this post was submitted on 29 Apr 2025
53 points (96.5% liked)

Privacy

37371 readers
477 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
53
What should I do after finding my info on a Data Breach searching website? (lemmy.world)
submitted 1 day ago by A9b382ks@lemmy.world to c/privacy@lemmy.ml
12 comments fedilink hide all child comments
 

I put my old Gmail accounts on websites like haveibeenpwned.com osintleak.com pentester.com and osint.industries

And the results had a lot of personal info like old usernames I used, old passwords, IP addresses and other info

What can I do now?

I deleted all of my old Gmail accounts. I changed all of my usernames everywhere or deleted the accounts associated with them and changed all the passwords. I use Proton and Email aliases when signing up for services and random generated passwords with fake info everywhere(if possible) and I do use a VPN on all of my devices.

Is there anything more I can do?

Because those Emails had my full real name in them and I used them literally everywhere.

top 12 comments
sorted by: hot top controversial new old
[–] CatZoomies@lemmy.world 28 points 1 day ago* (last edited 1 day ago) (2 children)

Nothing much you can do except make it harder for nefarious parties to get your information. If you’re in the U.S. most of your information is public. With two pieces of info about you, you’re one Google search away from your name, physical address, schools you went to, where you’re employed, etc. You can’t stop this, so just make it harder when your data does get leaked.

Here are my best practices:

  • Own my email domain name and use it for generating unlimited random aliases.
  • Update old accounts using a random alias.
  • Generate random usernames using a proper username generator. Unique username per account.
  • If an old account email can’t be updated, changed, or deleted, spoil the information in their system by using fake info and then abandon the account (Anon O’Moose, 1234 Fake Street, Beverly Hills, CA 90210).
  • One email alias per account - never shared.
  • Unique passwords via a password manager (e.g., passwords like ‘Obtuse4-Entangle-Matrix’).
  • Enable TOTP multi-factor authentication wherever possible.
  • For legacy security questions, always use a passphrase generator for the answer, and save both the question and answer into your password manager. “In what city did you go to school?”Answer: “Bandit4-Topic-Guardian”.
  • Save recovery codes for your accounts into your password manager.
  • Leverage virtual credit card numbers if your provider offers it. One virtual card per account - never shared.
  • Create accounts only if you have no choice.
  • Submit your formal request in Opt Out Prescreen to minimise the sale of your info.
  • Delete all centralised social media accounts. Instruct people to text or call you.
  • Switch to Linux completely if you can. Get off Windows and Mac where possible.
  • Get off iOS if you can and try to run a proper trusted degoogled OS where possible. You can experiment with Linux phones in the future, but right now it’s not mature enough yet nor is it as secure as something like Graphene OS on Pixel phones.
  • Get all your data on prem only. If you choose to backup some data for safeguarding online, encrypt it before you upload it.
  • If your phone number has been leaked and you’re getting multi factor code requests, excessive spam, etc. consider setting up a new phone line with new number. Then update all your accounts, employer, government records, etc. to point to the new phone number. Let your contacts know. Once satisfied, deactivate your old phone number.
  • Minimise posting any personal details about yourself online. Never identify physical locations. Make up fake details about yourself, your employment, etc. Make yourself a little more anonymous by providing fake information. One day you have a pet, another day you’ve never had pets, one day you’re divorced, another day you’re 18 years old, etc. Strive to be consistently inconsistent with the data you post about yourself online. Lots of things I’ve said on Lemmy about myself are untrue, while some things are true. It’s important to not reveal personal identifiers as it is trivial for a determined actor to correlate data and pinpoint who you are.
  • Never, ever have any usernames, passwords, email addresses, or security questions that have any meaningful information related to you. ALWAYS use random generators. There is only one password you need to remember, and that is the one password to your password manager. Write it down on paper using pencil (graphite lasts longer than ink) and stick it in a safe.
  • Use a VPN properly and with discretion, based on your privacy threat model.
[–] guest@feddit.org 7 points 1 day ago (1 children)

Only other piece I would add to your great list: have at least one on-site and one off-site backup of your password manager, you're 2FA codes, and your data.

[–] CatZoomies@lemmy.world 2 points 1 day ago

Great input and you’re absolutely correct. Very important to safeguard backups.

[–] guest@feddit.org 1 points 1 day ago (1 children)

Can you explain the VPN part a bit more? What do you mean with discretion here?

[–] CatZoomies@lemmy.world 4 points 1 day ago (1 children)

Use of a VPN depends on your privacy threat model.

Using VPN at all times while using the internet like one normally does is beneficial only to the extent that you encrypt your traffic and prevent your ISP from spying on you… mostly. But if you’re logging into known accounts associated with you, then it’s a moot point. Your traffic is encrypted, but your use of services leaves an easy to follow cookie trail of where you’ve been.

