, join for free (4.5K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

Could be a package with your name on it. Could be a letter on official-looking letterhead from a company you trust.

Either way, there’s a QR code inside, and the message is urgent:

scan this now.

This is the new face of phishing.

It doesn’t come through email, where spam filters can catch it. It doesn’t pop up in a browser tab.

Instead, it arrives the old-fashioned way, through your front door.

This time though, it’s wearing a logo you trust, like Amazon, or Ledger, or Trezor. And because we’ve spent twenty years being trained to distrust suspicious emails but almost no time learning to distrust suspicious mail, the scammers are stacking some wins.

Two incidents in the past few weeks make this impossible to ignore.

One involves Amazon packages. Another involves cryptocurrency wallets.

But the people who should be most concerned aren’t just Amazon shoppers or crypto investors, they’re everyone who gets mail.

Subscribe now

The QR-Code Mailbox Attack

Everything else in this piece follows from one idea: the attack surface is moving offline.

Every piece of cybersecurity software you’ve ever used, whether spam filters, antivirus, browser warnings, or two-factor authentication prompts, is designed to catch threats that travel through digital channels.

Physical mail bypasses all of it.

A letter can’t be flagged by your email provider. A package can’t be scanned by your router’s firewall. And a QR code on a piece of paper hides its destination URL, making it harder to do something like hover over it the way you can hover over a link in an email.

Scammers have noticed. And they’re investing in postage.

Share

Two Incidents, Same Playbook

Incident 1: The “Mystery Gift” Amazon Package

Police departments across the US are warning residents about a new twist on so-called brushing scams. Here’s how it works.

An unsolicited package arrives at your door. It has Amazon branding. It has your real name and address on the label. Inside, there’s either a small item, usually something cheap and lightweight, or just a note.

And there’s a QR code, asking you to scan it to “find out who sent this gift,” “claim your reward,” or “report a wrong delivery.”

The QR code doesn’t lead to Amazon. It leads to a fake Amazon page designed to steal your login credentials, or it prompts you to download something that hands over access to your banking information. (source)

The original brushing scam was annoying but mostly harmless and worked like this: sellers shipped you junk so they could post a “verified purchase” review. This is a different animal. The QR code turns what was a nuisance into an active threat. The package is the lure. The code is the trap.

Incident 2: The Letter That Looked More Legitimate Than the Real Thing

If the Amazon package scam is a low-budget operation, the campaign targeting cryptocurrency hardware wallet owners is something else entirely. And even if you don’t own any crypto, this incident matters to you for reasons we’ll get to shortly.

Starting around February 2026, people who own Ledger or Trezor hardware wallets (physical devices used to store cryptocurrency offline) began receiving physical letters in the mail. (source) The letters appeared on official-looking letterheads. They included holograms. They included QR codes. They bore what appeared to be the signature of company executives.

The letters claimed that an urgent “Authentication Check” or “Transaction Check” had become mandatory. Recipients were told to scan the QR code and complete the process before a specific deadline or risk losing access to their wallet entirely.

Scanning the QR code led to a website that looked exactly like the official Trezor or Ledger setup interface. The site walked users through a plausible-sounding verification process and, at the very end, asked them to enter their wallet’s recovery phrase, the 12-, 20-, or 24-word master key that controls everything in the wallet. Once entered, the funds are gone. Within minutes.

The Three Unfair Advantages of Mail Phishing

Physical mail phishing works because it exploits three things simultaneously that digital phishing almost never can.

First: it bypasses every filter you have. No spam folder. No browser warning. No antivirus scan. Your mailbox has zero security infrastructure.

Second: it feels more trustworthy. We’ve been conditioned to distrust urgent emails from companies we do business with. We’re far less conditioned to distrust urgent letters. Physical mail carries a subconscious weight because someone spent money on paper, printing, and postage. It feels like it means something.

Third: QR codes hide the destination. When you get a suspicious link in an email, you can hover over it and see where it actually goes. A QR code on paper gives you nothing. You can’t see the URL without scanning it. And most people don’t know how to preview a QR code before opening what it points to.

