Welcome to another issue of Secrets of Privacy where we discuss personal privacy related topics and provide practical tips to enhance your personal privacy.
While the title of this post is intentionally sensational, the metaphor is appropriate.
The internet can be an exciting place, but these days it’s also increasingly risky. If you’re not careful, severe, long-lasting consequences can result. That’s not an exaggeration, as we’ll show below.
Not too long ago, “severe” would be overblown. The worst thing that could happen was you got spyware on your computer or your hard drive was bricked. Some of our readers will remember those dreaded pop-up windows on desktop computers.
But as more of our life moves online, we’re entering a new phase where the harms from unsafe digital activity are more impactful and long-lasting. Our offline lives are even at risk if we’re not careful.
Tim’s Facebook Hijacking Story
We recently reached out to an old colleague on LinkedIn (let's call him Tim) because he had an odd phrase in his bio about crypto. We were intrigued. We won't give the actual phrase to avoid doxing. But here's a redacted screenshot of the conversation:
Tim doesn't know how hackers gained control of his Facebook account. But here’s a strong possibility: Tim was reusing the same login credentials across multiple websites.
According to Have I Been Pwned, Tim's primary email address and password were part of at least 4 different breaches in the last few years. A clever Bad Actor likely took those credentials and tried them on popular websites. Eventually the Bad Actor got to Facebook and hijacked Tim's account, proceeding to establish a sophisticated and realistic crypto scheme using Tim's goodwill as a successful corporate executive.
The kicker: Bad Actor changed the password on Tim’s Facebook page and Tim can't access the account any longer. Meta, Facebook’s parent company, is unresponsive. The scammer is using Tim's real photos, including those of his wife and kids, to promote a financial scam. They changed the banner image on his page and even created a photoshopped image with his face!
Tim’s situation is legitimately frightening. And you’ve probably already thought of additional scenarios where it can be replicated. Here’s one to think about.
Tina’s Instagram Hijacking Story
A Bad Actor hacks into a mom’s Instagram account. Let’s call her Tina.
Tina’s account is ordinarily used for posting everyday photos and short videos. Maybe the occasional travel, cooking or mom’s night out photo.
A Bad Actor gains control of Tina’s Instagram account by using stolen login info. The Bad Actor uses Tina’s real Instagram images to create new images and deep fake videos using Tina’s likeness. This is easy to do with readily available AI software, even for teenagers (source). But instead of promoting crypto scams as in Tim’s case, the Bad Actor repurposes Tina’s Instagram account for something different.
Maybe he uses Tina’s account to promote cheap home goods. Just as possible, the Bad Actor uses Tina’s account and likeness to promote p*rnography and/or to catfish unsuspecting men. This seems like the more likely scenario since there’s more money to be made.
As Tim’s situation shows, Meta is nearly impossible to get hold of. So it’s likely Tina’s account will remain hijacked for weeks if not months before someone at Meta fixes it. In the meantime, Tina is experiencing substantial reputational harm. Her mental and physical health may deteriorate as well.
Wrap Up and Solutions
While we don’t know for sure how Tim’s Facebook account was hacked, we do know the recent 23andMe hack resulted from the technique described above. It’s called “credential stuffing”, and it involves Bad Actors testing stolen login credentials on multiple sites. It’s effective because people tend to reuse the same usernames and passwords.
As Tim’s situation shows, along with 23andMe, poor privacy and security practices have real life consequences. Using 123abc as your password, or even a strong-looking one like af7fdsjkljk2201, on every site is convenient, but it's playing Russian Roulette. Especially in the current AI age, where scams will get more complex and effective. Privacy and security practices that worked in 2020 no longer work in 2024. You'll get rekt unless you adapt.
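Credential stuffing leaves a recognisable footprint on the site being attacked, which is how a defender spots it and finds which accounts fell to reused passwords. The following is an added example (not code from this newsletter): it runs over a constructed login log in an assumed "timestamp ip username result" format and separates a stuffing source (one IP, many different usernames, mostly failing, with the odd success from a reused password) from ordinary brute force (one IP hammering one username).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data).
# Assumed format: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.9 alice LOGIN_FAIL
2024-03-01T10:00:02 203.0.113.9 bob LOGIN_FAIL
2024-03-01T10:00:02 203.0.113.9 carol LOGIN_OK
2024-03-01T10:00:03 203.0.113.9 dave LOGIN_FAIL
2024-03-01T10:00:04 203.0.113.9 erin LOGIN_FAIL
2024-03-01T10:00:05 203.0.113.9 frank LOGIN_FAIL
2024-03-01T10:05:00 198.51.100.7 tim LOGIN_FAIL
2024-03-01T10:05:01 198.51.100.7 tim LOGIN_FAIL
2024-03-01T10:05:02 198.51.100.7 tim LOGIN_FAIL
2024-03-01T10:05:03 198.51.100.7 tim LOGIN_FAIL
2024-03-01T10:05:04 198.51.100.7 tim LOGIN_FAIL
2024-03-01T11:00:00 192.0.2.44 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    # Returns (timestamp, ip, username, success) tuples; malformed lines are skipped
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events

def classify_sources(events, window=timedelta(minutes=10), min_attempts=5, min_users=5):
    # Slide a time window over each source IP's attempts. Stuffing: many distinct
    # usernames, mostly failing; any LOGIN_OK inside that burst is a likely reused
    # password. Brute force: the same username failing over and over.
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and fails / len(chunk) >= 0.6:
                findings[ip] = ("credential_stuffing", sorted(e[2] for e in chunk if e[3]))
            elif len(users) == 1 and fails == len(chunk):
                findings[ip] = ("brute_force", [])
    return findings
```

On the sample, 203.0.113.9 is flagged as credential stuffing with carol's account as the one that let a reused password through, and 198.51.100.7 as brute force against tim.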
If you're a business executive, business owner, or HNWI, start practicing safer digital activity today. Learn from Tim's mistake and start with something easy and highly effective like a password manager. You can then build from there until you have a formidable personal privacy stack. Our Privacy Stack is available here which you can replicate or modify to fit your needs.
We use Proton Pass, which is included in our Proton privacy suite subscription. Proton Pass is available as a standalone service, free for basic usage or $4/month for the full plan. Paid Proton plans can include mail, VPN or both and throw in Pass for free. Browse plans and sign up here. Bitwarden is another great option we use as a backup.
If you’re intimidated by the thought of a major switch like using unique login credentials for every website, check out these resources to help you get started:
Disclaimer: None of the above is to be deemed legal advice of any kind.
Learn about disposable/anonymous/temporary email addresses here.
If you have a LinkedIn profile, you’ll want to read this.