Page 209 - Cyber Defense eMagazine RSAC Special Edition 2025
Secondary Identifiers: The Overlooked Keys to Your Digital Identity
Modern online services commonly use email addresses and phone numbers as unique identifiers for user
accounts. They function as convenient usernames or verification tools—but this convenience comes at
a cost. Because people tend to reuse the same email and phone number across many platforms, these
identifiers become an interlinking thread tying all their accounts together. In fact, the average internet
user today has roughly 240 online accounts that require a password, yet often only a couple of email
addresses (or just one) to manage them. This means one email inbox is the gateway to hundreds of
services. If that email or a linked phone number is exposed, it essentially provides half the puzzle to an
attacker for every other account (it reveals the username for those accounts).
Phone numbers play a similar role. Many apps and platforms request your phone number for account
creation, two-factor authentication, or social connectivity. Over time, your primary number may be
associated with banking apps, messaging services, social networks, and more. It’s an open secret that
phone numbers are widely used as a lookup key: if someone knows your number, they can often find
your profile on social media or messaging apps (unless you’ve adjusted privacy settings). By default,
some platforms even allow this kind of discoverability. For example, until recently, services like Twitter
let anyone find an account by phone or email by default (except in jurisdictions like the EU that require
opt-in). The result is that a single phone number or email address can unlock access to a wealth of
information about an individual.
Fact: Investigators and malicious actors alike use OSINT (Open Source Intelligence) tools to leverage
these secondary identifiers. A phone number can serve as a gateway to an individual’s online activities,
revealing linked social media profiles, associated usernames, and even data breaches tied to that
number.
Most users underestimate how much of their digital footprint is tied to just one or two identifiers. A recent
security analysis found that only about 0.03% of breached accounts in circulation used any form of email
alias – indicating that almost everyone relies on the same real email for multiple services. Likewise, few
people use secondary or “burner” phone numbers for everyday accounts. This consolidation means our
secondary identifiers have effectively become master keys to our digital identities.
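
An added example, not from the original article: a short Python audit of your own account inventory that reports which email addresses and phone numbers are shared across services and what share of accounts use an alias. The CSV columns, the sample rows, and the `ALIAS_DOMAINS` set are constructed assumptions; "alias" here means a plus-tagged address or one on a masking domain you list.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a password-manager style export (hypothetical columns).
SAMPLE_EXPORT = """service,email,phone
bank.example,alex@example.com,+15550100
social.example,alex@example.com,+15550100
shop.example,Alex@Example.com,
chat.example,alex@example.com,+1 555 0100
forum.example,alex+forum@example.com,
news.example,forum-7f3a@alias.example,
"""
# Assumption: domains of the email-masking services you use.
ALIAS_DOMAINS = {"alias.example"}

def norm_phone(num):
    # Keep digits only so "+1 555 0100" and "+15550100" compare equal.
    return "".join(ch for ch in num if ch.isdigit())

def is_alias(email):
    # Plus-tagged local part, or an address on a listed masking domain.
    local, _, domain = email.partition("@")
    return "+" in local or domain in ALIAS_DOMAINS

def audit(export_text):
    """Return identifiers shared by 2+ services and the share of accounts on an alias."""
    by_id = defaultdict(set)
    total = aliased = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        total += 1
        email = (row["email"] or "").strip().lower()
        phone = norm_phone(row["phone"] or "")
        if email:
            by_id[("email", email)].add(row["service"])
            aliased += is_alias(email)
        if phone:
            by_id[("phone", phone)].add(row["service"])
    # An identifier reused across services links those accounts together.
    shared = {k: sorted(v) for k, v in by_id.items() if len(v) > 1}
    return shared, (aliased / total if total else 0.0)

if __name__ == "__main__":
    shared, alias_share = audit(SAMPLE_EXPORT)
    for (kind, value), services in sorted(shared.items(), key=lambda kv: -len(kv[1])):
        print(f"{kind} {value}: {len(services)} accounts -> {', '.join(services)}")
    print(f"accounts using an alias: {alias_share:.0%}")
```

Run it against an export of your own accounts; the identifiers with the longest service lists are the ones whose exposure links the most accounts.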
One Exposed Identifier Can Unravel the Whole Web
It only takes one exposed node in the network of your digital identity for a determined party to start pulling
on the thread. If a hacker, scammer, or even a curious researcher learns just one of your identifiers (say
your primary email or cell number), they can begin mapping out your entire online presence. This chain
reaction often unfolds in a few ways:
• Data Breaches & Leaks: If your email or phone number appears in a data breach, it often
comes bundled with other personal info. The 2021 leak of 533 million Facebook users’ data is a prime
example: attackers exploited a flaw and scraped phone numbers linked to profiles, exposing names,
locations, and more. Similarly, an API vulnerability in Twitter allowed malicious actors to submit an email
or phone number and learn the associated account name, affecting 5.4 million users. In both cases, a
single piece of contact info became the index to a larger profile.