Combine these three factors and you have an attack that is genuinely harder to defend against than the average phishing email. Not because it’s more technically sophisticated, but because it exploits social and cognitive vulnerabilities that most people have never been warned about.

This Is a Data Breach Problem, Not a Scammer Cleverness Problem

Here’s what most coverage of these incidents is getting wrong.

The Ledger and Trezor letters aren’t impressive because the scammers are creative. They’re impressive because someone handed them a roadmap.

• In June 2020, Ledger suffered a data breach that ultimately exposed approximately 272,000 customer records (full names, phone numbers, and home addresses) which were later dumped publicly online.

• In January 2024, Trezor disclosed a breach that exposed contact information for nearly 66,000 users, including emails.

• And in January 2026, Ledger customers were notified of another exposure through a third-party payment processor called Global-e.

That is a lot of home addresses and other PI in the wild. And home addresses are the only input you need to mail someone a very convincing letter.

The Amazon brushing scam works the same way. Scammers are buying or scraping real names and addresses to make their packages look legitimate.

We tend to think of data breaches as a password problem. Change your password, enable two-factor auth, move on. But your home address doesn’t change when a breach happens. It just sits there, in some hacker’s database, waiting to be monetized. The current generation of mail phishing attacks is that monetization. The breach happened years ago. The invoice is arriving now.

This is the part that should worry you: we are in the early stages of this trend. As more personal data leaks accumulate and more scammers realize that physical mail bypasses every digital defense, this attack vector is going to get more common, more sophisticated, and harder to distinguish from legitimate correspondence.

What legislators and most cybersecurity companies don’t fully grasp yet is that the protection framework needs to extend offline. And right now, almost none of it does.

Where This Goes Next

Here’s why you don’t need to own any crypto for this to matter to you.

Crypto users were the perfect population to test physical mail phishing against. They’re identifiable by name and address thanks to documented breaches. They hold high-value assets, which justifies the cost of printing, holograms, and postage (scammers need the per-victim payout to cover their materials). And they’re already primed to think about wallet security, so a letter about a “mandatory security check” lands believably.

But testing on crypto users was never the end goal. It was the proof of concept.

Once scammers confirm that physical mail phishing converts (that people scan QR codes from letters, that the ROI works) the playbook gets ported to target populations where the per-victim take is smaller but the volume is orders of magnitude larger. Here’s where what likely comes next:

The IRS letter. Fake IRS correspondence is already the most successful phone scam category in America. A physical letter with a QR code is the obvious evolution. Something like “scan to verify your identity before your refund is processed” or “respond within 14 days to avoid an audit hold”. The IRS already communicates exclusively by physical mail, which means recipients are specifically conditioned to take letters from them seriously. Nearly every adult American is a viable target.

Medicare and Social Security. The demographic that trusts physical mail most deeply is also the demographic most heavily targeted by phone scams. A letter saying “your Medicare coverage requires reconfirmation — scan here to avoid a lapse in benefits” is perfectly engineered for that audience.

Banks and credit unions. “Your account has been flagged for unusual activity — scan to verify your identity and avoid a temporary freeze.” Banks do send physical fraud alert letters. The format is completely plausible, and the credential harvest that follows works the same way it did with Amazon.

Utilities and local government. “Final notice before service interruption” is a proven psychological lever. Fake utility QR-code letters have already appeared in parts of Europe. It’s a matter of time before this is widespread in the US.

Healthcare and insurance. People managing chronic conditions receive regular correspondence from insurers, specialty pharmacies, and providers. They’re often dealing with something stressful enough that they act quickly when they see urgent mail, and healthcare data breaches have put millions of home addresses into circulation.

Mortgage servicers and title companies. Homeowners receive physical mail from county assessors, mortgage servicers, and title companies constantly. A QR code on a letter appearing to be from your lender could be used to initiate wire transfer fraud.

