Nobody hacked you. Nobody followed you. Nobody had to.
Your digital profile — name, address, phone number, employer, relatives, financial indicators, and in many cases passport number or medical history — was assembled quietly, automatically, from fragments you left in a hundred different places over a decade or more. It exists right now. Anyone with an internet connection and twenty minutes can access most of it for free. The implications for executives and public figures are covered in our Executive Digital Privacy hub.
Major data breaches do not create your profile. They complete it. The Ashley Madison hack. The AT&T leak. The Change Healthcare breach. The Marriott intrusion. The Odido dump. Each one adds a layer that was previously harder to reach, and that layer never disappears once it is out.
This article maps exactly what that profile contains, where each piece comes from, and what becomes possible when the layers are combined.
What Comes Up When Someone Googles You?
Most people have searched their own name at some point. They see a LinkedIn profile, maybe an old social media account, perhaps a mention in a local article. They think: that is not much. They close the tab.
That reaction misses most of what is actually there.
What appears in a basic Google search is only the indexed surface layer. Beneath it sit data broker profiles that search engines do not fully index, breach databases that require direct lookups, image search results that cross-reference your face across platforms, and archived versions of pages you deleted years ago. None of this shows up on page one of a self-search. All of it is accessible to anyone who knows where to look.
The gap between what I see when I google myself and what strangers researching me can actually find is where the real exposure lives. This article maps that gap — layer by layer, source by source.
Layer 1: The Open Web
The first layer costs nothing and requires no special tools. It is what any person — strangers, potential employers, journalists, stalkers, fraudster — finds by typing your name into a search engine.
Social media history
People think of their current profile. They forget:
- Posts from 2011–2018 when privacy settings were looser or ignored entirely
- Photos with embedded location metadata or visible geotag
- Check-ins at gyms, restaurants, workplaces, and holiday destinations
- Tagged photos posted by others — which you cannot always remove
- Comments on public pages, news articles, and community groups
- Bio fields listing employer, city, relationship status, and phone number
- Old usernames that cross-link to forum accounts, gaming profiles, and early blogs
Facebook's default privacy settings changed multiple times since 2004. Posts you made when the default was 'public' remain public unless manually restricted. Most people have never done that audit.
LinkedIn and professional data
LinkedIn is one of the richest freely accessible personal databases in existence. A standard profile contains: full name, employer, job title, work history spanning years, educational institutions, approximate age from graduation dates, city of residence, and often a photograph. People publish this deliberately — but rarely think of it as exposure.
Forum posts, old websites, and cached content
The internet has a long memory. Archive.org preserves websites. Google's cache holds deleted pages. Forum posts from old accounts often contain real names, email addresses, and personal details shared in a context long forgotten. A username used on a gaming forum in 2010 may link directly to a current email address, a Reddit account, and a real name.
Reverse image search
Tools like Google Images, TinEye, and PimEyes can identify a person from a single photograph and return every other context where that image or face appears online. A LinkedIn profile photo can be matched to a dating profile, an old forum avatar, and a news article from a local paper. This takes under two minutes.
Layer 2: Data Brokers
Data brokers compile, aggregate, and sell personal information without your knowledge or consent. They pull from public records — property registries, voter rolls, court filings, business registrations — and combine them with data purchased from loyalty programmes, retail chains, and apps.
A typical data broker profile contains:
| Data Type | Source |
|---|---|
| Full name and aliases | Public records, electoral roll |
| Current and previous addresses | Property registry, utility records |
| Phone numbers (mobile and landline) | Telecom records, form submissions |
| Email addresses | App registrations, loyalty schemes |
| Relatives and household members | Address co-habitation matching |
| Employer and job title | LinkedIn scrape, company filings |
| Date of birth | Public records |
| Property ownership and value | Land registry |
| Vehicle registration | DMV / DVLA / RDW equivalent |
| Purchase behaviour and income band | Retail data, credit referencing |
Major operators including Acxiom, LexisNexis, Spokeo, Whitepages, and BeenVerified hold profiles on hundreds of millions of people across the US, UK, Europe, and Australia. Most people have never heard of these companies. A profile exists regardless.
Layer 3: Breach Data
Every major data breach adds a new category to what is already freely available. Once published, that data never fully disappears. It circulates across breach forums, gets bundled into credential databases, and is indexed by tools like Have I Been Pwned. These are not edge cases — they are some of the most significant data events of the past decade.
Ashley Madison (2015)
The Impact Team hacked the extramarital affairs platform and published 36 million account records including names, email addresses, home addresses, physical descriptions, and sexual preferences. The fallout was immediate and severe: documented blackmail campaigns targeting individuals by name, professional careers ended by public exposure, and multiple suicides linked to the publication of personal data. The lesson was not about infidelity — it was about what becomes possible when intimate personal data reaches people with the intent to cause harm. That data is still searchable today.
AT&T Data Breach (2024)
AT&T confirmed that records for approximately 73 million customers were leaked, including full names, email addresses, home addresses, phone numbers, dates of birth, and Social Security numbers. A separate incident exposed call and text metadata for nearly all AT&T customers — a record of who called whom, and when, for a period of six months. Combined, these two breaches hand an attacker the identity verification data needed to pass most US carrier security checks and the social graph needed to make impersonation convincing.
