
How much of your personal information is available online?

When you think of hackers and criminals operating online, you might think of the so-called ‘dark-web’. But scammers and criminals don’t need to delve this deep to steal your information. Faye Lipson explains more…

The ‘dark web’ is seen as a nefarious internet underworld where whole identities are traded for a few pounds each; but in truth, it’s simply a part of the internet which can’t be accessed by conventional browsers such as Internet Explorer, Chrome, Firefox or Safari. Instead, you must use a specialist browser called Tor (short for ‘The Onion Router’) which has been modified to keep its users anonymous.

Many of us fear what the dark web knows about us, though we have precious little control over it and would struggle to access it safely without expert help.

Yet what we should really worry about is actually how most of us use the web on a day-to-day basis: the strength of our passwords and the amount of personal information we freely make available on easily accessible websites.

A decade of us being overgenerous with our personal data, and companies failing to secure it, has made the ‘everyday’ web a paradise for fraudsters and hackers.

Information security expert Troy Hunt famously founded haveibeenpwned.com – a directory of major data breaches that victims can search using their email address – and said that ‘almost every single record [on the site] came off the clear web’.

Staying safe online

With this in mind, we set out to discover the damage that can be wrought by criminals using only the public internet.

Working with expert cybersecurity firm SureCloud, we recruited 14 volunteers as ‘targets’ and combed social media sites, forums, shopping sites, digitised public records and large deposits of information stolen in company data breaches to build as comprehensive a picture of their lives and personal information as we could.

The results were shocking. We were able to discover passwords and password hints, email and postal addresses, dates of birth, phone numbers, middle names and even signatures. We also uncovered a wealth of ‘softer’ information on people’s interests, hobbies, religion and political preferences.

The information could have been used to perpetrate a wide range of frauds, from applying for a bank account in someone’s name to taking over their existing mobile number and bank account, or ‘socially engineering’ them into divulging online banking details.

And passwords stolen in particular company data breaches could easily give you the keys to victims’ accounts on other sites as many people reuse passwords. For more on this investigation see our news story.

Seizing your digital destiny

If you’re feeling alarmed about your own online security, the good news is that there are steps you can take to make yourself safer:

Follow our tips on how to create and store strong, unique passwords for every site.

Delve into your social media settings and make sure fraudster-friendly personal details such as your birthday, middle name and contact details aren’t visible to the public.

Opt out of the open electoral roll, make your landline number ex-directory and ask to be deleted from online directories.

Your mother’s maiden name is a matter of public record. If asked to use it for a security question, make up a completely fake decoy answer (providing you can remember it).

A new data law has just strengthened your right to find out what organisations know about you and control how it’s used – brush up on your new rights.

Do you feel truly in control of your digital identity, or do you fear you’ve exposed too much of your data online? Are you doing anything differently in light of recent stories such as the Cambridge Analytica scandal?


I know “everybody” knows my data as I always use my real name but as I never click on any rogue emails like the one from “BT Mail” (nice try) today secrecy in that aspect doesn’t bother me but tracking for profit certainly does, I resent it intensely – many don’t but that is their choice. BT why did your US email service let that malware email through while my Russian one with good AI and virus control blocked it? I agree with the basics of this convo but even as we speak I have been notified that Facebook has perpetrated a type of fraud in its presentation of its GDPR email to its users and already complaints have been filed with the European Centre for Digital Rights by a Facebook user against “Facebook Ireland LTD” (Eire to be exact - tax dodging) by requiring the user to agree to the entire privacy policy and new term in one document including a clause that allows Facebook to provide TARGETED ads thus - EMPOWERING (remember that legal definition) as it applies to many of those emails – the company to process personal data as necessary to fulfill its “contractual obligations” - not making it clear they don’t have to agree and delete their account only giving you a big I AGREE to click on other options hidden / blocking accounts if they don’t agree at 25-5-2018. Leaving fake “red dots” to try to make you think you have messages. With all this happening to you by a massive US social network conglomerate taking “safeguards” elsewhere has to be put into perspective.


I sometimes wonder how we came to allow the social minefield called Facebook to take over our lives and put our security in jeopardy. I have never been there but most people have and I know many who wish they could rewind and rewrite their history. It must be one of the most phenomenal lifestyle experiments in social history and I cannot make up my mind whether Zuckerberg and the others saw its full potential at the outset [pure genius if so] or whether they astonished themselves at how it exploded way beyond its ‘innocent’ origins and expectations into the all-pervading monster it has become.

Patrick Taylor says:
31 May 2018

Agree JW.

I do wonder how much leverage through a content hungry media allows some ideas to escape beyond the original concept. Looking at AirBnB which was for people to let spare rooms we now have a monster where landlords buy and operate portfolios of properties in major cities whilst avoiding H&S and other regulations. Not to mention taking out of use flats for local people.

Perhaps there is a lack of critical evaluation at the early stages by those entrusted to govern on the significant downsides that could follow in the wake of very well-financed and connected ventures.

In case you would like some insight into the way it evolved and the serious money invested ..