The pattern in all of these: a sector where (a) physical mail is the established communication norm, (b) real urgency sometimes exists, and (c) a data breach has already put home addresses in the public domain. That describes most of modern life.

Scammers proved the model on crypto users because the payout justified the investment. The next phase is scaling it down in value and up in volume. If you pay taxes, have a bank account, or receive mail (and that’s basically everyone) you’re in the next wave of targets.

The Actual Solution: How to Protect Yourself From Mail Phishing

This section is more involved than “don’t scan QR codes from strangers,” though that’s the right instinct. Here’s a practical protocol.

Read more

And when you tap “connect your bank,” you’re often giving a whole chain of companies ongoing access to your transactions, balances, and account details.

Most people never get a clear explanation of what happens next. They just want a clean dashboard and a spending chart that makes sense.

For this guest post we enlisted Vadim Semeniuk, co-founder of Digitus Data (a custom software studio) with over a decade in business. Vadim breaks down the hidden privacy tradeoff behind “free” budgeting apps: the data-sharing ecosystem that sits between you and your bank.

We asked Vadim to write a guest post after checking out his privacy friendly personal finance statement analyzer called SpendSum. This is not an ad and there’s no affiliate relationship. We just thought it was a cool project and wanted to tap into Vadim’s expertise in this area.

In this guest post, you’ll learn what that “connect your bank” button really does, why financial data aggregators matter (even if you’ve never heard of them), and how to do a few high privacy IQ cleanups that make you a harder target.

By the end, you’ll have a simple action plan:

• how to audit and disconnect old bank connections

• what to look for in a privacy policy before linking accounts

• how to tighten up Venmo settings

• a couple of safer ways to track spending without handing over your entire financial life.

Subscribe now

In March 2024, Intuit shut down Mint.com. Over 20 million people had used the app at its peak. Most of them got a polite email telling them to migrate to Credit Karma, another Intuit product. Same company, same data ecosystem. Most users never thought twice about it and migrated.

What that email didn’t explain was what had already happened to years of their financial data. Or where it went. Or who paid for access to it.

Mint was free. And like most free apps, the product was never the budgeting tool. The product was you.

That was one app. But every budgeting app that asks to “connect your bank” feeds the same machine. If you’ve ever tapped that button, you’re part of it. And chances are you have since a majority of US adults use digital tools to manage their money.

After Mint died, millions moved to Rocket Money, YNAB, Monarch, Copilot. The app changed. The question didn’t:

what happens to your data after you hand it over?

Share

The Company Between You and Your Bank

When a budgeting app asks you to connect your bank account, you’re almost certainly not connecting to your bank directly. You’re going through a financial data aggregator, a company that acts as a middleman between you and your bank.

The biggest is Plaid.

According to Plaid’s own marketing, one in two US adults have connected a financial account through their system. They link to over 12,000 financial institutions and power more than 7,000 apps.

If you’ve used Venmo, Cash App, Robinhood, or Coinbase, you’ve used Plaid. Other major aggregators include Yodlee (sold by Envestnet to private equity firm STG in 2025), MX, and Finicity (acquired by Mastercard in 2020).

Most users have no idea these companies exist, let alone that they’re involved.

Here’s how it used to work (and in many cases still does):

you’d type your bank username and password into what looked like your bank’s login screen. Except it wasn’t. It was Plaid’s interface, designed to mimic your bank. Plaid would then log into your bank as you and scrape your account data. This practice, called screen scraping, was the industry standard for years.

Newer connections use token-based access, which is better. But the core dynamic is the same. A company you never chose now has ongoing access to your transactions, balances, account numbers, income, and investment holdings.

And that access doesn’t necessarily expire when you stop using the app.

Your Spending Data Is More Revealing Than Your Search History

Your search history shows what you’re curious about. Your transaction history shows what you actually do.

A peer-reviewed study published in Psychological Science analyzed spending records from over 2,000 people and found that purchase data alone could predict personality traits like:

• neuroticism

• extraversion

• self-control

• materialism.

