It’s been said a million times, but it’s worth saying again: Once you put something on the internet, it’s on the internet for good. This includes content that may one day damage your reputation, including photos or videos posted to social media, radical opinions published to blogs under your name and personally identifiable information such as a contact info, your address, credit card data or Social Security numbers.
Part of the reason for this is just how easy it is to share information on the web. The second you post something online, there’s a chance that someone else has seen it. Even if it’s only been up for a few brief moments, try as you may, it’s all but impossible to rescind your offering to the world wide web.
Furthermore, just because a content provider tells you that something was deleted doesn’t necessarily mean that it’s been sent to oblivion. Take the example of Facebook photos. In 2012, Jacqui Cheng, editor at Ars Technica made an interesting discovery. Photos that she had deleted from Facebook in 2009 and 2010 could still be accessed online by anyone who had the direct link to the picture. This is because, while the photos had been taken down from the site, they had not yet been removed from Facebook’s servers. In fact, in response to the question of what happens when content is deleted from a Facebook page, the social media giant offers the following answer:
“When you choose to delete something you shared on Facebook, we remove it from the site. Some of this information is permanently deleted from our servers; however, some things can only be deleted when you permanently delete your account.”
Needless to say, if you believe there is even a remote chance that you’ll regret posting something, don’t do it. But what about the information that you upload without the intent of sharing? For example, there’s some data or content that you might be willing to share privately with certain social media contacts, but wouldn’t post openly on your Facebook page or to Twitter. Is this technically on the internet? Do the same rules apply for email?
Unfortunately, the answer to both of these questions is yes. This is because the only thing that stands between every internet user in the world and your email and social media data is often a password. Anyone who steals that password can readily access information that you thought was “private.”
Thus, we lead into the first lesson of understanding your digital footprint: Content’s life on the internet begins the moment it’s uploaded, not the moment it’s shared.
The problem of forgotten accounts
Digital footprint is the term used to describe traces of online information or data. The important thing to understand about this footprint is that you take it with you everywhere you go on the internet. Every time you sign up for something, create a new service account or join a social media network, you are stepping into that web server. All of the information you share stays there, unless you, or someone else, deletes it, and even then, assurance of its destruction is tenuous at best.
The problem, however, is that as people sign up for new services and social networks, they often forget about the old ones. Interests and trends change, but the data you leave behind stays the same. Rather than deleting these abandoned accounts, users simply go on to the next thing. While they might forget that they ever had 400 friends on Myspace, the internet never will.
In fact, there’s a good chance that a user will forget his or her password for older social media accounts. Perhaps they’ll even abandon the email address that they used to create the account as well. It’s out of sight, out of mind – but not for hackers.
If, for instance, hackers manage to break into a social media account that has not been active for a long time, but was never actually deleted, data such as contact information, names and any private or potentially incriminating information is then available to them. They could then use this personal information to extort the account holder – be it private pictures, messages that allude to illegal activity or infidelities, or something else.
An example of this occurred recently when extramarital affairs web service Ashley Madison was leaked, resulting in the email addresses of tens of millions of users being captured by a hacking group. The cyberattackers responsible demanded that the website be taken offline, or that it would publicly list all of the email addresses. In this case, there was no monetary gain from the blackmail. However, after Ashley Madison’s parent company refused to meet the demands, the data was dumped – and we can only imagine, so too were a lot of cheating spouses.
In fact, it’s possible that many of the email addresses that ended up on that list were from account holders who hadn’t used the site in years. But as mentioned above, once you upload information to the web, it’s there for good. This is especially apt to remember in the Ashley Madison case. As it turns out, the website offered users a one-time fee in exchange for the promise that all trace of them using the site would be deleted. Apparently, they didn’t keep their word.
Once hackers have your data, they have it forever
Just as data that was once on the internet is most likely always on the internet, a hacker who manages to steal user data can keep it as long as they’d like, or until that data becomes irrelevant. This is true for any and all data, including stolen passwords.
In a recent blog post about an online extortion scheme, Trend Micro pointed out “an intriguing trend” that involves the use of old internet accounts to gather information about potential cyberattack victims. The first and most notable example the author cited was a recent leak of LinkedIn that resulted in the theft of emails and passwords belonging to 167 million LinkedIn users dating back to 2012. According to Motherboard, at the original time of the leak, only 6.5 million passwords were posted online, and LinkedIn never disclosed the full extent of the leak.
This came back to haunt the professional networking site this May, when a hacker known only as “Peace” began trying to sell 117 million sets of LinkedIn account credentials. Any users that have not changed their password since 2012 are therefore at risk. Scarier yet is the fact that whoever stole these passwords technically has free access to these accounts.
It’s not just LinkedIn that’s been targeted for old login credentials. Several other popular social networking sites have recently had to deal with similar attacks:
Shortly before the LinkedIn incident came to light, popular media sharing platform Tumblr announced that way back in 2013, as many as 65 million account passwords and email addresses were stolen. These credential only became available on the dark web recently, and Tumblr has encouraged its users to immediately change their passwords.
The same hacker responsible for both the LinkedIn and Tumblr leaks, Peace, has also claimed responsibility for the leak of the has-been social media platform, Myspace. More specifically, the hacker is believed to have possibly stolen 360 million passwords from accounts created prior to June 2013, which according to Trend Micro, makes it one of the largest password leaks of all time. Granted, Myspace accounts are not hot-selling items per se. However, if other information can be ascertained from these accounts, such as contact information or content that can be used for the purposes of extortion, users who haven’t checked their Myspace profile since 2013 could find themselves in a very Kafkaesque situation.
Data that was stolen from the adult dating website, Fling, including “email addresses, plain text passwords, usernames, IP addresses, dates of birth and even sexual preferences, sexual desires, among others,” has also been found to be on sale on the dark web for more than $400. Once again, all of the information dates back to 2011, and as pointed out by Trend Micro, it “makes for an effective bait to make a target cave in on an extortionist’s demand.”
The bottom line
Your digital footprint is far more comprehensive than you probably ever imagined. Something as forgettable as an old account – and even more seemingly extraneous, the passwords to these accounts – can quickly turn into fodder for cyber crime.
The bottom line is that forgetting about an old account could allow hackers to easily steal personal information. If you’re reading this, we advise you to go delete any accounts that you may not use anymore. Hopefully, you can remember the password to these accounts before someone else steals them.
Also, as a general best practice, try to change your passwords at least once every few months. Finally, avoiding sign up for any services, or creating any data that you know you aren’t proud of. And if you have to, clean up your tracks. If you don’t, hackers will trace your digital footprint right back to you.