Page 212 - Cyber Defense eMagazine RSAC Special Edition 2025

practice, very few users do this yet (only ~0.03% of breached accounts contained a custom alias, according to one analysis), but it’s a highly effective shield.

• Employ Secondary Phone Numbers: Just as you might use multiple emails, consider getting a secondary phone number for less critical uses. This could be a prepaid SIM, a VoIP number, or a number provided through an app or privacy service. Use your primary personal number only for things that truly need it (family, secure accounts, work), and give out a secondary number for everything else (online forms, app signups, etc.). This way, if that secondary number gets spammed, leaked, or compromised, your main phone remains unaffected. Keeping your primary number private is a strong deterrent to mass scraping or random attacks.

• Limit Discoverability: Review privacy settings on social networks and other platforms. Turn off the option that lets people find you by your email or phone number, if available. This simple step prevents casual lookup of your accounts by unknown parties. For instance, ensuring the “let others find me by phone/email” setting is off on platforms like Facebook, Twitter, and others puts a roadblock in the way of opportunistic data harvesters. While it won’t stop a determined hacker using stolen data, it will stop your neighbor or a stranger with your number from easily pulling up your profile.

• Practice Data Minimization: The less you share each identifier, the safer it is. Avoid posting your email or phone in public forums or social media bios. Be cautious when asked for personal contact info—provide it only when necessary and to trusted parties. If a website or app demands a phone number and you’re not comfortable, see if you can opt out or use an alternative (like an email or an alias number). Every time you withhold your primary identifiers from yet another database, you shrink the attack surface. As one industry saying goes, what isn’t collected can’t be leaked.

• Enhance Account Security: Since some sharing of identifiers is unavoidable, mitigate the impact of a leak by securing the accounts themselves. Use strong, unique passwords for each account (a password manager can help) so that even if your email is known, an attacker can’t guess their way into your accounts. Enable two-factor authentication (2FA) wherever possible — and opt for app-based or hardware 2FA over SMS-based 2FA when you can (to reduce reliance on your phone number for security). This ensures that knowing your email or number isn’t enough to breach an account. Also, monitor your accounts for unusual activity and consider using breach notification services (like haveibeenpwned) to get alerts if your email or phone appears in a new data dump.

On a broader level, companies and service providers are starting to acknowledge this problem. Some are implementing features like “Sign in with Apple” or other federated identity systems that hide your email from third-party services by using an email relay. Others offer one-time codes or app-based verification in lieu of always using your phone number. As users, showing that we value these privacy-respecting options (by using them when available) sends a clear message to the industry.

Lastly, if you suspect that one of your identifiers has been exposed or is being misused, take action quickly: change associated passwords, consider retiring that email address or number if feasible, and notify your contacts or relevant institutions if needed. Early containment can prevent an initial exposure from snowballing further.