Open-minded people spent more on flights, extraverts on dining and drinks, the conscientious on savings. All from bank transactions.

But it gets more personal than personality types. Look at what your transactions actually say about you.

A pharmacy charge is a health record. A therapy copay hints at a diagnosis. Donations map your politics and your faith.

Then there’s the stuff you’d rather keep private: gambling app charges, liquor store runs, late-night delivery orders. Splitwise payments and divorce attorney retainers trace your relationships in real time. Payday loans and overdraft fees tell anyone watching that you’re struggling.

Even your daily coffee stop and Tuesday grocery run build a map of your routine. Most people wouldn’t willingly hand that to a stranger.

Researchers at USC and UT Austin analyzed 389 million public Venmo transactions over an eight-year period and found that about 40% of users in the dataset had publicly leaked sensitive information through their transaction notes. Health conditions, political orientation, drug and alcohol use, all sitting in plain text.

No single data source reveals more about a person’s actual life than their spending.

Subscribe now

Who’s Making Money Off Your Money Data

It starts with the aggregators.

Plaid settled a $58 million class action in 2022 after consumers alleged the company harvested and sold financial data without consent. People who signed up for Venmo didn’t know Plaid was collecting their transaction history, investment data, and salary information. Each affected consumer got about $36.

Yodlee was worse.

Three members of Congress (Senators Wyden and Brown, and Representative Eshoo) demanded the FTC investigate after reports surfaced that Yodlee had been selling bank and credit card transaction data of tens of millions of Americans to investment and research firms. The data showed “how much people spent and where.”

A class action alleged they shared some of this data in unencrypted files. A court later sanctioned them for destroying evidence in a separate case.

Then there are the apps themselves.

Mint’s business model was showing users financial product offers (credit cards, loans, insurance) and collecting referral fees. The catch: the products with the highest fees were rarely the best fit for users.

One analysis noted this “created misaligned incentives between the company and its users.” When Intuit killed Mint, they funneled users toward Credit Karma, a platform with over 130 million members whose entire business is recommending financial products based on your profile.

This is how free budgeting apps stay free. Advertisers pay more to reach someone actively managing debt or saving for a home, and your spending data tells them exactly which bucket you’re in.

Your own bank is in on it too.

JPMorgan Chase launched Chase Media Solutions in 2024, an advertising business that lets brands target Chase customers based on their purchase history. Pilot campaigns with Air Canada, Solo Stove, and Whataburger. The bank charges advertisers only when a customer actually buys something, meaning your past spending directly feeds the algorithm predicting your next purchase.

Mastercard sells access to billions of purchase transactions through more than 25 data service products, according to a US PIRG investigation. Buyers include ad networks, data brokers, insurance companies, and employers.

And all of it feeds a bigger market.

The data brokerage industry is projected to reach $462 billion by 2031 (per Transparency Market Research). Spending data sells for a premium because nothing predicts what someone will do next like what they already spent. Brokers use it to sort people into categories tied to ethnicity, religion, health status, political affiliation, and income level.

When the Data Gets Loose

Data that gets collected eventually gets breached.

In 2021, a former Cash App employee accessed customer financial reports after leaving the company, exposing the names, brokerage account numbers, and portfolio information of 8.2 million people. That breach led to a $15 million settlement. Separately, Cash App’s parent company Block was hit with an $80 million fine from 48 state regulators in January 2025 for anti-money laundering failures. Two different problems, same company, same customers bearing the risk.

Across fintech, 41.8% of breaches originate from third-party vendors, according to a 2025 SecurityScorecard report analyzing the top 250 fintech companies. Those third parties are often the same aggregators and data processors handling your bank connection.

And then there’s Venmo.

Transactions on Venmo were public by default for years. In 2018, a researcher scraped 207 million public transactions, documenting “users’ lives: everything from cannabis sales to budding romances, to breakups, to how much pizza they ate and how much Coke they bought.”

In March 2025, reporters discovered that National Security Adviser Mike Waltz had a public Venmo friends list with 328 contacts, including White House staffers, military officers, and journalists. The account was only made private after the press reached out to the White House.

