Stop leaking your identity
Are you inadvertently sharing sensitive information online? We reveal how to identify data leaks and plug the holes in your privacy
It’s becoming increasingly difficult to maintain your privacy online, however hard you try or whatever powerful protections you have in place. Nobody willingly surrenders their email address and password to a data breach, for example, but the frequency and scale of website hacks means it’s almost impossible to avoid getting caught in one.
Fortunately, there are steps you can take to identify when, where and how your personal information has been – or is likely to be – compromised, so you can plug the leaks before it’s too late. In this feature, we reveal the best tools for detecting hidden holes in your online privacy, and explain how you can fix and prevent these vulnerabilities.
We also reveal the shocking truth of just how much your personal data is actually worth to the criminals who are trying to steal it (spoiler alert – it’s nowhere near as much as you’d think).
Have your passwords been stolen?
Everyone knows it’s important to follow proper password etiquette and use unique and difficult-to-guess logins on every site you visit on the web. A combination of letters, numbers and symbols – rather than dictionary words or the names of family members or pets – should mean that attackers won’t be able to easily crack your passwords.
The problem is that websites are hacked almost every day and passwords are leaked or stolen through no fault of the user. When that happens, the affected site should inform you and advise you to change your login details. However, sites often aren’t as forthcoming as they should be, and they might not even discover the break-in for months, or even years, after it happens.
For this reason, it pays to change your password regularly – just in case – and use some of the many tools available that check whether your online accounts have been compromised, or are likely to be. Here’s our pick of the best.
Check if your accounts have been breached
Have I Been Pwned is probably the best known privacy-leak checker and can tell you instantly if your email address was exposed in a breach and when that breach occurred. It also notifies you when your email account is compromised by future breaches.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The site can also check if any passwords you use appear on the web. Have some fun by entering some common (and easy to guess) passwords to see how often they’ve been leaked – ‘password’, for example, has appeared in data breaches 3.7 million times, while ‘123456’ crops up a whopping 23.5 million times.
Firefox Monitor is a similar tool that checks to see if your email address has been compromised and gives details regarding the breaches that affect you. If you use Firefox, you’ll receive a notification when you visit a site that’s been breached.
Monitor multiple online accounts for leaks
Unlike many leak checkers, Spybot Identity Monitor is a downloadable tool. Setting it up is simple – just click My Accounts, then click the buttons at the top to add as many email addresses and usernames as you like. It monitors your details against the Have I Been Pwned database but delivers its results in one simple interface, rather than you having to check each account individually by entering the details on the Have I Been Pwned website.
Find out if your email address has leaked
Avast Hack Check is a very thorough tool that lets you discover which, if any, of your passwords have been stolen. Enter your email address, click Check Now and the site will email you a link to your personal report, which will show you all the instances where your email address was purportedly found on the dark web, alongside any accompanying passwords. Hack Check will also alert you every time your email address and passwords leak in the future.
Check if your passwords are compromised
Another way to check the strength and security of your passwords is to use Google’s new Password Checkup tool, which you’ll find in your Google account. Go to the Password Manager page and select the ‘Check passwords’ link toward the top of the page, then click the ‘Check passwords’ button on the next screen and log into your Google account again. After a few seconds, you’ll be shown a total of the compromised passwords that were found, the number of reused passwords and how many of your online accounts are protected with a weak password. Clicking the down arrow under each section shows which sites are affected.
Click the ‘Change password’ button to visit the site in question or click the three-dot icon to the right of this button to view the troublesome password, and update it or delete it.
Test the strength of your passwords
If you’re confident that your passwords are so tough that no hacker stands a chance of cracking them, How Secure is My Password and Kaspersky Password Check will quickly disabuse you of this notion. Enter any password into either site and they will tell you how long it would take a computer to crack it. The results, however, can vary wildly – we entered ‘4camelshave8humps’ and How Secure is My Password said it would take 227 million years to crack, while Kaspersky’s tool said eight days, then later changed this to 6,920 centuries!
Fake your email address and identity
One way to ensure your email address and passwords don’t get compromised is to limit the number of places they appear on the web. You can use a temporary email address from the likes of Temp Mail on sites where you don’t need to enter or share any real personal data, or that you’re only likely to use once.
Another option is to create a fake identity to use when you register with websites and have to create profiles on them. Fake Name Generator can build you an entirely fictitious identity, complete with a fake name, address (in a country of your choosing), phone number, email address (that actually works), date of birth and employer. Other information generated could include a fake credit card number, bank account and cryptocurrency address (don’t try to use these for real!), as well as favourite colour, car make and model, and height, weight and blood type!
Is your data being sold on the dark web?
