Never mind the so-called dark web – a Which? investigation has revealed that website passwords, signatures, dates of birth and addresses are all readily available on the everyday ‘clear’ web.
Working with experts from cyber-security firm SureCloud, we set out to discover the damage that can be wrought by criminals using personal details available on the public internet.
We recruited 14 volunteers to act as ‘targets’ and then combed social media sites, forums, websites and large deposits of information stolen in company data breaches to build as comprehensive a picture as we could of their lives and personal information.
Within a matter of hours, we were able to develop detailed personal profiles on consenting individuals, just from publicly available data.
Personal data on the web
None of the personal data sources we found were on the ‘dark web’ – a phrase that describes websites accessible only by a specialist browser geared up for anonymity.
We were able to discover passwords and password hints, email and postal addresses, dates of birth, phone numbers, middle names and even signatures. There was also a wealth of ‘softer’ information revealing people’s interests, hobbies, religion and political preferences.
Six of our volunteers were found to have published so much information about themselves that they were at a heightened risk of serious fraud – and we fear that millions of other UK citizens may be, too.
We also easily decoded passwords found in large deposits of information stolen in company data breaches. These too were located on the public internet using conventional web browsers.
Our investigation is an alarming reminder that fraudsters and hackers can commit crimes against us without ever venturing into the hidden part of the web. They can often do this using the personal data we have gladly given away ourselves, as well as data belonging to us that companies have failed to protect.
The information we discovered could have been used to carry out a wide range of frauds, from applying for a bank account in someone else’s name to taking over their existing mobile number and bank account, or tricking them into transferring funds or divulging their own online banking details.
Passwords stolen during company data breaches could easily give criminals the clues they need to hack victims’ accounts on other sites, as many people reuse passwords.
Staying safe online
If you’re concerned about your own online security, the good news is that there are steps you can take to make yourself safer.
- Set strong passwords for all your online accounts. Read how to create and store strong, unique passwords for tips and advice.
- Delve into your social media settings and ensure that fraudster-friendly personal details such as your birthday, middle name and contact details aren’t visible to the public.
- Opt out of the open electoral roll, make your landline telephone number ex-directory and ask to be deleted from online directories.
- Your mother’s maiden name is a matter of public record. If asked to use it for a security question, make up a decoy answer instead (provided you can remember it).
- A new data law has just strengthened your right to find out what organisations know about you and control how it’s used – brush up on your new rights.
- Search haveibeenpwned.com to see if you’ve been the victim of a major data breach and are therefore at increased risk.
- If the worst does happen and you find yourself the victim of a company breach, check out our data loss survival guide.
Our full investigation, ‘What does the internet reveal about you?’ appears in the June issue of Which? magazine.