Don’t Count on Regulators

If you’re waiting for the government to sort this out, it’s going to be a long wait.

The Biden-era CFPB proposed two rules that could have helped. One (Section 1033) would have given consumers more control over how their financial data gets shared. The other would have treated data brokers as consumer reporting agencies, forcing them to get consent before selling your information.

Both are dead.

A federal judge enjoined the Section 1033 rule in late 2025, and the CFPB is now rewriting it from scratch. The data broker rule was withdrawn entirely in May 2025. The CFPB’s decided it was not necessary or appropriate at this time. (source)

What You Can Do

None of this means you should stop tracking your spending. It means you should care about how you do it.

Audit your bank connections. Start at my.plaid.com. You’ll see every financial account you’ve ever connected through Plaid, often including ones you forgot about years ago. Disconnect anything you’re not actively using. Then check your bank’s own “connected apps” or “data sharing” section and revoke anything stale there too.

Read the privacy policy before connecting. Specifically, search for “data sharing” and “third parties.” If a financial app is free, find out how they make money. That will tell you what’s happening to your data.

Use tools that don’t require bank access. This is why I built SpendSum, a statement analyzer that runs entirely in your browser. You download a CSV from your bank, drop it in, and the analysis happens on your machine. No bank connections, no accounts, no third-party aggregators touching your data. Nothing leaves your device.

Use your bank’s own tools. Most banks now offer basic spending breakdowns in their apps. Less detailed, but the data stays with your bank.

Lock down Venmo. Switch your default transaction visibility to private (Settings > Privacy > Default Privacy Setting > Private) and review your friends list visibility while you’re there.

Keep transaction notes vague. On any payment app, write “dinner” not “Dr. Martinez copay.” Notes are stored, analyzed, and on Venmo, potentially public.

One Question Worth Asking

Twenty million Mint users got that polite migration email in 2024. Most clicked through to Credit Karma without a second thought. Intuit already had years of their spending data. The cycle just continued with a different app.

Next time an app asks to connect your bank, ask yourself: who else gets to see this data? If you can’t answer that clearly, maybe the app isn’t as free as it looks.

Your spending data is the most detailed record of your daily life that exists anywhere. Treat it that way.

Friendly Ask

If you found this helpful or informative, chances are your friends and family will as well. Please share it with them to help spread awareness.

Share

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Do you own a Smart TV? If so, you won’t want to miss this post from our three part series on how To make your smart TV less creepy.

If you’re reading this but haven’t yet signed up, join for free (4.4K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

But what about the accounts you’ve already created?

Even if you start fresh today, your old usernames are still searchable. OSINT tools can find that gaming handle you used in 2012, connect it to your yahoo account, and keep pulling the thread until they’ve built a profile on you. The past doesn’t disappear just because you’ve changed your habits.

So what do you do about it?

Subscribe now

Schedule an Account Cleanup Day

Rather than trying to fix everything at once (you won’t), block 30-60 minutes on your calendar for an account cleanup. It could be quarterly, monthly, or some other frequency. The important part is that it’s something you can follow through on.

Is this annoying? Of course.

Is it necessary? Depends on your risk profile and how much you like to try and future proof things.

If you decide this is a worthwhile exercise, here’s how to spend that time:

1. Pull up your password manager. Sort by oldest accounts or just scroll through the list. You’ll probably be surprised by how many you’ve forgotten.

Don't have a password manager? Your email inbox is the next best thing. Search for terms like "welcome," "confirm your account," "verify your email," or "thanks for registering." You'll be surprised how many forgotten accounts surface. This is also a good reminder to start using a password manager, which makes future cleanup days much easier.

2. For each account, ask three questions:

• Do I still use this? If not, delete it.

• Can I change the username? If yes, swap it for a unique one.

• Is this a high-value account? Prioritize email, banking, healthcare, and anything tied to your real identity.