The dark web is a collection of websites on an encrypted network that can only be accessed using the Tor Browser. It’s home to lots of criminal activity – you can buy drugs, guns and counterfeit currency, as well as credit card numbers, stolen subscriptions, bank logins and usernames and passwords.
Dark websites look similar to regular sites, but they’re harder to find (regular search engines don’t index them) and end in ‘.onion’, rather than ‘.com’ or ‘.co.uk’. However, some companies claim they can scan the dark web and alert you if your personal information is found there. The trouble is that free scans don’t usually reveal much, and many companies offering ‘dark web scans’ require you to sign up for a paid-for service. The truth is that the dark web is – by its very nature – very hard to scan, and most if not all of these services are probably just checking to see if your details appear on regular security sites such as Have I Been Pwned (see above). If your personal data was leaked in a breach, you can pretty much guarantee it will be somewhere on the dark web and, infuriatingly, you won’t be able to remove it.
Are you sharing too much data?
The answer to the above question is pretty much guaranteed to be a resounding “yes!”, although there’s a good chance you won’t know exactly how much data you’re sharing. Browser add-ons, mobile apps and websites routinely request all sorts of permissions and most people blindly wave them through because denying them can create obstacles. If you say no to a permission requested by an app, for example, then it may not work as intended, or might not work at all. Sometimes, though, these permission requests are spurious and used to gather user data for advertising – or even malicious – purposes.
Find out which apps can access your data
If you haven’t done so recently – or indeed, ever – it’s worth running an audit to see what data you’re sharing and revoke access to anything you don’t like the look of. MyPermissions is a free privacy cleaner for Android and iOS that aims to show you which apps are accessing your personal data, and what permissions they have. Recent reviews have been rather scathing about the app’s effectiveness, however, so another option worth considering is aSpotCat – Permission Checker for Android.
Prevent unwanted access to your accounts
Privacy Cleaner for Chrome, also from MyPermissions, scans major services, including Facebook and Twitter, for third-party tools that have been given permission to access your private info, so you can revoke unwanted permissions. Like the mobile app, we’ve found it to be a bit hit and miss, but it managed to uncover a couple of unwanted services when we used it, so it’s worth a try.
For Firefox users, there’s Project Insight, which shows you the permissions granted to your installed add-ons, as well as the domains they are allowed to access. Once installed, just click the toolbar button in your browser and it will check all your add-ons and search sites (including the likes of eBay, Wikipedia and Amazon) with requested permissions. In many cases, websites will appear in the list purely because they are allowed to run in Private Browsing Mode.
Discover which websites are tracking you
Who’s Watching You doesn’t check which permissions you expressly granted, but rather looks into the privacy policies of some of the web’s biggest companies – including Facebook, Google, Amazon, Instagram, LinkedIn and Twitter – to see what details they track. Just click one of the icons to display a breakdown of the sort of things that site records. You can filter the list of sites to see which ones track your location, ignore Do Not Track requests, have access to your messages, record device information and usage, and actively engage with third-party sites (such as Facebook with its ubiquitous Like buttons).
Tighten your privacy settings on Facebook
In the wake of last year’s Cambridge Analytica scandal, Facebook earned a reputation for not caring about user privacy and has been trying to win back trust by giving users more control over their data. One thing you can now do is run Facebook Security Checkup, which lets you see unused apps and browsers that you’ve logged into and gives you the chance to log out of them. You can enable Login Alerts, which will cause Facebook to let you know if your account gets logged into from an unrecognised device and browser, and you can also get some tips on password protection.
If you scroll down to the bottom of the window, you can open your Security Settings and, from here, see where you’re currently logged in from, change your password, enable two-factor authentication (2FA) and access privacy settings. This last option lets you control who can see your posts, see your list of friends and view your email address.
Review the security of your Google account
Google also offers a Security Checkup tool, which shows you all devices that have accessed your Google account in the past, and lets you review any recent security events, in case there is cause for concern. Google is usually very good at alerting you via email when a new or unknown device accesses your account. You can also enable 2-step verification here, see which third-party apps have access to your data and remove any you’re unhappy with, and view and manage blocked email addresses (and other ‘sensitive’ settings) in Gmail.
Is your browser leaking personal information?
Even if you take care to use strong login credentials and change them at the first sign of a security breach or after a set period of time, and even if you’re very careful about what you share online and what permissions you grant, your personal information could still be at risk – without you even knowing. That’s because your browser and other software could be revealing identifiable data about you. There are lots of tools you can use to check and stop this, and it’s worth trying the following ones to detect and plug the leaks in your browser privacy.
