SHIELD FR

Reality of exposure

Your data is already public. What that actually changes.

The privacy-first fiction serves everyone but you. Honest inventory of what's already out there, and the strategic shift toward assumed-exposure operational security.

9 min read · Threat level: General public

This version was translated with AI assistance and reviewed by a human.

The client signs the NDA, files the contract in the safe, and their historical email inbox just got dumped on a Russian forum. I see this every year. The NDA never protected their data. It just protected the feeling that it was protected.

The common trap

The dominant narrative goes like this: protect your data. Build walls around it. Get compliant. The entire framing presupposes a confidential starting state — that your information is, by default, private, and that the task is to keep it that way.

That state doesn’t exist. It hasn’t existed since roughly 2013, when mass surveillance infrastructure, data broker industrialization, and the first wave of mega-breaches all converged. The fiction persists because it serves almost everyone except you: regulators produce law around it, SaaS vendors sell “compliance” tools against it, and most users would rather not look closely. Comfortable fictions outlast the facts that debunk them.

The practical consequence: organizations and individuals spend enormous energy hardening safes while the front door has been wide open for a decade. This article is about what honest security thinking looks like once you accept that.

Honest inventory of what’s already out there

Data brokers

Acxiom, Experian, LexisNexis, Equifax, Oracle Data Cloud, LiveRamp, Epsilon. These aren’t fringe operations — they are multibillion-dollar companies whose core product is detailed dossiers on individuals. Acxiom alone claims data on over 2.5 billion people globally. Their databases include name, address history, phone numbers, email addresses, age, household income estimates, property ownership, purchasing history, political affiliation, religious affiliation, health interest categories, and behavioral predictions derived from all of the above.

The psychographic layer is where it gets uncomfortable. Brokers don’t just hold facts — they hold inferences. Shadow credit scores used by landlords and employers who can’t legally use your official credit rating. Shadow insurance scores. Behavioral predictions about when you’re likely to make a large purchase, experience a life transition, or be emotionally vulnerable to certain types of marketing. You never consented to any of this, because it was never framed as a consent decision.

The acquisition channels are everywhere: loyalty cards (every swipe), web forms (every newsletter signup), apps (location, contact access, behavioral telemetry), opt-out-by-default data sharing clauses buried in terms of service, and opaque partner networks that resell data across dozens of intermediaries before it reaches its final buyer.

Leak databases

Have I Been Pwned indexes roughly 13 billion accounts across public breach disclosures. That number sounds alarming — and it is — but it represents only the publicly acknowledged, publicly available portion of the leaked universe. The darker layer is much larger.

DeHashed, Intelligence X, Snusbase, and Constella Intelligence go further: they index cleartext passwords from old dumps, historical credential pairs, leaked internal databases, and material from forums that have since been seized or gone dark. A credential pair from a 2016 gaming site breach might sit in Snusbase today, fully searchable by anyone with a $10/month subscription.

RaidForums and Breached rose and fell — both were seized by law enforcement. But the data they hosted didn’t disappear. Dumps survive in torrents, Telegram channels, private Discord servers, and dark web markets. Seizure kills the marketplace, not the inventory.

Landmark cases that give a sense of scale: Collection #1 in 2019 (773 million email addresses, 21 million cleartext passwords, assembled from thousands of smaller breaches). LinkedIn in 2021 (700 million profiles — nearly its entire userbase at the time, scraped and aggregated). Facebook in 2019 (533 million phone numbers, now trivially searchable). 23andMe in 2023 (genetic data and family relationship graphs for nearly 7 million people). The US Office of Personnel Management breach in 2015 (security clearance background check files — some of the most sensitive personal data the government holds — on 21 million federal employees and contractors).

Public registries

Companies House in the UK, SEC EDGAR in the US, OpenCorporates globally, OpenSanctions. If you’ve ever been a company director, filed a regulatory document, or appeared in a legal notice, your professional history is mapped in searchable, permanently archived public databases.

For executives specifically: Dun & Bradstreet builds commercial profiles. Property records are public in most jurisdictions. Historical regulatory filings don’t expire. A legal notice published in 2011 about a dissolved company you co-founded is still indexed, still findable, and still appears in search results a decade later.

Archives

The Wayback Machine holds over 860 billion web pages. Your personal website from 2008. Your LinkedIn profile from 2019 before you removed that job. Your company’s old “team” page that listed home cities. The terms of service that the platform has changed three times since you first accepted them.

archive.today captures pages on demand — including by third parties who want a permanent record of something you published and later deleted. There is no right to erasure over archive.today; it operates outside EU jurisdiction and processes no erasure requests.

Indexed social media

Sixteen years of public tweets. Your full LinkedIn career history, including companies that might signal a confidential project. Public Facebook posts enriched with EXIF geodata from photos. Friend list graphs that reveal your actual social network even if your profile is nominally “private.” Location metadata embedded in images posted years before you thought to disable geotagging.

Why you can’t take back control

The architecture of this problem makes unilateral control recovery essentially impossible. This isn’t defeatism — it’s the starting premise for an honest operational strategy.

Leaks don’t exist in one place. A breach gets copied, sold, resold, reformatted, merged with other datasets, and redistributed across dozens of jurisdictions before you’ve ever heard of it. You can file a GDPR erasure request against one operator and have zero legal recourse against the fifteen others who received a copy of the same data.

GDPR’s right to erasure (Article 17) is real but narrow. It applies to identified EU-jurisdiction operators, doesn’t cover legitimate public interest data, is subject to “manifestly excessive request” objections, and simply doesn’t reach databases operated outside the EU. The ICO processes complaints. They do not reach into Russian forums or US data brokers.

The Streisand effect is an active risk. Aggressively pursuing erasure from public sources often generates more coverage of the thing you’re trying to remove than the original exposure ever did. Journalists notice GDPR complaints. Deletion requests draw attention to the content’s existence.

Data has a longer commercial life than you expect. A 2019 breach dump will be packaged, sold, and re-used through 2030 and beyond. Old credentials get tested against new services constantly. The half-life of leaked data approaches zero only for things that have no ongoing commercial or adversarial value.

You cannot audit your own exposure completely. You don’t know who holds what. You can sample — which is what an exposure audit does — but you cannot enumerate every operator, every copy, every downstream recipient.

The strategic pivot

Compartmentation, not confidentiality

Instead of trying to protect everything under one identity, you separate your activities across distinct operational identities. A breach that compromises your professional email doesn’t expose your sensitive personal life. A data broker profile built on your shopping habits doesn’t connect to the address you use for a sensitive project.

The goal isn’t perfect anonymity — it’s blast radius limitation. One identity catches fire; the others don’t. See the Identity compartmentation article for the full operational model.

Rotation, not permanence

Your identifiers are perishable assets, not permanent infrastructure. A password is a secret with a roughly 3-month viable shelf life before rotation is warranted. An email address, once significantly exposed, should be rotated on roughly a 2-year cycle. A phone number tied to sensitive activity should be evaluated every 5 years.

This is operationally uncomfortable. Most people have emotional attachment to their phone number and primary email address. That attachment is a security liability. The correct mental model: identifiers are disposable tools, not part of your identity.

Resilience, not absolute prevention

You will be compromised at some point. This is not pessimism — it’s base-rate realism for anyone who has been online since 2010. The question isn’t whether, but when and how badly.

Prepare the response, not just the prevention. Who do you call if your primary email is taken over? How do you cut access to linked services? How do you notify contacts without using the compromised channel? How do you recover account access when the recovery email is also compromised? These questions have answers — but only if you’ve worked through them in advance.

Threat modeling from a leaked state

Run your exposure audit first (see that article). For each identified exposure, classify it honestly: critical (enables account takeover, identity theft, or physical risk), sensitive (professionally or personally damaging), public (already known, no further action needed), or benign (technically exposed but practically irrelevant).

For each critical exposure: decide on an action. Rotate (change the compromised identifier). Remove (if removal is actually achievable and worth the risk). Accept (with a prepared response plan for when it gets exploited). Do not leave critical exposures in a state of acknowledged-but-unaddressed limbo.
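As an added example (not code from SHIELD FR), here is a small Python triage script that applies the four-tier classification and the rotate/remove/accept decision described above, and uses the rotation cadence from the Rotation section to flag overdue rotations. The Exposure fields, the tier rules derived from them, and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Rotation cadence from the article: password ~3 months, email ~2 years, phone ~5 years.
ROTATION_CYCLE = {"password": timedelta(days=90), "email": timedelta(days=730), "phone": timedelta(days=1825)}

@dataclass
class Exposure:
    identifier: str                  # what leaked (constructed sample values below)
    kind: str                        # "password" | "email" | "phone" | "address" | "document"
    enables_takeover: bool = False   # usable for account takeover
    enables_id_theft: bool = False   # usable for identity theft
    physical_risk: bool = False      # reveals where you physically are
    damaging: bool = False           # professionally or personally damaging
    already_known: bool = False      # was public before this exposure
    decision: Optional[str] = None   # "rotate" | "remove" | "accept", or None if undecided
    last_rotated: Optional[date] = None

def classify(e: Exposure) -> str:  # the article's four tiers, most severe first
    if e.enables_takeover or e.enables_id_theft or e.physical_risk:
        return "critical"
    if e.damaging:
        return "sensitive"
    return "public" if e.already_known else "benign"

def rotation_due(e: Exposure) -> Optional[date]:  # None when no cadence or no rotation history
    cycle = ROTATION_CYCLE.get(e.kind)
    return None if cycle is None or e.last_rotated is None else e.last_rotated + cycle

def triage(exposures, today: Optional[date] = None):
    """Return (report rows, identifiers of critical exposures left without a decision)."""
    rows, limbo, today = [], [], today or date.today()
    for e in exposures:
        row = {"identifier": e.identifier, "tier": classify(e), "decision": e.decision}
        if row["tier"] == "critical":
            if e.decision not in ("rotate", "remove", "accept"):
                limbo.append(e.identifier)   # acknowledged-but-unaddressed: flag it
            if e.decision == "rotate":
                due = rotation_due(e)
                row["rotation_due"], row["overdue"] = due, (due is not None and due < today)
        rows.append(row)
    return rows, limbo

# Constructed inventory (not real data): one item per tier, plus a critical one still undecided.
SAMPLE = [
    Exposure("password reused from a 2016 gaming site", "password", enables_takeover=True, decision="rotate", last_rotated=date(2024, 1, 10)),
    Exposure("me@example.com", "email", enables_takeover=True),  # critical, no decision yet
    Exposure("home address in property register", "address", already_known=True),
    Exposure("salary figure in an old filing", "document", damaging=True, decision="accept"),
]
```

Running `triage(SAMPLE)` returns the undecided email address as the one exposure in limbo, and marks the password rotation as overdue because its 90-day cycle expired on 2024-04-09.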

Mistakes we see all the time

“I have a VPN, so I’m protected.” VPNs encrypt transit between your device and the VPN server. They do nothing about your identity’s historical exposure in breach databases, data broker profiles, or public registries. Transit confidentiality and identity confidentiality are entirely separate concerns.

“I have nothing to hide.” This conflates hiding with controlling. You don’t need a secret to have a legitimate interest in controlling who accesses your medical records, your home address, your salary history, or your social graph. Control matters regardless of content sensitivity.

“I changed my passwords.” Password rotation addresses one specific attack vector: credential stuffing. It doesn’t change your email address’s presence in breach databases, your phone number’s presence in data broker profiles, or your home address’s presence in property records.

“I don’t use Facebook.” You’re not exposed only through your own accounts. Your employer’s old website listed your name and city. Your building management company uses a data broker to screen residents. You appear in a Companies House filing. A colleague tagged you in a conference photo. Exposure is a network property, not an individual one.

Who this matters to

Everyone, but with meaningfully different criticality thresholds.

Especially: executives whose personal information overlaps with professional decisions, journalists whose sources depend on their operational security, lawyers whose client confidentiality is linked to their own personal exposure, dissidents and activists, people with significant assets, and anyone involved in ongoing disputes — professional, legal, or personal.

Critical cases: anyone involved in M&A activity (where adversarial OSINT is standard due diligence practice on the other side), active criminal or civil proceedings, contested divorces, regulatory investigations, or significant media coverage.

  • N1 Run your personal exposure audit: HIBP, DeHashed, and targeted Google dorks on your own name, email addresses, and phone numbers
  • N2 List every email address and phone number you've used in the last 10 years
  • N2 Plan rotation cycles for your most-exposed identifiers
  • N2 Map your current identities by use context: personal, professional, sensitive
  • N2 Identify your 3 most critical exposures and assign each a decision: rotate, remove, or accept with a response plan
  • N3 Write a personal incident plan — one page — covering account takeover, identity theft, and physical exposure scenarios
