I spend my days securing infrastructure, but I still https://linuxsecurity.com/news/security-trends/search-exposure-linux-security perform a "vanity search" on myself once a quarter. Last month, I found my personal cell number on a site I’d never visited, sitting right next to an old home address. It’s a classic "tiny leak" that turns into a massive incident when a threat actor decides to target you.
If you just Googled yourself and didn't like the results, you aren't alone. This is the reality of the modern identity-driven attack surface. Here is how you clean up the mess and stop the bleeding.
The OSINT Reality Check
Before you start panicking or clicking "delete" buttons, understand what you are looking at. Most of these sites aren't hacks. They are data brokers. They scrape public records, property deeds, social media, and site registrations to build a dossier on you. They monetize your existence by selling that profile to anyone with a credit card.
When an attacker targets a sysadmin or a dev, they don’t start with a zero-day exploit. They start with reconnaissance. They use the same tools I use to map network assets, but they point them at humans. They use Google dorks to find exposed configs on GitHub, then pivot to data brokers to map those usernames to real-world phone numbers and addresses. That phone number is the first step toward SIM swapping or a highly personalized phishing campaign.
Immediate Steps: Public Directory Removal
You cannot make yourself invisible, but you can make yourself annoying enough to target that an attacker moves on to someone else. Reduce your discoverability by systematically stripping your info from the biggest offenders.
1. Use Google’s Removal Tool
Google has made it easier to request the removal of personally identifiable information (PII) from search results. If your phone number is appearing in a way that poses a risk (like linking it to your physical location), use their official removal request form. It won't delete the data from the source, but it stops the link from showing up in the world's most popular search engine.
2. Target the Data Brokers
There is no "master switch" to delete your data. You have to go to the sites directly. Start with the "Big Four" data brokers: Whitepages, Spokeo, MyLife, and BeenVerified. Look for their "Privacy" or "Opt-Out" pages at the bottom of their homepages.
Pro tip: Do not use your primary email address for for these requests. Use a dedicated burner alias. These sites often try to capture more data while you’re "requesting" to have your current data removed.
The "Tiny Leaks" Checklist
Data brokers are just the tip of the iceberg. You are likely leaking info through mundane daily tasks. Stop doing these five things immediately:
- Exposing email addresses in GitHub commits: Check your global Git config. If your personal email is hardcoded into your commits, it’s being indexed by every scraper on the planet. Change your local config to use a "no-reply" address. Registering domains with public WHOIS: Always enable WHOIS privacy. If you don't, your home address and phone number are in the ICANN database for anyone to query. Over-sharing on professional networks: We all want to look good on LinkedIn, but listing your direct office line or specific projects can provide a blueprint for social engineering. Using the same username everywhere: If your Twitter handle is the same as your GitHub handle and your email handle, you have created a "pivot point." Use unique identifiers for different platforms. Ignoring "Terms of Service" on free apps: If the app is free, you are the product. Check what permissions you’ve granted to those "fun" personality quizzes or address-book scanners. Comparison of Privacy Actions Not all actions provide the same level of security. Use this table to prioritize your efforts. Action Difficulty Security Impact Google Search Removal Easy Moderate Data Broker Opt-Outs Hard (Time consuming) High Git Config/Email Scrubbing Easy Very High Changing Phone Numbers Very Hard Extreme What About Paid Services? You might be tempted to use automated "remover" services. Do they work? Sometimes. They act as a shell between you and the brokers. However, they are essentially the same as doing it yourself, just faster. If you go this route, check the company's background thoroughly. You are handing your PII to a company so they can use it to delete your PII elsewhere. If they get breached, you’re back to square one. I’ve checked several common removal services. Regarding their pricing models, I found that there were No prices found in scraped content—most use opaque "get a quote" models or gated trial periods. Be wary of any service that hides its subscription costs behind a sales call. Maintain Your Perimeter If you want to stay up to date on how your data is being used and how threats are evolving, keep an eye on resources like LinuxSecurity.com. They frequently cover the intersection of system administration and individual privacy, which is exactly where most of us live. Privacy isn't a one-time project; it’s a maintenance task. Treat your personal identity like a server. Patch it, audit the logs, and remove unnecessary services (or in this case, profiles). You’ll never be 100% hidden, but by removing the low-hanging fruit, you stop being an easy target. Go run that search again in six months. If your data is back, the cycle repeats. That’s just the cost of doing business in a connected world.