I put my old Gmail accounts on websites like haveibeenpwned.com osintleak.com pentester.com and osint.industries
And the results had a lot of personal info like old usernames I used, old passwords, IP addresses and other info
What can I do now?
I deleted all of my old Gmail accounts. I changed all of my usernames everywhere or deleted the accounts associated with them and changed all the passwords. I use Proton and Email aliases when signing up for services and random generated passwords with fake info everywhere(if possible) and I do use a VPN on all of my devices.
Is there anything more I can do?
Because those Emails had my full real name in them and I used them literally everywhere.
Something I haven’t seen mentioned yet - if you’re in the US, lock down your credit at all 3 agencies. It takes 10-15 minutes and is free, it’s easy to do.
The issue is that many of these leaks include things like your full legal name, phone number, parents’ full legal names, your social security number, and your entire address history. This makes it trivially easy for somebody to steal your identity and start opening up credit accounts in your name. You need to lock down your credit before that happens. If you need your credit run in the future (opening a bank account, getting a credit card or loan), just ask them which agency they pull the report from and temporarily unfreeze it so they can run the report, then re-freeze it when they’re done. It adds 5 minutes of work once or twice a decade, but could be priceless later on when someone tries to steal your identity.
delete all your social medias and online accounts
Nothing much you can do except make it harder for nefarious parties to get your information. If you’re in the U.S. most of your information is public. With two pieces of info about you, you’re one Google search away from your name, physical address, schools you went to, where you’re employed, etc. You can’t stop this, so just make it harder when your data does get leaked.
Here are my best practices:
- Own my email domain name and use it for generating unlimited random aliases.
- Update old accounts using a random alias.
- If an old account email can’t be updated or changed, spoil the information in their system by using fake info and then abandon the account (Anon O’Moose, 1234 Fake Street, Beverly Hills, CA 90210).
- One alias per account - never shared.
- Unique passwords via a password manager (e.g., passwords like ‘Obtuse4-Entangle-Matrix’).
- Leverage virtual credit card numbers if your provider offers it. One virtual card per account - never shared.
- Create accounts only if you have no choice.
- Submit your formal request in Opt Out Prescreen to minimise the sale of your info.
- Delete all centralised social media accounts. Instruct people to text or call you.
- Switch to Linux completely if you can. Get off Windows and Mac where possible.
- Get off iOS if you can and try to run a proper trusted degoogled OS where possible. You can experiment with Linux phones in the future but right now it’s not mature enough yet.
- Get all your data on prem only. If you choose to backup some data for protection online, encrypt it before you upload it.
- If your phone number has been leaked and you’re getting multi factor code requests, excessive spam, etc. consider getting a new phone number. Then update all your accounts to point to the new phone number. Once satisfied, deactivate your old phone number.
Only other piece I would add to your great list: have at least one on-site and one off-site backup of your password manager, you’re 2FA codes, and your data.
Can you explain the VPN part a bit more? What do you mean with discretion here?
Cash in your free two years of identityworks from whichever company leaked it, wait a while, cash in another two years from the next company that leaks it, wait a while, cash in another two years from the next company — you get the idea
Be as uninteresting as possible. Millions if not billions of people’s information of this sort is out there.
You could change your name. Otherwise, not really.