If your privacy threat model is much more serious, then you wouldn’t login to any known accounts while on your VPN. You wouldn’t use services that can be pinpointed to you.

Hence, use a VPN to your discretion. If you generally don’t want your ISP spying on you, keeping it on is always best practice. If you have more things to hide, you’d want to use Tor while on VPN and of course don’t use any services that could be linked to you.

[–] Auli@lemmy.ca 1 points 21 hours ago (1 children)

So you know what the s means in https right. This B's of VPN is encrypted the net is encrypted now.

[–] CatZoomies@lemmy.world 3 points 21 hours ago

HTTPS with no VPN:

You trust the web site to encrypt your data if and only if the web site has properly implemented encryption along with encrypted DNS traffic. Sometimes you make a connection to HTTP before you're redirected to HTTPS. Your ISP can see what web sites you visit, but the ISP can't see what you're doing because the traffic is encrypted so long as encryption is implemented correctly. ISP knows you went to https://www.website.com/.

Conclusion: Your ISP knows exactly what web sites you visit, but can't see what you're doing on the web site (if encryption is properly configured by the web site provider).

HTTP or HTTPS with trusted VPN (e.g., Mullvad):

You trust the VPN provider. Your connections are encrypted entirely. Your ISP can't see what web sites you're visiting nor can they interpret your traffic.

Conclusion: Your ISP is completely blind to what you're doing and where you're going.

ExpressVPN:

"HTTPS is essential for security, but it can only do so much. Don’t fall into a false sense of security—there are limitations to HTTPS protection:

  • HTTPS doesn’t hide what websites you visit. Your ISP or network provider can still see which sites you access, even if they can’t view what you do on them.
  • HTTPS won’t protect data stored on a website. If a site suffers a data breach, HTTPS won’t prevent hackers from accessing your saved information.
  • HTTPS cannot encrypt all your internet traffic. It only secures connections between your browser and a site—not your entire internet activity.
  • You have no control over HTTPS. The protocol is set by website owners, so if you visit a website without HTTPS protection, there is no way for you to enable it." Source: https://www.expressvpn.com/blog/https-vs-vpn/

PureVPN:

"HTTPS:

  • Encrypts data between your browser and websites.
  • Protects against eavesdropping on web transactions.
  • Activated automatically with 'https://' VPN:
  • Encrypts and routes all internet traffic, including from apps.
  • Protects the entire internet connection. A VPN is used to establish an encrypted connection - also referred to as tunnel - between your device and unsecure network like the Internet. Since all your traffic goes through the VPN's server rather than that of your ISP, nobody can find out what you're up to online. What HTTPS Cannot Do?
  • Hide Your IP Address: HTTPS doesn't mask your IP address. Websites and your ISP can still see your IP and location, whereas a VPN hides your IP, making your online presence more anonymous.
  • Encrypt All Internet Traffic: HTTPS only secures data between your browser and websites. A VPN encrypts all your internet traffic, including apps and services outside your browser.
  • Prevent ISP Tracking: Your ISP can still see which sites you visit with HTTPS, they just can’t see the exact content. A VPN encrypts all your traffic, preventing ISPs from tracking your web activities. https://www.purevpn.com/blog/https-vs-vpn/

Here are more sources I won't quote, but you can read:

[–] suicidaleggroll@lemm.ee 14 points 1 day ago* (last edited 1 day ago)

Something I haven't seen mentioned yet - if you're in the US, lock down your credit at all 3 agencies. It takes 10-15 minutes and is free, it's easy to do.

The issue is that many of these leaks include things like your full legal name, phone number, parents' full legal names, your social security number, and your entire address history. This makes it trivially easy for somebody to steal your identity and start opening up credit accounts in your name. You need to lock down your credit before that happens. If you need your credit run in the future (opening a bank account, getting a credit card or loan), just ask them which agency they pull the report from and temporarily unfreeze it so they can run the report, then re-freeze it when they're done. It adds 5 minutes of work once or twice a decade, but could be priceless later on when someone tries to steal your identity.

[–] thebardingreen@lemmy.starlightkel.xyz 10 points 1 day ago

Be as uninteresting as possible. Millions if not billions of people's information of this sort is out there.

[–] thesohoriots@lemmy.world 8 points 1 day ago

Cash in your free two years of identityworks from whichever company leaked it, wait a while, cash in another two years from the next company that leaks it, wait a while, cash in another two years from the next company — you get the idea

[–] catloaf@lemm.ee 4 points 1 day ago

You could change your name. Otherwise, not really.

[–] eldereko@lemmy.dbzer0.com 0 points 1 day ago

delete all your social medias and online accounts