Test your web browser for privacy leaks
Irrespective of which browser you use – be it Chrome, Firefox, Edge, Vivaldi or something else – BrowserLeaks can show you what personal data is being shared online without your knowledge or permission. The tool offers a number of tests covering IP Address, JavaScript, Flash Player, WebGL, Content Filters and Geolocation API. Just select a test and BrowserLeaks will immediately show you exactly what information is being leaked through your browser. In the case of the IP Address test, for example, it will show your local and public IP addresses, ISP, country, city, connection type, latitude/longitude, DNS servers and browser type. It will also plot your current location on a map to reveal if you’re unwittingly leaking details of where you are.
Ensure your browser is blocking trackers
Most web browsers now offer a ‘do not track’ feature that, when enabled, will tell sites that you want to opt out of behavioural targeting (when adverts are tailored to your interests) and not be tracked. You can check to see whether this is switched on in your browser by looking in the Settings.
In Chrome, click the three-dot button in the top-right corner of the browser and open Settings, then scroll down, click Advanced and, under Privacy, make sure ‘Send a ‘Do Not Track’ request with your browsing traffic’ is enabled. In Firefox, click the three-line menu button and open Content Blocking. Mozilla’s browser gives you two choices: you can send a Do Not Track signal ‘Always’ or ‘Only when Firefox is set to block known trackers’ (the default setting).
While ‘Do Not Track’ sounds like a great way to safeguard your privacy, websites are under no obligation to respect your request, and most don’t. Panopticlick (panopticlick.eff.org), from the Electronic Frontier Foundation, lets you check to see how well your browser and add-ons protect you against online tracking methods. You can run a sample test, or test your browser using a real tracking company. Just click the Test Me button and wait while the scan runs. It will show you if your browser is blocking tracking ads and invisible trackers, and whether it stops those which are in the ‘acceptable ads’ whitelist. It also shows you whether your browser unblocks third parties that promise to honour Do Not Track.
Scan your network’s ports for vulnerabilities
Every IP address has thousands and thousands of ports – numbers which are added to the header of data packets transmitted on a network. These are used for routing traffic to where it needs to go. Certain ports, such as port 80 (HTTP), tend to be locked down but other common ports could be open and vulnerable to hackers. An open port essentially means that it’s active and the computer is listening for connection requests. It’s a bit like an open door to your PC and could potentially allow attackers to exploit vulnerabilities on your system. Most routers have a ‘Stealth Mode’ which is designed to make open ports less obvious to outsiders by hiding their status, and you can enable this in your router settings page (see the manual or underside of the router for instructions on how toaccess these settings).
To check the status and security of your ports, you can use GRC ShieldsUp. This online service runs a number of different tests, including checking for exposed Universal Plug n’Play (UPnP) protocols and the status of file sharing, common ports and all service ports, as well as browser header information.
Check your browser for security holes
Ideally, you should make sure you’re running the newest version of your browser at all times because this will help protect you from the latest threats. Your browser should alert you when a new version is released, although you can manually check for a new update at any time. In Chrome, click the top-right three-dot menu and go to Help, About Google Chrome to check for any updates. In Firefox, click the three-line ‘hamburger’ button and go to Help, About Firefox.
To make sure your browser is properly protected, you can run Qualys Browser Check, which scans your browser and plugins looking for potential vulnerabilities and security holes. If it finds a problem, it will provide information on the issue and give you the chance to fix it by downloading an update. The add-on works with all the major browsers and you have the option of installing a plugin to perform a thorough check or running a quick scan without it.
How much is your personal data worth?
Your personal data is priceless to you, but to hackers and scammers, it’s actually worth surprisingly little. Totally Money has a personal data quiz that lets you put a price on various types of basic personal information, such as your email address and telephone number, and then reveals the actual total worth, which really isn’t much at all.
Top10VPN’s Dark Web Market Price Index – 2019 (UK Edition) looks at the price of some of the data you can find on the dark web, including hacked accounts for services such as Netflix and Fortnite. According to the site’s research, an entire online identity is valued at just £770, while a Netflix account alone is worth £8.19, an Amazon account £14.53 and an Uber account £7.61. Facebook is valued at £6.96 and Twitter at £1.54.
Delete your private data automatically What is your password worth? General Data Protection Regulation (GDPR) GDPR fines: Where does the money go? The best passwords are the ones you can't remember
Personal bank details were priced at £347.68, credit card details at £24.91, PayPal at £14.06, driving licence info at £13.28, passports at £9.93 and Gmail account logins at £4.48.
To arrive at its figures, Top10VPN reviewed tens of thousands of listings across five of the main dark web markets – Dream, Wallstreet, Empire, Berlusconi and Tochka Free. It focused on listings featuring stolen ID, personal data and hacked accounts, and excluded any massive data dumps.