Executive Exposure Checklist

A structured self-diagnostic covering the ten public and semi-public surfaces an adversary uses to assemble an executive target profile. Work through it on screen, print it for a board binder, or use it to scope where a deeper audit is needed. Risk weighting reflects typical severity in the contexts we see — people-search profiles, broker presence, breach fragments, filings, and credential leaks all land at the high end.

Last updated: April 2026 Designed for: executives, board members, privacy-conscious professionals See also: NIS2 Risk Vector

Who this is for

Executives, board members, senior professionals, HNW individuals, and anyone who wants a clear picture of what a targeted adversary can assemble about them from public and semi-public sources. No technical background is required — each check is something you can run yourself, and most take only a few minutes.

What you gain from working through it

Visibility into your own exposure. The ten categories below mirror the order a professional reconnaissance workflow follows in practice — brokers first, then breaches, filings, family, dark-web credentials, social-engineering surface.
Lower personal discoverability. Each listed action removes a pretext ingredient an attacker would otherwise build on. Fewer ingredients mean fewer usable attack paths against you and the people around you.
A harder target for targeted fraud. Whaling, CEO fraud, SIM-swap, and vishing all depend on cheap background research. Remove the raw material and the economic return on targeting you drops sharply.
A repeatable baseline. Exposure drifts — new breaches, new people-search hits, new filings. Re-run the checklist every six to twelve months to catch drift before it turns into an incident.

Executive

Role / Title

Organisation

Date of Self-Audit

0 of 23 checks completed 0%

01 Data Broker Presence High

Search yourself on the major people-search brokers. Run "Your Name" site:spokeo.com on Google, then repeat for whitepages.com, beenverified.com, radaris.com, peoplefinder.com. Note every hit.Action: Any listing = file an opt-out. Fragmented data (name + city + age) is sufficient to build a targeted pretext.

Check the EU-focused brokers. Search for yourself on 4iq, Lusha, ZoomInfo, SignalHire, Apollo. These aggregate professional + personal data specifically for B2B targeting.Action: EU brokers require a GDPR Article 17 erasure request. Log each request with a reference and a 30-day follow-up.

Run a broad identity query. Search "Your Name" "Your City" on Google and review the first three result pages for any people-search, directory, or aggregator listings beyond the major ones above.Action: Long-tail brokers are where most residual exposure lives after a headline removal round.

02 Breach Database Exposure High

Enter your work and personal emails at haveibeenpwned.com. Include every email used for professional registrations (LinkedIn, conference signups, vendor accounts) and every personal email used on any device you access work systems from.Action: Any hit = assume the associated password is on credential-stuffing lists. Reset, rotate to a password manager, and enable FIDO2 hardware keys on the critical accounts.

Check for password fragments or session material in secondary indexes. Search for your email at dehashed.com (paid) or intelligence-x.com (free tier) and note any plaintext, hashed, or fragmentary password returns.Action: Fragments let attackers correlate your accounts across services. Treat any fragment as a full compromise for that account family.

03 Social Media Privacy Exposure Medium

Open your LinkedIn profile in an incognito window. Without your account, can a stranger see your full work history, education years, reporting chain, contact details, or activity feed?Action: LinkedIn is the single most common reconnaissance source for whaling and CEO-fraud. Restrict connection visibility, hide activity feed, remove reporting-chain inference where possible.

Audit Facebook and Instagram privacy. Use the privacy shortcut / “View as public” option. Check tagged photos, friends list, past check-ins, and about-page fields (employer, school, hometown) for public visibility.Action: Each public field is a pretext element. Set visibility to friends-only for tagged photos, friends list, and location history at minimum.

Review the last 24 months of public posts across all platforms. Look for: home-city mentions, workplace photos, family names, vehicle plates, holiday plans, conference check-ins, travel patterns.Action: Delete or lock down any post that names a location, a family member, or a travel pattern. Old posts are low-cost to remove and high-cost to leave public.

04 Corporate Filings & Public Registers Medium

Search your name in the relevant Chamber of Commerce / company register. For NL: KvK.nl handelsregister. For UK: Companies House. For DE: Handelsregister. Check whether home address, date of birth, or signature are visible in board or shareholder entries.Action: Most EU jurisdictions allow a registered-office substitution for directors. If home address appears on any filing, request substitution and resubmit the filing.

Check non-corporate registers and public bodies. Associations (verenigingen / e.V.), foundations, charity trustee rolls, sports federations, and professional licensing bodies often publish officer details beyond what corporate law requires.Action: Request redaction where the publishing body has discretion. Where they do not, consider whether the role still needs to be held in your own name.

05 Property & Land Registry Records High

Run a title search against your primary residence. For NL: Kadaster. For UK: HM Land Registry. For DE: Grundbuch (via notary). Note whether ownership is registered to your personal name or to a holding structure.Action: Direct personal registration means any member of the public can tie your name to your home address for a small fee. Restructuring into a holding entity is the durable fix.

