Personal Security After Data Breaches

Yep. I have changed and compartmentalized phone numbers and (lots of new) email addresses, and my physical address, fortunately. Maybe I should finally just change my name: “Amarok Smith” has a nice ring to it…


If you are serious about it, then I highly suggest that you do so when you have ample time, as renewing every identification document and public credentials is time-consuming. It is also a great opportunity to reflect upon these dependencies and whether or not they should continue to exist after your name transition.

1 Like

Going off-grid, so to speak, would make for an interesting discussion. You should start a thread.

1 Like

Maybe, but I already have “off-grid” practices and objectives in my life, so I do not need to create a thread for it. If the thread is created by someone else, I will contribute practical suggestions no differently than this one.

FWIW, I’m working (albeit slowly) on a data retention policy for Purism and will consider publishing it once it is more mature (and I verify legal data retention requirements). In general, the current operating policy is that customer data is retained for the shortest amount of time possible that still allows for product warranties (i.e. if we don’t store your info, we don’t have a method to know who you are or RMA your equipment) and follows legal requirements (i.e. tax returns, etc etc). As Purism ships products globally, legal requirements get a bit messy since different countries have different legal requirements regarding data retention, invoice information accountability, and taxes.

1 Like

I wonder if data breachers are in league with security companies so they can offer the “2-years free” sales pitch?

I’ve never accepted any of these offers for credit monitoring after all the data breaches I’ve been caught up in, because I felt that it was kind of unhelpful, especially after data theft by foreign state actors (as opposed to run-of-the-mill criminals), and that the cure might be worse than the disease (propagating my private information here, there, and everywhere in order to “protect” it).

And, too, I get real-time credit alerts from my credit card issuers anyway.

Now, though, with data theft occurring ever more frequently, everywhere, I think I might as well start accepting every offer of monitoring that comes along, and have active “protection” in perpetuity. At the very least, it racks up costs for the entities that failed to provide adequate safeguards for my data.

The government here is certainly doing nothing meaningful for consumer protection, as far as fines and penalties.


Your personal security is your responsibility, not the government or other third-party entities. It is up to you to assess whether or not trusting you or them will solve your own issues; I am firmly of the former stance.

Just change the caption on this old pic, "My data has been stolen and NSA won’t arrest the culprits."


(Warning: I’ve used this pic before.)

1 Like

I recommend The Ransomware Hunting Team by Renee Dudley and Daniel Golden to learn of the codependency of data breachers, insurance companies, and commercial ransomware mitigation “services” and how some government agencies in some countries ignored the problem when it was still small enough to do something about precisely because it was “too small”. (And the story of a small international band of ransomware crackers and police in a smallish European country successfully partially mitigated attacks.) The Ransomware Hunting Team - Wikipedia


The companies sometimes used info actually from the amateurs to break the encryption of ransomware victims but mostly acted as “negotiators” fir “reduced” ransoms. Usually the negotiated ransom was less than the cost of recovering from backup so insurance companies would pay up.

1 Like

This looks interesting:

  • Free to use.
  • Source code hosted on GitHub; buildable yourself, if desired.
  • Works internationally.
  • Completely automated.
  • Sends formulaic deletion request to brokers, with your name and address (only), plus your provided email address (for direct responses from the data brokers).
  • Repeatable every 45 days.
  • Only your email address is stored at Visible once it has been hashed (SHA256), and is deleted after 45 days; name & address is only used to generate the one-time deletion request emails.

I’m testing it.

EDIT: Already getting confirmations of data deletions or “data not found” replies from the brokers.


You should also inspect the other side of the coin.

1 Like

The California DELETE Act is now law! It will be a while before the actual opt-out “button” is available to California consumers, though.

This article contains the timeline:


10 Minutes of Delete:

Just needs an army of Cybermen to go through Big Tech … DELETE DELETE DELETE DELETE …


Security researcher Brian Krebs (KrebsOnSecurity[.]com) has been writing a series of articles on data brokers and data deletion services, and the sometimes suspicious entities behind them.

For instance, the personal data deletion service OneRep[.]com is headquartered in Belarus and Cyprus, not in the state of Virginia, U.S.A., and its founder also launched multiple people-search companies himself.

This article exposes the PRC company ( Shenzhen Duiyun Technology Co.) behind several U.S.-focused people-search sites, apparently created for affiliate revenue purposes, as they redirect to other major, “legitimate” search sites such as Spokeo.

Krebs’ report on Radaris reveals apparent links to:

…multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.


That’s wild


Response to Krebs’ report, from OneRep, plus Mozilla drops OneRep integration into Firefox: Mozilla Drops Onerep After CEO Admits to Running People-Search Networks – Krebs on Security


7 posts were split to a new topic: Firefox search by default

You’ve set a different search engine… Right? :wink:

1 Like