Subtle Information Hackers Find in the Background of Your Social Media Photos
And how you can better protect yourself against accidentally exposing personal information
For hackers, the rise of social media is one of the most important technological advancements in history. Facebook, Twitter, Instagram, and other social media platforms make gaining access to personal and business information extremely easy.
Most people are somewhat aware of the dangers of posting personal information online.
According to a 2016 study by The University of Phoenix, 84 percent of U.S. adults claim to have at least one social media account and, “as the prominence of social media has grown, so too has the number of criminals preying on those who use it.” The same survey showed, “Nearly two in three U.S. adults who have personal social media profiles say they are aware that their accounts have been hacked and 86 percent agree they limit the personal information they post due to the fear of it being accessed by hackers.”
However, many people overlook the danger of posting on social media and inadvertently leaking sensitive personal information. This is especially true when it comes to images.
There are a myriad of methods hackers can use to steal your personal information, but these are typically sophisticated attacks that are tricky for anyone to prevent. But the flood of personal information on social media has attracted a new type of hacker.
This new type of hacker more closely resembles an intelligence analyst or a determined stalker than a tech savvy cyber-criminal. In many cases, the individual may not even be breaking the law in their initial search and subsequent data aggregation on an individual or business.
I know this because I have worked in the OSINT (Open Source Intelligence) field as a political opposition researcher and online reputation management consultant. And the amount of information I have uncovered using publicly available photos (much of it from social media) is staggering.
Below are some of the most common ways people are accidentally leaking personal information on social media:
Cars/Vehicles
New Cars
People love to post photos of their cars on social media. Especially new cars:
The problem with posting your car is that you immediately expose a ton of personal information. If you have the license plate, you can easily trace the owner of a car.
Most states allow you to file a Request for Record Information at your local DMV. This contains information relating to the registration of a vehicle in the state, as well as any motoring convictions and reportable accidents that are public record.
There’s usually a form to fill out, and you must sign on the application that you are requesting the information for a “permissible use.” Generally, under the federal Driver’s Privacy Protection Act, this includes verifying someone’s driving record for employment purposes, information required in connection with an accident, or for use in a lawsuit.
Even without contacting the DMV, if you have access to any sort of decent public data aggregation database, you can use the license plate to determine:
- Make/Model of Car
- Vehicle Identification Number (VIN)
- Owner’s Name
- Owner’s Address
Employees at Office
ID Badges
Interns and new employees frequently post their ID badges with hashtags such as #WorkLife, #Intern, #IDBadge, and #FirstDayofWork.
This badge below is one of ten of thousands posted (publicly) to social media. This could be used by someone looking to find out where you work, stealing your identity, or even breaking into your company.
Sensitive Company Information:
In an attempt to showcase their work, and create a sense of authenticity, they post pictures of their desks which contain sensitive information, including passwords:
Personal Information:
While this post does not show any passwords, it does show enough information to allow someone to use social engineering to pose as this person or potentially create a targeted phishing campaign.
How to Spot a Phishing Email
Sample phishing attempts from suspect “PayPal” email account
medium.com
Location Data
Most modern smartphones store the exif data from an image file. This data can tell you the device used to take the picture, the camera’s shutter speed and lens type, the date and time the picture was taken and, sometimes, even its location in the form of GPS coordinates.
In Windows, all you have to do is right-click a picture file, select “Properties,” and then click the “Details” tab in the properties window. Look for the Latitude and Longitude coordinates under GPS.
In macOS, right-click the image file (or Control+click it), and select “Get Info.” You’ll see the Latitude and Longitude coordinates under the “More Info” section.
This problem is probably most pronounced on Instagram. People post pictures of their cars, luxury goods, and essentially document their spending. This is all conveniently geotagged so anyone can know your whereabouts.
Geotagging is a technical term for storing the latitude and longitude of your current location with your photo. This data is collected by the GPS device in your phone or tablet and is accessible to Instagram. This presents a number of risks:
- Stalkers can use this information to harass people or obsess over every personal detail of someone else’s life.
“Six years later, I’m still ‘stalking’ Reena on social media — by which I mean I’m not stalking her in the criminal sense, I’m just obsessively following her online updates. I found her Instagram, her friends’ accounts, and even her sister’s account to see what her upbringing was like.”
- Lawyers/creditors/ex-spouses can use this to locate assets that they may later claim ownership of due to a financial dispute.
