Every LinkedIn update, every "first day at a new job!" announcement is data. And while you're sharing your exciting life milestones, cybercriminals are taking notes.
That's what we unpacked in the second episode of _declassified, where Truman Kain, Principal Product Researcher at Huntress, and cybersecurity educator Caitlin Sarian (aka Cybersecurity Girl) walked through exactly how attackers turn your public information into a playbook against you.
Attackers don't need the dark web to build a dossier
There's a common misconception that attackers need to venture into dark layers of the internet to find useful information about their targets. We’re putting that to rest, and here’s why.
An attacker can pull together a detailed picture of someone using tools most people use (or can easily access) every day: LinkedIn, corporate directories, and breach data sites that live on the open internet. Search for an email address on a site like DeHashed, click through a few records, and within minutes, you might be looking at usernames, old passwords, and even a Social Security number.
The information just needs to be convincing enough to get someone on the phone or to make a phishing email feel believable. A targeted phishing attempt against Jai Minton, Senior Manager of Detection Engineering and Threat Hunting at Huntress, landed in both his work and personal inboxes within two minutes of each other. The attacker had pieced together his corporate email format and found a personal email tied to a previous breach. Dark web searches weren't required.
The blurred line between work and home
Attackers use the overlap between your personal and professional digital details against you.
Reused passwords and personal devices used for work sit right in the gray zone where most successful attacks begin. Attackers don’t care where they get in. They just want that initial access point to move on with their attack.
A "first day at a new job" post on LinkedIn is a good example of how quickly this can go wrong. That single update gives an attacker your employer, your role, your connections, and the knowledge that you're brand new and probably not yet familiar with internal security processes. That makes you a high-value, low-friction target.
The same logic applies to other posts that feel like fun, harmless life updates. But in reality, a boarding pass photo reveals flight details, a vacation post tells the world your home is empty, and a picture of an office desk reveals a schedule and workspace. Every post is another data point in the attacker’s dossier.
Real attacks, real playbooks
In one real-world case shared during the episode, a Huntress job applicant named "Andrew" turned out to be a catfish using someone else's LinkedIn photo. The interviewer caught it, but the point landed hard: attackers are using public data to steal identities and apply for jobs, potentially gaining access to corporate systems in the process.
High-profile cases show how far this can go. A developer was targeted through a fake Slack workspace, a scheduled meeting, and a prompt to install software that turned out to be a backdoor. The dossier was fully built before the first message was ever sent.
Families aren't off the hook either. The ShinyHunters breach of Instructure, the company behind Canvas, exposed data from over 3,000 schools and millions of students. That breach immediately became fuel for hyper-targeted phishing, because attackers now knew which students were enrolled in which classes and could craft emails that seemed impossible to fake.
Your voice is public data, too
Most people think about open-source intelligence (OSINT) in terms of the photos or words they post. But what they say out loud is fair game too. A convincing deepfake voice can be generated in minutes from only a few minutes of publicly available audio. Attackers are already using this tactic to impersonate targets over the phone and manipulate the people closest to them into handing over money or access.
Think like an attacker
The most actionable shift anyone can make is a simple one: ask yourself whether an attacker could use what you're about to share. "Put your hacker hat on," as Caitlin puts it. Think through what types of information you’re sharing before you hit post.
That's also the idea behind the Huntress OSINT Simulator. This interactive security awareness training simulation puts you in the attacker's seat, using open-source intelligence to build a target profile followed by an attempted social engineering attack over the phone. It's a safe, hands-on way for you and your team to kick the tires on how quickly public information becomes attack fuel.
Tips that actually hold up
Treat security questions like passwords. A random app doesn't need to know your real information. Bend the truth when you get security questions like "what elementary school did you attend?" or "what city were you born in?" Spin up fake answers and store them in a password manager.
Freeze your kids' credit. Kids’ identities can be stolen and used for years before anyone notices. It takes minutes to freeze and can prevent a much bigger headache down the road.
Create a family safe word. Voice cloning is accessible and fast. A convincing deepfake voice can be generated in about five minutes using only publicly available audio. A safe word is one of the few defenses that actually works against it.
Google yourself. Search your name and username in quotes to see what's publicly indexed, including comments on public posts you may have forgotten about.
Understanding what attackers see in the information you post is the first step to giving them less to work with.