3. Close what you don’t need. Old accounts are liabilities. They sit in breach databases, they’re searchable by OSINT tools, and they add to your attack surface. If you haven’t logged in for a year, you probably don’t need it. Sites like justdelete.me can help you find the delete option (some companies bury it on purpose).

Prioritize the High-Value Targets

If you’re short on time, this section lays out how we recommend prioritizing the accounts.

• Email accounts — The skeleton key to your digital life. If someone gets into your email, they can reset passwords everywhere else.

• Financial accounts — Banks, credit cards, investment platforms.

• Healthcare portals — Contain sensitive personal data.

• Social media with your real identity — LinkedIn, Facebook, anything with your actual name attached.

• Your password manager itself — If you’re using your email as the username, consider changing it.

Everything else, like old forums, random shopping accounts, that app you tried once, can wait for your next cleanup day.

There is one problem you will run into rather soon:

many websites won’t let you change your username.

If you encounter that, your options are, unfortunately, not great. If you need to have an account with the website, you can try reach out to tech support to request a manual username change. That probably won’t work, but it’s worth a shot.

Another option is to start over with a fresh account, though those use cases are limited. Closing a bank account and then opening a new one, for example, probably isn’t worth the effort. In the end, don’t go crazy here unless you have a high risk profile or enjoy the challenge.

The Bigger Picture

If you want to go deeper than usernames, our How Exposed Are You Online? guide walks you through a full self-audit using the same OSINT techniques that investigators and doxxers use. It covers key exposure areas and links to the tools (many free) so you can see exactly what’s findable about you, and fix it.

But even without the full audit, scheduling a cleanup day twice a year will put you ahead of most people. Small upgrades snowball into big wins over time.

Your past doesn’t have to stay searchable forever. The important part is to start pulling those threads on your time, before someone else does.

🔖 Bookmark Our Username Generator

Don’t forget to bookmark our free username generator. You can even add a shortcut to your mobile phone home screen for easy access. That helps remove the friction with creating unique usernames and puts you ahead of 99% of the population.

Friendly Ask

If you found this helpful or informative, chances are your friends and family will as well. Please share it with them to help spread awareness.

Share

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Do you own a Smart TV? If so, you won’t want to miss this reader fav post Smart TV Privacy Settings: How to Disable Tracking on Every Brand.

If you’re reading this but haven’t yet signed up, join for free (4.4K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

If you ask about planning a vacation, expect travel ads. Mention a health concern, and pharmaceutical companies are paying attention. The feature is rolling out to free users and the $8/month “Go” tier in the coming weeks.

Here’s what makes this different from every other ad platform you’ve encountered:

ChatGPT doesn’t just know what you clicked or what page you visited. It knows why. It knows your doubts, your questions, your vulnerabilities. It knows the context that led you to search for something, not just the search itself.

As one privacy commentator put it, “prompts inside ChatGPT can reveal intent, uncertainty, and vulnerability in ways that traditional advertising platforms don’t see.” (source)

Subscribe now

Reframing Advertising in the AI Era

Conversational AI exploits something fundamental about human psychology, which is we overshare when we think we're having a private conversation. This creates an “intimacy trap” to the disadvantage of the human and the benefit of the AI. This scenario does not exist in the same way for traditional digital advertising.

Traditional digital advertising works on breadcrumbs. For example, you visited a shoe website, so shoe ads follow you around. That’s surveillance, but it’s one-dimensional.

Conversational AI advertising works on confessions. You told ChatGPT you’re struggling with insomnia and asked for natural remedies. You explained your budget constraints and mentioned you’re skeptical of prescription drugs. That’s fundamentality different from the breadcrumb trail type tracking we’re all used to.

Put simply: Google gets the question while ChatGPT gets the story.

Google knows you searched for “insomnia remedies.” ChatGPT knows you’ve tried melatonin, it didn’t work, you’re worried about dependency, and you have a wedding in three weeks.

One is a keyword. The other is a marketing goldmine.