Change Healthcare (2024)
The ransomware attack on Change Healthcare — a healthcare payment processor handling one in three US patient records — exposed data on an estimated 100 million Americans. The leaked information included names, Social Security numbers, dates of birth, home addresses, health insurance IDs, diagnoses, prescription details, and treatment histories. Medical identity fraud — using stolen health credentials to bill insurers or obtain prescriptions — is among the hardest forms of identity fraud to detect, because victims often do not discover it until they receive a medical bill for a procedure they never had or are denied coverage due to a fraudulent prior claim.
Marriott International (2014–2018)
Marriott disclosed in 2018 that an intrusion into its Starwood reservation system — which had gone undetected for four years — exposed records for up to 500 million guests. The data included names, addresses, phone numbers, email addresses, dates of birth, passport numbers, and travel history. For intelligence services and targeted threat actors, travel history combined with passport numbers and home addresses is exceptionally valuable. For criminals, it creates a precise targeting list of individuals who travel frequently, stay in premium hotels, and are therefore likely to have significant assets.
Odido (2026)
ShinyHunters published the complete Odido dataset on March 1, 2026 — 6.2 million Dutch customers including names, dates of birth, home addresses, phone numbers, email addresses, IBANs, and for approximately 5 million individuals: passport numbers, driver's licence numbers, and Odido account challenge words. For Dutch residents, this breach completed the profile in a way that makes every downstream attack — SIM swap, social engineering, identity fraud — significantly easier to execute.
What the Combined Profile Enables
These breaches do not exist in isolation. Criminals cross-reference them. A name and email from Ashley Madison combined with an address from a data broker and a phone number from AT&T is a complete social engineering package. A Marriott travel history combined with a Change Healthcare medical record identifies high-value targets with precision. The Odido dataset combined with Dutch public records completes every piece of information a criminal needs to pass Odido's own identity verification.
Social engineering
An attacker calls your bank. They know your full name, date of birth, home address, and account details from a breach. They pass the identity check. They request a password reset or add a new payee. The bank has no reason to doubt them — every question was answered correctly. This is not theoretical: the MGM Grand breach in 2023 was initiated by a 10-minute phone call to the IT helpdesk using data from LinkedIn.
SIM swapping
Your phone number is the master key to your digital life. Banks, email providers, and government services send authentication codes by SMS. An attacker who can convince a carrier that they are you — using your name, date of birth, and account details from a breach — can transfer your number to their SIM. Every code goes to them. For Odido customers, the leaked challenge words make this process trivial: those are the exact phrases Odido's helpdesk asks for.
Identity fraud
With name, date of birth, address, and either a Social Security number or passport number, a criminal can apply for credit, open utility accounts, register businesses, or file fraudulent tax refunds. The US Federal Trade Commission received 5.7 million fraud reports in 2024, with identity theft as the leading category. The Netherlands has the highest digital payment fraud volume in the EU by absolute number.
Medical identity fraud
Change Healthcare made this category mainstream. Stolen health credentials are used to bill insurers for procedures never performed, obtain prescription medication, or fraudulently claim disability benefits. Victims typically discover it when denied insurance coverage or presented with a bill for care they never received.
Targeted blackmail
Ashley Madison demonstrated this at scale. When sensitive personal data — affairs, health conditions, financial difficulties, past legal issues — is combined with a home address and a real name, it creates a precise blackmail instrument. The campaigns that followed the Ashley Madison publication were automated: thousands of personalised emails sent by script, each referencing the recipient by name and threatening exposure unless payment was made.
Physical targeting
Home addresses are in the data broker layer. Daily routines are visible on social media. Vehicle registrations may be in public databases. Travel patterns are in the Marriott dataset. For executives, high-net-worth individuals, or anyone with a contentious personal or professional situation, the combined profile creates a physical security risk most people do not consider until something has already gone wrong.
How Complete Is Your Profile Right Now?
Most people do not know. They think of their online presence as what they have deliberately published. They do not account for the data broker layer they never opted into, the breach databases their information has been added to without their knowledge, or the complete picture that emerges when those sources are combined with their social media history.
The only way to know what exists is to look at it — using the same sources and methods that an investigator, a journalist, or a criminal would use.
That is what a professional digital footprint audit does, and it is what The Mirror delivers.
See Your Profile Before Someone Else Does
The Mirror is a full digital footprint audit. We run the same search on you that an OSINT investigator would — open web, data brokers, breach databases, dark web exposure, image footprint, and professional data — and deliver a complete picture of what is publicly available about you, with specific recommendations for each category.
You cannot reduce an exposure you cannot see. The Mirror gives you the complete picture first.
View The Mirror →Reducing What Exists
Knowing your profile is the first step. Acting on it is the second.
Some of what exists can be removed: data broker listings can be opted out of or legally challenged under GDPR and CCPA, old social media content can be deleted, search engine results can be suppressed using right-to-erasure requests. Breach data cannot be deleted from the internet — but its impact can be mitigated by locking down the accounts and credentials it exposes.
The further your data has already spread — across brokers, across breaches, across aggregators — the more systematic that removal process needs to be. Understanding the full scope first is what The Mirror is built for — a systematic open-source investigation that maps every layer before removal begins. A piecemeal approach to removal will not keep pace with the rate at which data is repackaged and redistributed.
The Eraser handles the removal process end-to-end: locating all instances of your data across broker databases and aggregator sites, submitting removal and erasure requests under applicable law, monitoring for re-listing, and providing documented proof of removal for each source.
The profile exists. The question is whether you let it stay complete.