Most accounts of a cyberattack begin with the breach: the phishing email that landed, the credential that worked, the system that fell. That is the middle of the story. It skips the part that decides whether you are attacked at all — the quiet assessment an attacker makes before committing anything.
That assessment runs on one input. Your footprint: the data about you that is already findable, already sold, already leaked. The more of it there is, the less the attacker has to guess. And guesswork is most of what protects a target nobody can see clearly.
This is the part vendor write-ups skip. They map the attack from the attacker's tooling outward. We are going to map it from your data inward — from a single email address, the most ordinary thing you own, through every stage of an intrusion. At each stage, hold one question: where did the fuel for this step come from, and was it findable in advance?
The thesis is simple. Exposure turns a target from a gamble into a calculation. An attacker with little to go on is forced to hope something works. An attacker with a rich footprint can forecast what is there to take and how to reach it before spending an hour on the attempt. Visibility does not just create individual risks; it moves you from an unknown into something that can be assessed, and assessment is the precondition for being chosen.
The assessment comes before the attack
Reconnaissance is usually described as the first phase of an attack. It is more useful to think of it as triage. Before an operator builds a lure or buys a credential, they are answering two questions. Is this target worth planning for? And if so, where is the effort best spent?
For an unknown target, both answers are blind, and the attacker can only gamble on a generic run and hope. For a legible target, both are calculable. Public records, people-search profiles, social accounts, and leaked marketing databases together sketch a working picture: who you are, what you are likely worth, what role you hold, and which doors might open.
The raw material is mundane. Data brokers compile and sell records assembled from public filings, purchase histories, and licensed datasets. People-search platforms republish much of it in a form anyone can read without authentication. A breached marketing database — the kind that leaks from a B2B lead vendor — can hand over a working organisation chart: names, titles, reporting lines, direct emails. None of this requires an intrusion. It is the standing layer, and it is the attacker's feasibility study. In ATT&CK terms it is the reconnaissance stage: gathering victim identity and organisation information (T1589, T1591).
The defensive flip here is the bluntest in the whole chain. The less of this there is, the harder you are to assess, and the more an attacker falls back on guessing. A footprint audit — the work behind the Mirror — exists to show you this layer as the attacker sees it, before it is used.
From an email address to a password
Suppose the assessment comes back favourable. The next move is to convert identity into access, and the first place an attacker looks is the credential market.
Here the single email address starts doing work. Credentials tied to an address surface in two overlapping pools. The first is breach corpora: the accumulated dumps of historic site compromises, queryable by email. The second, and now the larger problem, is infostealer logs — the structured output of malware that harvests everything a browser holds on an infected machine.
The scale is no longer marginal. SpyCloud's 2026 Identity Exposure Report recaptured 642.4 million exposed credentials from 13.2 million infostealer infections in a single year, roughly fifty credentials per infected device. Its analysis of underground combolists — the curated lists traded for targeting — found that 51% of records overlapped with previously seen infostealer logs. Criminals are repackaging malware output and selling it keyed to exactly the identifier we are following: the email address.
An infostealer log is worse than a password. It is a dossier. Alongside the credential it carries autofill data (name, address, phone), the list of sites the victim actually uses — their real bank, their employer's single sign-on, the specific tools they log into — and live session cookies. The cookies matter most: a valid session token can let an attacker resume an authenticated session and step past multi-factor authentication without ever entering a code. We walk those mechanics in detail in how infostealers work and what a stealer log contains.
So initial access takes one of two shapes. Where a stolen credential still works against a portal without enforced MFA, the attacker simply logs in — the use of valid accounts (T1078). Where it does not, the recon from the previous stage builds a lure precise enough to harvest a fresh one (T1566): a message referencing your actual bank, your real employer, the tool you genuinely use. Acquiring those accounts and credentials upstream is itself a documented stage (T1586).
The defensive flip: a credential you have rotated and an account behind phishing-resistant MFA are dead weight in a log. The exposure that converts to access is the credential you forgot you had.
The email is the master key
This is the stage most defences underestimate, and the one where a single address does the most damage.
Treat the email account not as one account among many but as the controller of all the others. Almost every service you hold ties recovery to it. That makes the inbox a master key, and the path to it runs through information most people never think of as exposed.
Start with enumeration. Password-reset and login flows often reveal, by their response, whether an account exists for a given address. Probe enough services with one email and you learn where the target has accounts — bank, broker, retailer, employer tooling — without touching any of them. This is account enumeration, a well-documented design flaw; the OWASP guidance on forgot-password flows exists precisely because so many systems leak this signal.
Then read what those flows volunteer. Many reset screens, in the name of helpfulness, display masked recovery hints: a code "sent to j***@gmail.com," a number ending "***89." Each hint is a partial answer. Cross-referenced against people-search records and breach data — both keyed, again, to the original address — the masks fill in. The secondary email surfaces. The phone number surfaces.
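As an added illustration (not code from the original page or from any vendor it names), the two paragraphs above translate into a forgot-password handler. The first function reproduces the leaking behaviour the text describes; the second follows the OWASP forgot-password guidance by answering identically for known and unknown addresses and never echoing a recovery channel. The account store and addresses are constructed sample data.

```python
import secrets

# Constructed sample account store for the demo; not real users.
USERS = {
    "jane@example.com": {"recovery_email": "jane.alt@example.org", "phone": "+15555550189"},
}
PENDING_TOKENS = {}


def mask_email(addr):
    """Produce the 'j***@example.org' style hint that many reset pages display."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def leaky_reset(email):
    """The pattern the text describes: the response reveals whether the account
    exists (enumeration) and volunteers masked recovery hints that can be
    cross-referenced against broker and breach data."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "message": "No account found for that address."}
    hint = (f"Code sent to {mask_email(user['recovery_email'])} "
            f"and number ending ***{user['phone'][-2:]}.")
    return {"status": 200, "message": hint}


def hardened_reset(email):
    """Per the OWASP guidance: identical status and body whether or not the
    address is known, the same work in both branches so timing does not
    differ, and no recovery channel echoed back to the caller."""
    token = secrets.token_urlsafe(32)       # generated either way, so the branches cost the same
    user = USERS.get(email)
    if user is not None:
        PENDING_TOKENS[email] = token       # delivery to the stored channel happens out of band
    return {"status": 200,
            "message": "If an account exists for that address, reset instructions have been sent."}


def indistinguishable(handler, known, unknown):
    """Check that a reset handler gives the same response for a known and an unknown address."""
    return handler(known) == handler(unknown)
```

The `indistinguishable` check is the one to run against your own reset endpoint: if it returns False, the flow is leaking the signal the text describes.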
With the recovery map drawn, the attacker picks the weakest hinge. If recovery can fall back to SMS, the phone number is the target, and the phone number is reachable. A SIM-swap — convincing or bribing a carrier to move a number to an attacker-controlled SIM — delivers every code sent to it. This is not a fringe risk: in December 2024 the FBI and CISA jointly advised against using SMS as a second factor at all, following the Salt Typhoon intrusions, and Microsoft's identity-security leadership has called SMS the least secure form of MFA available. In framework terms this is modifying the authentication process and intercepting or overwhelming the second factor (T1556, T1111, T1621).
A note on how this is described. The mechanics in this section are set out at the level a defender needs to recognise their own exposure — which accounts a single address reveals, which recovery path is weakest — not as a procedure to run. No individual is profiled, and no live target is referenced.
Notice what defeated the standard advice. "Verify the caller, then ring the official number back" assumes the attacker is outside the verification loop. By this stage they hold your verifying details and may control the channel the codes arrive on. The defensive flip is specific and unglamorous: get off SMS recovery, sever stale secondary addresses and numbers from your accounts, and treat the recovery chain as the asset it is. Mapping that chain — finding the weak hinge before someone else does — is the core of a Lockdown.
The recovery chain behind a single email address is the part of your exposure that most often turns a leaked password into a lost account. A Lockdown maps it the way an attacker would.
Inside an organisation, the same map redraws
For an individual, the chain may end at the inbox. For a target who is also an employee, the inbox is a doorway, and the footprint that matters widens to the organisation around them.
The same legibility principle applies, with different sources. An attacker profiling a company reads its technology from the outside. Job postings name the platforms a team runs. A developer's public GitHub profile shows which projects they are active in and which languages and frameworks they commit to; an organisation's public repositories reveal the same at scale. Site-fingerprinting tools round out the picture. Together these tell an attacker what software is in use, and therefore which known vulnerabilities are worth trying against an internet-facing system (T1190, T1068).
Developer tooling is part of that surface too, and a token left reachable inside it is simply a credential. In May 2026 the actor tracked as TeamPCP — the group we examined, before it was formally attributed, in how a security scanner breached the European Commission — compromised a GitHub engineer's machine through a poisoned editor extension, lifted the access tokens sitting in the development environment, and used them to clone roughly 3,800 of GitHub's own internal repositories. GitHub reports that customer repositories were not affected; the lesson is the mechanism, not the blast radius. And the mechanism is not rare: GitHub's own scanning found more than 39 million exposed secrets across public repositories in 2024, and most leaked credentials stay valid long after they appear. It is the same shape as the Grafana incident in our CoinbaseCartel profile: an exposed token, a source-code pull, an extortion demand.
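As an added example of the check a team can run on its own side of this surface (not GitHub's scanner or any project code from the page), the block below is a minimal pre-commit style scan for tokens left in files inside a development environment. The token shapes assumed are the publicly documented GitHub personal-access-token and AWS access-key formats; the file contents and token values are constructed and not real credentials.

```python
import re

# Publicly documented token shapes. Sample values further down are constructed, not real secrets.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}


def scan_text(name, text):
    """Return one finding per line that matches a known secret shape.
    Only a short prefix of the match is kept, so the report itself does not leak the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "preview": match.group(0)[:8] + "..."})
    return findings


def scan_tree(files):
    """files: mapping of path -> contents, e.g. the staged files in a pre-commit hook."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree: one leaked PAT in a dotenv file, one AWS key in a deploy config,
# and a source file that correctly reads the token from the environment instead.
SAMPLE_FILES = {
    ".env": "DATABASE_URL=postgres://app@db/app\n"
            "GITHUB_TOKEN=ghp_ExampleConstructedToken0123456789abc\n",
    "deploy/config.yaml": "region: eu-west-1\naws_access_key_id: AKIACONSTRUCTEDKEY00\n",
    "src/main.py": "import os\nTOKEN = os.environ['GITHUB_TOKEN']\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_FILES):
        print(f"{finding['file']}:{finding['line']} {finding['kind']} {finding['preview']}")
```

Wired into a pre-commit hook, a non-empty result from `scan_tree` blocks the commit; the same scan run over an editor's extension and settings directories covers the environment-resident tokens the incident above turned on.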
The leaked organisation chart from earlier reveals who holds privileged access and who is worth impersonating next — the finance contact, the executive assistant with the principal's calendar (T1087). From a foothold, established remote-access and administrative tooling carry the movement laterally (T1021).
The defensive flip at the organisational level is a mapping exercise, not a product: know what your own staff, filings, and infrastructure disclose before an attacker assembles it for you. That is what a Corporate Audit is for.
Impact, and the loop that feeds the next target
The final stage is the one that makes the news, and it is the shortest to describe, because by now the work is done.
Impact takes two broad forms. Increasingly it is theft alone: data is exfiltrated and the victim is extorted under threat of publication, with no encryption involved — the model groups like CoinbaseCartel run. The older form encrypts as well as steals, adding operational paralysis to the pressure, as Qilin and similar crews do (T1486, T1657).
What matters for our thesis is what happens to the stolen data afterward. It does not disappear. It is published, traded, or folded into the next combolist, and it becomes recon for the next target. The credentials, the internal contact lists, the documents that name third parties: all of it re-enters the standing layer we started from. Today's victim is tomorrow's reconnaissance. The chain is a loop, and exposure is both its first input and its final output.
This is why the footprint side is the one worth defending. You cannot patch your way out of being assessable. You can only reduce what there is to assess.
The defensive read: reduce the data, break the link
Run back through the chain and a single discipline appears at every stage. Each step ran on a specific, findable data point. Remove or harden that point and the link to the next step weakens or breaks.
- Selection ran on broker and people-search records — reduce the standing footprint and you fall toward the line below which a target is not worth planning for.
- Credential access ran on leaked and stolen credentials keyed to an email — rotate, monitor, and put phishing-resistant MFA in front of what matters.
- The email pivot ran on enumeration and a weak recovery path — sever SMS recovery and stale recovery contacts.
- Organisational escalation ran on disclosed technology and an org chart — know what your filings and staff reveal.
None of this makes you invisible. The point is narrower and more useful: most of what protects an unknown target is the attacker's uncertainty, and your footprint is what removes it. Reduce the footprint and you do not just close one door — you can drop below the threshold where the calculation favours an attempt at all.
There is an uncomfortable symmetry in this. The assessment an attacker runs before committing is the same one a defender should run first. Listing what is findable, tracing where one email address leads, mapping which recovery path is weakest, modelling what an organisation discloses: that is the attacker's pre-attack dossier, and it is precisely the work behind a Mirror, a Snapshot Scan, or a Corporate Audit. You will be assessed either way. The only real choice is whether you see your own exposure first, or learn its shape after someone has used it.
Sources
Infostealer and credential exposure
- SpyCloud, 2026 Annual Identity Exposure Report. spycloud.com/newsroom/annual-identity-exposure-report-2026
- Flare, tracing the 2026 World Cup infostealer pipeline. flare.io, 2026 World Cup infostealer pipeline
Credential exposure at scale
- GitHub, 39 million secrets detected in public repositories in 2024 (GitHub blog, application security). github.blog, next evolution of GitHub Advanced Security
- GitGuardian, State of Secrets Sprawl 2024. gitguardian.com/state-of-secrets-sprawl-report-2024
Developer-tooling compromise
- Help Net Security, "TeamPCP breached GitHub's internal codebase via poisoned VS Code extension" (May 2026). helpnetsecurity.com, GitHub breached by TeamPCP
Authentication and SIM-swap risk
- CISA and FBI, Mobile Communications Best Practice Guidance (December 2024). cisa.gov, Mobile Communications Best Practices
Account enumeration
- OWASP, Forgot Password Cheat Sheet. cheatsheetseries.owasp.org, Forgot Password
Technique framework
- MITRE ATT&CK, Enterprise techniques (IDs referenced inline). attack.mitre.org
Related analysis
- How infostealers work, what a stealer log contains, the identity pack, anatomy of a vishing attack, and the Qilin and CoinbaseCartel threat profiles.