Misc Tech Notes

Sunday 20 November 2016

Old accounts and information on the internet

Posted by Peter Reuterås in article

During the last week I've been closing at least 50 online accounts that I don't use or don't really need. The reason is that I'm trying to limit the number of places that can be hacked and leak my information. The highest-risk accounts are still active, since it would have a bigger consequence to close email and some social media accounts. I might reconsider this choice later.

At the same time that I was closing accounts I got an email message from Have I been pwned? informing me that my information had leaked from a company named GeekedIn that I had never had any connection to. GeekedIn had harvested public information from GitHub. So the information was already public, but someone took it, collected it in a database and could correlate it with other information.

You might wonder why you should care if some information from one site has leaked? What could happen? I had my information dumped from Patreon when they got hacked some time ago. As a result I got a "threatening" email. The reason for it? I supported someone that someone else didn't like, and that person threatened to contact employers and friends. It wasn't possible for me to take the threat seriously, but it taught me a lesson and has been a good reminder ever since to always think about how information I share can be (mis)used.

If you don't follow news about information breaches you might wonder how common it is that databases are hacked and leaked? Even though I read about hacks almost every day, that doesn't tell me how I'm affected. During the last 14 months I've gotten 9 emails from Have I been pwned?. I've also had the possibility to download over 50 database dumps from the internet if I wanted.

The big lesson from this is to be careful with what information you share. Never enter more information than needed, and don't always enter correct information. Use different usernames and email addresses if possible. The last recommendation is one that I really need to start following. The first question should also be whether you really need to register an account at all. If you use the same email address or phone number on many sites, it's easy to automatically correlate your actions on different sites. The same is true for profile pictures and usernames, even if someone other than you has used them. Many sites require users to verify email addresses and phone numbers, so that information is verified in some sense.

For companies this can become a real problem if more people have their personal information leaked and start to be more concerned about privacy. That isn't really in the business plans of online companies like Facebook and Twitter or brick-and-mortar stores like ICA (in Sweden). I'm in no way a typical user, but I recently opted not to buy from a smaller online retailer in Sweden because the site lacked HTTPS and generally looked old and badly maintained.

As a minimum, I recommend checking any site you are considering using with these services:

  • https://securityheaders.io/
  • https://www.ssllabs.com/ssltest/index.html
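As an added example (not part of the original post or of either service), here is a small offline check of the kind of response headers securityheaders.io reports on, run against two constructed sample responses; the header list, the one-year HSTS threshold and the sample responses are my assumptions, not the service's grading rules.

```python
"""Offline audit of a site's HTTP response headers for common security headers.
The header set and thresholds are assumptions for this example."""

ONE_YEAR = 31536000  # HSTS max-age of at least one year is the usual recommendation
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]


def parse_headers(raw):
    """Parse a raw response head (status line, then header lines) into a dict
    keyed by lower-cased name; duplicate fields are joined with ', ' (RFC 7230)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue  # malformed line: ignore rather than crash
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if absent or invalid."""
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(raw):
    """Return a list of findings for one raw response; [] means all checks passed."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in EXPECTED if name.lower() not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak Strict-Transport-Security: max-age below one year")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("weak X-Content-Type-Options: expected nosniff")
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak X-Frame-Options: expected DENY or SAMEORIGIN")
    return findings


# Constructed sample responses: a badly maintained site and a hardened one.
WEAK = "HTTP/1.1 200 OK\nServer: Apache\nStrict-Transport-Security: max-age=300\nX-Frame-Options: ALLOWALL\n"
HARDENED = ("HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n"
            "Content-Security-Policy: default-src 'self'\nX-Content-Type-Options: nosniff\n"
            "X-Frame-Options: DENY\nReferrer-Policy: strict-origin-when-cross-origin\n")
```

Calling `audit_headers(WEAK)` lists three missing headers plus the weak HSTS and X-Frame-Options values, while `audit_headers(HARDENED)` returns an empty list; paste the head of a real response in place of the samples to check a site yourself.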