Google your home address inside quotes. Review every result — directory listings, real-estate history, old social posts, news mentions. An exposed address anywhere means the attacker doesn’t need the registry at all.Action: File takedown requests on directory and real-estate sites. Old social posts with addresses are frequent long-tail leaks — treat deletion as a one-off cleanup.

06 Family Member Discoverability Medium

Google each immediate family member by name plus your city. Review results for school pages, sports clubs, youth activity rosters, church newsletters, and news mentions naming them.Action: Request removal from public rosters where possible. Family members are used as pretext multipliers — to pressure you, to impersonate you, or to physically locate you.

Audit your own feeds for posts that name or tag family. Photos of children in school uniforms, posts naming a partner’s employer, or check-ins at a family member’s workplace are high-value identifiers for an adversary.Action: Remove or lock down. Brief adult family members on what they post about you — your OPSEC only works if theirs does too.

07 Photo & Reverse-Image Searchability Medium

Upload your primary headshot to a reverse-image search. Use pimeyes.com, Google Lens, or Yandex. Note every site where the image appears — corporate bios, conference galleries, press photos, old social profiles.Action: A single reverse-image hit can link every pseudonymous or “private” account back to you. Opt out of Pimeyes indexing; request takedowns on stale conference galleries.

Check internal event and conference photo leaks. Search for "your company name" photos and "your name" conference. Event photographers frequently upload to public portfolios after the fact.Action: Request removal from photographer portfolios. Add a photo-use clause to internal event consent going forward.

08 Domain & WHOIS Leakage Low

Run a WHOIS query on every personally registered domain. Family names, vanity domains, old side projects — use whois.domaintools.com or whois yourdomain.com from a terminal. Check for un-redacted name, home address, or phone number.Action: Enable privacy proxy (WHOIS privacy) on every personal domain today. It is a registrar toggle that takes two minutes and removes a direct address leak.

Check historical WHOIS and DNS for legacy leaks. Use viewdns.info or securitytrails.com to see whether older WHOIS snapshots captured pre-privacy data. This archive is permanent and indexed.Action: Historical archives cannot be retroactively scrubbed — but knowing what is there lets you plan around it (e.g., don’t re-use the same address on new registrations).

09 Dark-Web Credential Exposure High

Check your email across stealer-log dumps. Stealer logs (RedLine, Vidar, Raccoon) contain not just credentials but live session cookies, autofill data, and 2FA backup codes. Use a credential-monitoring service or a manual dehashed.com search.Action: Any stealer-log hit requires more than a password reset — revoke all OAuth grants, invalidate sessions across Microsoft/Google/Okta, and assume any device that email was used on may still be compromised.

Check for combo-list inclusion. Combo lists blend credentials from dozens of breaches and are the raw material of credential-stuffing attacks. Scattered Secrets, Enzoic, and Flare offer executive-level lookups.Action: Unique passwords per service + hardware-key 2FA on SSO are the only durable controls. Rotate any credential that appears in a combo list.

10 Social-Engineering Surface High

Audit public-facing calendar and scheduling tools. Calendly, Linktree, public “book a meeting” widgets, or shared EA calendars — do they expose meeting subjects, counterparty names, travel dates, or physical locations?Action: Strip all identifying detail from titles. A booking page should show time slots only, not “Board meeting — Amsterdam — Thursday”.

Review out-of-office auto-replies. Does your OOO name a deputy, specify return date, or mention travel destination? Each field is a pretext ingredient for BEC and CEO-fraud windows.Action: Generic OOO wording only — “I am out of office and will reply on my return. For urgent matters, contact [role] at [generic address].” No names, no dates, no destinations.

Check LinkedIn activity for pre-announced absence. Posts like “Excited to be speaking at X next week” or “Heading to Y conference” are explicit targeting windows — attacker knows you are distracted and your team is waiting on you.Action: Either post after the event, or brief the finance and legal teams before a publicly announced absence so impersonation attempts are caught on pattern.

Notes

Next Steps If Any Row Scored High

A high-weighted category here (data brokers, breach exposure, property registers, dark-web credentials, social-engineering surface) is rarely a single-row fix — it is a signal that the reconnaissance surface is mapped to you personally and that remediation needs to be structured rather than piecemeal.

A Corporate Audit runs this assessment end-to-end for a named executive or for a defined leadership cohort: surface mapping across the ten categories above, documented findings with severity weighting, and a prioritised remediation plan you can hand to legal, HR, or security. No client details are published; the deliverable is a bound report plus a debrief.

Talk to an Analyst

This checklist is for informational and self-diagnostic purposes only. It does not constitute legal or security advice. Your checklist data is stored locally in your browser and is never transmitted to our servers.

← Library

Executive Exposure Checklist

Who this is for

What you gain from working through it

Category 1: Data Broker Presence

Category 2: Breach Database Exposure

Category 3: Social Media Privacy Exposure

Category 4: Corporate Filings and Public Registers

Category 5: Property and Land Registry Records

Category 6: Family Member Discoverability

Category 7: Photo and Reverse-Image Searchability

Category 8: Domain and WHOIS Leakage

Category 9: Dark-Web Credential Exposure

Category 10: Social-Engineering Surface

Next Steps If Any Row Scored High