Page 211 - Cyber Defense eMagazine RSAC Special Edition 2025
• Credential Stuffing and Account Takeovers: If an email address is found in a breach, often
accompanying it are hashed or even plaintext passwords used on one site. Attackers will try those
email/password pairs elsewhere. Even if the passwords are different, knowing your primary email gives
them a username to target. Many people reuse passwords or slight variations, making the attacker’s job
easier. And if they get into one account, they will quickly check your email or profile info for clues to
access others, snowballing their access. When threat actors seize one account, they often pivot to more
valuable accounts via notifications or contacts found inside.
• Social Engineering and Impersonation: With bits of your personal data pieced together
(from profiles, signatures in email leaks, etc.), attackers can impersonate you or someone you know.
They might call your mobile provider pretending to be you (armed with your name, number, maybe
address) and convince them to issue a new SIM card (a SIM swap), hijacking your phone number to
intercept verification codes. Or they could impersonate a service rep to you, citing some info as
“verification.” The more connected data points they have, the more credible they seem. This is how a
single clue can bypass security questions or trick support desks into resetting credentials.
• Privacy Erosion and Doxxing: Beyond immediate financial harm, there is a personal
privacy impact. A determined individual could use one identifier to doxx someone—aggregating public
and private info to expose their identity or location. We’ve seen cases where something as simple as a
leaked phone number of a journalist or activist led to their entire online history being dug up and
publicized. The psychological toll and safety risk can be severe, especially for those who assumed their
various online personas were separate or anonymous until the dots got connected.
It is clear that interlinked digital identities have broadened the attack surface. Security professionals note
that users often reuse and recycle personal information across sites, which attackers count on. Even
years-old leaked data can be re-purposed in new attacks; nothing truly “expires” once it’s public. This is
why protecting secondary identifiers is now as crucial as protecting passwords. They are the weakest
link in many cases. As one security researcher wryly observed, an email address today is like an index
to a person’s entire digital file cabinet. If you wouldn’t hand a stranger your entire file cabinet, you should
be just as wary about that one email or number that unlocks it.
Mitigations: Masking and Managing Your Digital Footprint
The good news is that both individuals and organizations can take steps to break the chain and protect
these critical identifiers. A growing movement in cybersecurity and privacy circles advocates for masking
or aliasing our digital identifiers to limit exposure. Here are some strategies and best practices to consider:
• Use Multiple Email Addresses or Aliases: Don’t use one email address for everything.
Instead, segregate your identity by purpose (e.g. one email for banking and important accounts, another
for social media, another for online shopping). This way, a breach of one won’t automatically link to all
your other services. You can also use email aliases or forwarding addresses – unique addresses that all
deliver to your main inbox. For example, creating an address just for a specific service (like
[email protected]) can help contain and identify exposure. Privacy experts note
that relying on different addresses greatly limits how much of your profile a single leak can expose. In