The Rollout Is Already Underway

Internal documents reviewed by The Information in December 2025 revealed OpenAI employees discussing giving sponsored results “preferential treatment” over non-sponsored ones. (source) In one example, a user asking about ibuprofen dosage might see a promoted Advil ad, while actual dosage information gets buried.

Even paying customers aren’t safe from the erosion.

In early December 2025, ChatGPT Pro subscribers (people paying $200/month) started seeing “app suggestions” that looked suspiciously like ads. One user posted on X:

“ChatGPT has started posting ads on Pro accounts. I hope this is just testing/a mistake, else it’s an instant unsubscribe from me.”

OpenAI claims ads won’t influence ChatGPT’s responses and conversations will remain “private from advertisers.” But that sounds like a half-truth to us and legal weasel wording.

While advertisers may not see your specific chats, OpenAI must process your conversation content internally to decide which ads to serve. That means your conversations-including sensitive queries about health, relationships, finances, and personal struggles-are being analyzed, categorized, and used to determine what products to push.

The company has committed over $1.4 trillion to AI infrastructure deals and needs $20 billion in annual revenue to break even. That’s not going to come from the ~2% of users paying for Plus or Pro subscriptions. It’s coming from the 800 million people using the free tier-which makes their conversations the product.

Share

The Creep That’s Coming

Here’s what OpenAI’s PR team and other privacy pros won’t tell you: this is just the beachhead.

OpenAI says ads will be “separate and clearly labeled.” They say personalization is “opt-out.” They say they’ll “never” sell your data to advertisers. Maybe that really is the intent. At least for now.

But look at the financial incentives.

Every major tech company that introduced advertising with restrictions and promises has, over time, loosened those restrictions as revenue pressures mounted. Here are two of the most obvious ones:

• Facebook started with “targeted ads based on profile information.” Now they track you across the entire internet.

• Google started with text ads next to search results. Now they inject Shopping results directly into your search, often pushing organic results below the fold.

The pattern is always the same:

Start conservative, build dependency, expand gradually, claim it’s what users want.

What makes AI advertising particularly insidious is that conversational data creates something unprecedented: the ability to target emotional states in real-time. Someone asking ChatGPT for help with anxiety isn’t just “interested in mental health products”. They’re likely anxious right now, in this moment, seeking help. The advertising potential isn’t just more precise. It’s predatory by design.

Here’s a prediction:

within 18 months, OpenAI will introduce “helpful suggestions” that blur the line between organic responses and sponsored content. The justification will be user experience: “We’re showing you this product because it genuinely solves your problem.” The reality will be that the product got shown because someone paid for preferential placement.

Subscribe now

Practical Solutions and Counter Measures

People will tell you to “just pay for Plus” or “switch to [Competitor X]” to avoid advertising. That’s a reasonable short term solution, but it does nothing to address the direction things are going.

And the real solution isn’t about avoiding ChatGPT or paying your way out. It’s about fundamentally changing how you interact with AI tools. Below are some things that actually work. One is so simple and effective we’re genuinely surprised it’s not more widely recommended.

Read more

You’re browsing a website. You start filling out a form, then change your mind and close the tab.

No harm done, right? Not quite, as it turns out.

There’s a good chance that website recorded everything you did: your mouse movements, your scrolling, that half-typed credit card number you deleted, even that embarrassing search query you backspaced over.

We’re all familiar with increased AI driven surveillance in bricks and mortar retail stores. We’ve reported on that before.

And of course we all know about tracking pixels and cookies in the digital world. But most don’t know that websites are recording what you do live like an IRL security camera.

Welcome to the world of session replay tools.

Subscribe now

What Are Session Replay Tools?

Companies like FullStory, Hotjar, LogRocket, and dozens of others offer a simple pitch to website owners: Watch your users like they’re sitting right next to you.

These tools embed invisible JavaScript on websites that captures:

• Every mouse movement and click

• Everything you type (including deleted text)

• How far you scroll

• Where you hesitate

• Your entire journey through the site, reconstructed as a video

The marketing copy sounds benign: “Diagnose UI issues, improve support, and get context on nuanced user behavior.” And yes, these tools can legitimately help companies fix broken checkout flows or confusing navigation.