Basic email is useful for sending messages quicker than through a post box. One is likely to get a reply sooner too. After that, any other social media seems irrelevant. I have no desire to make instant comments on the world or what I had for breakfast, and, as you may have noticed, I don’t particularly like restricting what I write to a set number of words, just to twit to someone, or even tweet. Since an American began doing that it has debased the currency somewhat. Facebook does allow you to send photos when emails crash when overloaded. However all their likes and dislikes put me off. I seem to be able to communicate with relatives fast enough without it, and important photos go on a stick in a jiffy bag with a stamp on it. Anyone with enough time and effort could go through all I’ve put on here over the years and build a pretty good picture of my life and interests. However, I don’t keep any active passwords on here, so they would have to get them from careless sites I communicate with. Not much I can do to stop that. My other safeguard is to do as little as possible financial electronically. If it isn’t on the computer, it can’t be hacked. I also back up files so that they are available if the computer is compromised in any way, or it just breaks down. I appreciate that others have a greater need to use the internet for serious data transfer and the more they do, the more they must find ways of protecting themselves. Ultimately it is a battle between those who wish us harm and those who try and protect us. While the criminals have a free rein and are not caught in significant numbers, they have the edge and the tools to do some serious hacking. We can just hope we aren’t interesting enough to get their time and attention. It’s an unpleasant electronic world and it has been spoiled by those with evil intent. We’re back to Adam, Eden, the serpent and the apple. Eve got hacked.


Phone messaging also works well for me.


I don’t know if the public really takes this seriously or bothers about it until they get phone calls telling them all their personal details or emails and are hit by adverts knowing their age, nationality, sex, income, location etc and letters if over 50 with death policies/insurance etc. To help with this I have a USA website that states at length but in plain English the extent of the information gathering and means of doing it by the Markkula Center for Applied Ethics - titled Unauthorized Transmission and Use of Personal Data via the Santa Clara University https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-and-use-of-personal-data/ read it all - no speed reading please. Sorry if you get a 404 I was able to get it with a small Linux type browser.


I can’t get that link to work, Duncan, but here is a document on the same site: https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-transmission-and-use-of-personal-data/


Same one Wavechange but WHY doesn’t my link work when it’s identical to yours? Which controls things here.


Your link does not contain ‘transmission’. Did you not use copy & paste?


You’re right Wavechange, no I didn’t use copy + paste, I am beginning to worry about myself now (“senior moment”?)


I don’t think I can teach you much about computers but I contribute Ctrl+c to copy and Ctrl+v to paste. 🙂


Control+a to copy all. Control+x to copy and delete the original. I find when you become senior your brain gets full much more quickly. Don’t worry duncan; what’s in your head is very valuable to us all. 🙂


Thanks to both of you, I really do worry about such things, “losing my mind” isn’t something I could live with.


Not much sign of that yet, Duncan, but the way that our regulars constantly go off-topic might suggest we are starting to lose the plot a bit.


I use Facebook to help promote a charity that I’m involved with, for example by publicising events. I don’t put any personal information on FB and I have no Facebook Friends. If someone asks a question I’m happy to provide an answer but usually someone gets there before me. It never fails to amaze me how quickly some people read and respond to posts on FB, often replying with supportive comments.


It’s interesting to see what people post on Which? Conversation.

Sometimes contributors have the same username on this and other sites. At one extreme it’s a way of getting round the Terms & Conditions, for example to help make readers aware of a pressure group or a company.

Years ago, one of our former contributors mentioned in different posts the city where he lived and that he was involved in the NGS open garden scheme. In one or maybe more posts he gave his full name. It was easy to find his address, phone number and email address. Now there is a personal website describing his interests, so I suspect that the intention was to encourage other contributors to get in touch.


One website I am a member of sent me an email with the latest Facebook/Android/Twitter data gathering read in detail as I still think people aren’t appreciating the depth of the data gathering maybe this will start to open a few eyes instead of posts of – “I don’t believe you” https://www.hackread.com/android-apps-chrome-extensions-collect-facebook-data/, By the way, thank you again Wavechange and malcolm I used the copy and paste built into Arch Linux to transfer the URL in two quick moves I think I am “mentally lazy” and just don’t bother making life easier for myself.


Derek/Wavechange - heard of Thermanator? It steals passwords by reading thermal residue on keyboards. Yes it’s backed by THREE scientists and at least one of them is a Professor. https://www.bleepingcomputer.com/news/security/thermanator-attack-steals-passwords-by-reading-thermal-residue-on-keyboards/ this allows recovering a BANKING pin, or PASSWORD. Dated 4-7-2018


Interesting, but it relies on a thermal camera being in exactly the right place over a keyboard and presumably some way of identifying the individual who last pressed the keys. Although the keys that had been pressed could be identified after the event by the thermal camera I couldn’t see how it knew in which order they were pressed. Without a bank card in the slot, or knowledge of it or of the cardholder, the PIN or password is useless, surely?


Well you are right John but if the person doing it is in the house at the same time as the card holder it makes it easier to steal his wallet and use his card, a thing done frequently in the USA. A party - a “friend” says John - (after nabbing your card) I am going out to buy more drink back to the party soon, does the transaction, returns to house, replaces card.


This is more to do with offices, I think. An app on an iPhone could accomplish it pretty quickly and easily, but there are far easier ways of getting passwords. Loggers, for one.