Reality of exposure
The exposure audit: what you find about yourself in 2 hours
Step-by-step method to map your real exposure. Leak DBs, public registries, honest OSINT. The personal exposure table.
This version was translated with AI assistance and reviewed by a human.
The first time a client runs this audit on themselves, it takes two hours. The second time, it takes two days — because they’re starting to know where to look.
The common trap
“I checked HIBP, I’m clean.” I hear this regularly. It means nothing useful.
Have I Been Pwned indexes publicly disclosed breaches — the ones that were announced, covered in the press, or submitted by researchers. It does not index private market data. It does not index what’s circulating in closed Telegram channels. It does not reflect what brokers have assembled from a hundred opt-out-by-default data sharing agreements you clicked through over the past decade.
HIBP returning zero results doesn’t mean you have no exposure problem. It means you have no documented exposure in the public subset of a much larger leak universe. That’s a meaningful distinction, not a technicality.
The second common mistake: treating an exposure audit as a one-time event. Your exposure surface changes continuously — new breaches, new broker acquisitions, new public filings. An audit done in 2023 tells you what was visible in 2023.
Preparing the audit
Before you start searching, spend 20 minutes building your input list. The quality of what you find is directly proportional to how complete your starting inventory is.
List everything:
- Every email address you’ve ever used regularly. Work addresses from former employers count. The Hotmail address from 2004 especially counts.
- Every phone number you’ve had, including old SIMs you’ve let lapse.
- Every username or pseudonym you’ve used online — forums, gaming accounts, old social profiles.
- Your full name and any variants (maiden name, shortened forms, middle name combinations).
- Current and former physical addresses.
- Any business names you’re associated with as a director or owner.
Use an isolated browser session for this work — private window, or better, a dedicated browser profile with no saved sessions. You don’t want your personal OSINT queries mixing with your normal browsing profile or being logged to an account.
Take notes in a simple spreadsheet. You’ll use this as your source list throughout the audit.
Layer 1 — Leak databases
Start with the tools that index breach data directly.
Have I Been Pwned (free): run every email address from your list. Note not just whether it appears, but which breaches it appears in and what data types were exposed. A 2016 gaming site breach exposing only a username is very different from a 2022 breach exposing your email with a cleartext password.
DeHashed (paid, ~$20/month, cancel after your audit): broader coverage than HIBP, indexes cleartext and hashed passwords, usernames, IP addresses, and phone numbers. Run email addresses, phone numbers, and usernames. Export the results.
Intelligence X (free tier available): searches across breach data, dark web content, public document leaks, and paste sites. Run your name, email addresses, and phone numbers.
Snusbase (paid): focuses on credential pairs. Useful for confirming whether old passwords from known breaches are still circulating in usable form.
Constella Intelligence: enterprise-grade, but offers individual plans. Better coverage of non-English breach sources and corporate credential leaks.
Layer 2 — Google dorks
Structured Google queries that surface indexed content you wouldn’t find with a plain name search.
Useful operators:
- "firstname lastname" site:linkedin.com — confirms what LinkedIn exposes publicly
- "your@email.com" in quotes — finds pages that explicitly display your email
- "your phone number", with and without country code
- "firstname lastname" filetype:pdf — CVs, conference rosters, court documents
- "firstname lastname" site:companies-house.gov.uk — UK corporate filings
- "firstname lastname" inurl:forum OR inurl:board — old forum participation
- site:web.archive.org "firstname lastname" — Wayback Machine indexed content
Work through your full name, all email addresses, all phone numbers, and all pseudonyms. Log every result that returns non-trivial information. You’re building a map, not making a judgment yet about what to do.
Layer 3 — Reverse image search
If you have a professional headshot or any publicly used photo, run it through reverse image search. This surfaces:
- Sites that have republished your photo without your knowledge
- Old profiles or accounts you’d forgotten about that still display it
- News coverage or conference listings that have indexed you
Use Yandex (best coverage for non-English sources), TinEye (specializes in exact image matching), and Google Images. They return different results — run all three.
Layer 4 — Public registries
This layer is underestimated by almost everyone. Your professional history is permanently archived in ways you can’t control.
Companies House (UK): search your full name. Every directorship, past or current, is indexed and publicly accessible. Historical filings include your registered address at the time of appointment.
SEC EDGAR (US): if you’ve been involved in any SEC-registered entity, your name may appear in filings.
OpenCorporates: aggregates company data from over 140 jurisdictions. Run your name and any company names you’ve been associated with.
OpenSanctions: indexes sanctions lists, PEP lists, and related databases globally. Relevant if you’re doing due diligence on yourself before someone else does.
The Wayback Machine: search site:youroldwebsite.com and browse snapshots of your own digital presence over time. Also search for old employer pages, conference pages, and anywhere you’ve been listed by name. Pay particular attention to content you thought you’d removed — deletions are often not archived, but the archived version predating the deletion persists.
Property records: publicly available in most UK and US jurisdictions. Your current and historical home addresses may be indexed.
Electoral roll: in the UK, the open electoral register is sold to commercial data brokers. As a result, your name and registered voting address are likely to appear in multiple commercial databases.
Layer 5 — Consolidation tools
If you want to go deeper, or if you’re doing this audit for a professional context:
SpiderFoot (open source): automates OSINT queries across dozens of sources. Run against email addresses and names. Takes time but surfaces connections you’d miss manually.
Maltego Community Edition (free): visualizes relationships between data points. Useful when you have a lot of findings and need to see how they connect.
Recon-ng and theHarvester: command-line tools used by penetration testers for email and domain enumeration. Useful if you’re technically comfortable.
mosint: focused on email address OSINT — verifies accounts across services, searches breach data, and checks social media presence for a given address.
Building the personal exposure table
Don’t just collect findings — organize them. Create a table with six columns:
| Identifier | Type | Source | Approximate date | Criticality | Action |
|---|---|---|---|---|---|
| your@email.com | email + password | DeHashed / Breach X | 2019 | Critical | Rotate, check linked accounts |
| +44 7700 000000 | phone number | Data broker, electoral roll | Unknown | Sensitive | Accept / note for monitoring |
| firstname.lastname | username | Forum archive (Wayback) | 2012 | Benign | Accept |
Criticality levels:
- Critical: enables account takeover, identity theft, or physical risk (address + routine + schedule)
- Sensitive: professionally or personally damaging if surfaced in the wrong context
- Public: already known, indexed, no harm in current state
- Benign: technically exposed but practically irrelevant
For each critical finding, you need a decision before this audit closes. Not “think about it later.” A decision: rotate this identifier, pursue removal, or accept it with a documented response plan.
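As an added example (not code from the article), here is a small Python helper that turns HIBP-style breach records for one address into rows of the exposure table above, rating each breach by the data types it exposed (the Layer 1 point about a username-only breach versus an email-plus-password one) and flagging Critical rows that still lack a decision. It assumes the shape of the HIBP v3 breachedaccount response with truncateResponse=false (a Name, BreachDate and DataClasses list per breach); the sample records are constructed.

```python
from dataclasses import dataclass

# Breach data classes mapped onto the article's criticality levels: Critical enables
# account takeover or identity theft, Sensitive is damaging in the wrong context.
# Username- or email-only exposure is Benign; "Public" is left to human judgement.
CRITICAL = {"Passwords", "Auth tokens", "Security questions and answers", "Credit cards"}
SENSITIVE = {"Physical addresses", "Phone numbers", "Dates of birth", "IP addresses"}

# Constructed sample, shaped like the HIBP v3 breachedaccount response with
# truncateResponse=false (an assumption about the API; these are not real breaches).
SAMPLE_HIBP = [
    {"Name": "ExampleForum", "BreachDate": "2012-03-01", "DataClasses": ["Email addresses", "Usernames"]},
    {"Name": "ExampleShop", "BreachDate": "2019-07-14",
     "DataClasses": ["Email addresses", "Passwords", "Physical addresses"]},
]

@dataclass
class Finding:            # one row of the personal exposure table
    identifier: str
    type: str
    source: str
    approx_date: str
    criticality: str
    action: str = ""      # empty until a decision is recorded

def rate(data_classes) -> str:
    # Rate a breach by the most severe data type it exposed.
    classes = set(data_classes)
    if classes & CRITICAL:
        return "Critical"
    if classes & SENSITIVE:
        return "Sensitive"
    return "Benign"

def findings_from_hibp(account, breaches):
    """One row per breach; 'type' records which data types leaked alongside the email."""
    return [Finding(account,
                    "email + " + ", ".join(c.lower() for c in b["DataClasses"] if c != "Email addresses"),
                    "HIBP / " + b["Name"], b["BreachDate"][:4], rate(b["DataClasses"]))
            for b in breaches]

def open_decisions(findings):
    """Critical rows with no action: the audit cannot close while this list is non-empty."""
    return [f for f in findings if f.criticality == "Critical" and not f.action]

def to_markdown(findings) -> str:
    # Render the article's six-column table.
    lines = ["| Identifier | Type | Source | Approximate date | Criticality | Action |",
             "|---|---|---|---|---|---|"]
    lines += [f"| {f.identifier} | {f.type} | {f.source} | {f.approx_date} | {f.criticality} | {f.action} |"
              for f in findings]
    return "\n".join(lines)
```

Run it over the real API output for every address on your input list, then fill in the Action column until open_decisions() returns nothing.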
Common mistakes
Single audit, done forever. Your exposure surface changes continuously. New breaches happen. Brokers acquire new data. Set a calendar reminder for a repeat audit in 6 months.
Checking only your current email. The email address you stopped using in 2017 is still in breach databases and still linked to accounts you may have forgotten about. Old addresses are often more exposed than current ones, precisely because security hygiene around them has lapsed.
Forgetting aliases and pseudonyms. A forum username you used for years, even without connecting it to your real name, may have been cross-referenced with other data. Run every alias.
Skipping public registries. People focus on breach data and forget that Companies House, property records, and old conference listings are often more revealing than any breach dump.
Not keeping a record. An audit you don’t document is an audit you’ll repeat from scratch. Your findings table is an asset — maintain it.
- N1 List all email addresses you've used in the last 10 years, including old work addresses
- N1 Check every email address on Have I Been Pwned
- N2 Subscribe to DeHashed for one month and run all emails, phone numbers, and usernames
- N2 Run targeted Google dorks for your name, email addresses, and phone numbers
- N2 Reverse image search your professional photo on Yandex, TinEye, and Google Images
- N2 Search your name on Companies House, OpenCorporates, and SEC EDGAR
- N2 Audit your historical presence on the Wayback Machine
- N3 Build your personal exposure table with criticality ratings and action decisions for each finding
- N3 Schedule the next iteration of this audit in 6 months
Sources and further reading
- Have I Been Pwned [official]
- OSINT Framework [official]
- Bellingcat — Online Investigation Toolkit [official]
- Maltego Community Edition [official]