What these sites don’t mention to visitors, of course, is that you’re being filmed without your knowledge.

The Privacy Problem With Session Replay Tech

1. You probably have no idea it’s happening

Most websites bury session recording disclosure deep in privacy policies, if they mention it at all. There’s no recording indicator. No consent popup specifically for replay tools. You’re just being filmed.

2. Sensitive data leaks are common

In theory, these tools are supposed to mask passwords, credit card numbers, and personal data. In practice? A study by Princeton University researchers (source) found that session replay scripts on major websites were capturing:

• Passwords in plain text

• Credit card numbers

• Medical information

• Private messages

The researchers analyzed seven of the top session replay providers and found these scripts running on 482 of the top 50,000 websites, including sites belonging to The Guardian, Reuters, Samsung, Adobe, and Microsoft. The masking simply wasn’t working, or wasn’t configured at all.

3. Your “deleted” text isn’t deleted

Changed your mind about that angry customer service message? Decided not to enter your social security number? Too late. Session replay captures keystrokes in real-time. That text you backspaced over? It’s sitting on a third-party server.

4. Third parties now have your behavioral data

Your session isn’t just stored by the website you visited. It’s on FullStory’s servers, or Hotjar’s, or whoever else. That’s another company with your data, another potential breach vector, another privacy policy you never agreed to.

How Widespread Is This?

More than you’d think. Session replay tools are embedded on:

• Major e-commerce sites

• Banking and financial services

• Healthcare portals

• Government websites

• News publications

The Princeton study found session replay scripts on nearly 1% of the top 50,000 sites, and that only covered seven session replay providers. The actual number is likely much higher. And adoption is growing: the “product analytics” market is projected to hit $20+ billion by 2028.

What About Mobile?

If you’re thinking “I mostly browse on my phone, so I’m probably fine,” we have some bad news.

Mobile web browsers are just as vulnerable. The same JavaScript runs whether you’re on desktop Chrome or mobile Safari.

Mobile apps can be even worse. FullStory, LogRocket, and other providers offer mobile SDKs that record taps, swipes, and screen contents directly within apps. That banking app? That health tracking app? They could be recording your sessions too.

Blocking is harder on mobile. Most mobile browsers don’t support extensions like uBlock Origin. Safari on iOS and Chrome on Android offer no way to install content blockers that would catch these scripts.

No surprise to regular readers, but Brave mobile browser is the exception. Available on both iPhones and Android devices, it has the same aggressive built-in tracking protection as the desktop version, blocking many analytics and replay scripts without requiring any extensions.

Safari’s built-in Intelligent Tracking Prevention helps with some tracking, but it’s not specifically designed to block session replay tools.

The bottom line:

mobile users have fewer defenses unless they switch to Brave, and may face additional exposure through apps (which have their own session replay SDKs that browsers can’t block at all).

It's hard to grasp how invasive session replay is until you see it for yourself. So we built a tool that lets you experience it firsthand.

Access this interactive tool here.

Once you’re there, type in the form fields (don't worry, nothing is actually recorded or sent anywhere) and watch the "recording log" capture every character, every click, every hesitation. That’s what is happening all the time on major websites and mobile apps unless you have blockers in place.

What Won’t Help: VPNs

Some of you may be thinking (hoping?) that using a VPN will protect you here.

Unfortunately, that’s not the case.

A VPN hides your IP address and encrypts traffic between your device and the VPN server. But session replay scripts run inside your browser after the page has already loaded. The JavaScript executes locally on your device and captures your behavior directly. Your VPN never sees it.

Think of it this way: a VPN protects you from people watching the road between your house and your destination. But session replay is like someone already inside the destination, watching everything you do once you arrive.

What You Can Do About It

We have some good news. You can significantly reduce your exposure with some adjustments to your personal privacy stack. And many of you are already using tools and apps that will help you (so no significant change). Here are some options.

Read more