When you think of hackers and criminals operating online, you might think of the so-called ‘dark web’. But scammers and criminals don’t need to delve this deep to steal your information. Faye Lipson explains more…
The ‘dark web’ is seen as a nefarious internet underworld where whole identities are traded for a few pounds each, but in truth it’s simply a part of the internet which can’t be accessed by conventional browsers such as Internet Explorer, Chrome, Firefox or Safari. Instead, you must use a specialist browser called Tor (short for ‘The Onion Router’) which has been modified to keep its users anonymous.
Many of us fear what the dark web knows about us, though we have precious little control over it and would struggle to access it safely without expert help.
Yet what we should really worry about is actually how most of us use the web on a day-to-day basis: the strength of our passwords and the amount of personal information we freely make available on easily accessible websites.
A decade of us being overgenerous with our personal data, and companies failing to secure it, has made the ‘everyday’ web a paradise for fraudsters and hackers.
Information security expert Troy Hunt famously founded haveibeenpwned.com – a directory of major data breaches that victims can search using their email address – and said that ‘almost every single record [on the site] came off the clear web’.
Staying safe online
With this in mind, we set out to discover the damage that can be wrought by criminals using only the public internet.
Working with expert cybersecurity firm SureCloud, we recruited 14 volunteers as ‘targets’ and combed social media sites, forums, shopping sites, digitised public records and large deposits of information stolen in company data breaches to build as comprehensive a picture of their lives and personal information as we could.
The results were shocking. We were able to discover passwords and password hints, email and postal addresses, dates of birth, phone numbers, middle names and even signatures. We also uncovered a wealth of ‘softer’ information on people’s interests, hobbies, religion and political preferences.
The information could have been used to perpetrate a wide range of frauds, from applying for a bank account in someone’s name to taking over their existing mobile number and bank account, or ‘socially engineering’ them into divulging online banking details.
And passwords stolen in particular company data breaches could easily give criminals the keys to victims’ accounts on other sites, as many people reuse passwords. For more on this investigation see our news story.
Seizing your digital destiny
If you’re feeling alarmed about your own online security, the good news is that there are steps you can take to make yourself safer:
- Follow our tips on how to create and store strong, unique passwords for every site.
- Delve into your social media settings and make sure fraudster-friendly personal details such as your birthday, middle name and contact details aren’t visible to the public.
- Opt out of the open electoral roll, make your landline number ex-directory and ask to be deleted from online directories.
- Your mother’s maiden name is a matter of public record. If asked to use it for a security question, make up a completely fake decoy answer (providing you can remember it).
- A new data law has just strengthened your right to find out what organisations know about you and control how it’s used – brush up on your new rights.
- Search haveibeenpwned.com to see if you’ve been the victim of a major data breach.
Do you feel truly in control of your digital identity, or do you fear you’ve exposed too much of your data online? Are you doing anything differently in light of recent stories such as the Cambridge Analytica scandal?