Daniel Hall, director of global judgment enforcement at Burford Capital, said their targets in such cases tended to be people “of a slightly older vintage” who were not prodigious users of Instagram, Facebook and Twitter, but whose children, employees and associates often were. The firm recently managed to seize a “newly acquired private jet” in a fraud case because one of the two fraudsters had a son in his 30s who posted a photograph on Instagram of himself and his father standing in front of the plane.
- Robbers can track your location, know precisely what luxury goods you have in your home, where your home is, whether you are home or not, and even establish a layout of your home and its security systems.
Duff, 29, posted a short video to her 8 million Instagram followers four days ago. In it, the star can be seen doing a handstand off a pier, a vision of holiday relaxation. “CANADA,” she captioned the video, letting the world know she was many thousands of miles away from her Beverly Hills home. TMZ reports that the very same day, someone broke into Duff’s house, making off with jewellery and valuables to the tune of several hundred thousand dollars.
This threat is not limited to high profile celebrities:
Albany Police say home burglaries are increasing as Christmas approaches. Police warn that thieves could be looking at social media for victims.
Police warn people putting pictures of all their presents under the Christmas tree on social media like Facebook or Twitter could be an invitation for crooks.
Keys
Although it has been possible to copy keys from photos for decades, new apps and image software have made the process even easier.
Many people forget that they have keys in the background when posting photos of themselves, friends (especially at work), and while in cars:
Apps like KeyMe have made it ridiculously easy to steal someone’s house keys. It works like this:
With the free app for iOS and Android, users scan a key and send it to KeyMe to have a new one created and mailed to them. The service can save you a trip to the locksmith and let you customize your key with cool designs.
Users must place the key on a white sheet of paper and shoot it from both sides. On request, KeyMe uses the scans to create an exact duplicate which they mail to you, or anyone else making the request. They even do car keys.
“Avoid repeat trips to the locksmith,” reads the company’s website. “Traditional locksmiths manually trace your keys. Our patented technology digitally scans your key and creates a perfect duplicate aligned to factory specifications, guaranteed to work. Your key, only more accurate.”
The service is simple to conduct because of a thing called key bitting, which refers to how the “teeth” on a key are cut and arranged to lift individual pins to a correct height, at which point the lock is opened. The bitting tells a locksmith how to cut a key to make an additional copy.
Each manufacturer offers its own key bitting with unique properties so as to create a wide variety of possible combinations, ensuring that no other key (or at least not many other keys) can open the same lock.
But even though all transactions are verified with a credit card and email confirmation, that doesn’t prevent a complete stranger from creating their own account, scanning a key that doesn’t belong to them and requesting a copy be sent to their address.
Washington Post Inadvertently Leaks TSA Master Keys
PErhaps the most egrtegious example of posting keys withut thinking of the possible reprecussions was a Washington Post article “The secret life of baggage: Where does your luggage go at the airport?” In the original article, they included the following image of the master keys:
What the Washington post didn’t realize is that having an image of a key is almost as good as having the key itself. For thousands of years, key impressions have been used to covertly copy keys without the owner noticing.
One you have the impression, making a new key is easy. While the Washington post picture wasn’t exactly an impression, it wasn’t far off from one. Almost immediately, people figured out how to 3D print the master keys. Even though the Washington Post took the image down, it was too late. Once things are out on the internet, they don’t disappear so easily. You can even find the TSA master keys on eBay now made with real metal.
Pets
A 2010 survey by ID Analytics found that almost 20 million Americans have revealed the names of their pets on social networks. I can only imagine that number has grown since then.
Pets names are a frequent security question. And a cursory search of most pet owners’ social media accounts will uncover their pet’s name:
Memories
People love to share throwback posts with images explaining their personal history. For example, in the post below, a doctor is showing all of her old ID badges, from medical school to her first attending role.
She most likely does not perceive this posted photo as a threat because all of these are old “expired” form of ID.
The problem is that whether or not these IDs are active, they reveal a ton of information to potential hackers:
- First job (common security question)
- Her signature
- Graduation dates
- Progression of aged photos
- Detailed history of here employment
- Clear templates for the production of fake IDs for any of these facilities (many companies keep the same design on their IDs for years if not decades)
What Can You Do To Better Protect Your Privacy?
Reduce your overall use of social media
- Social media makes it exponentially easier for people to obtain personal information about you. While there are some positives of remaining active on social media, reducing your overall usage can dramatically improve your privacy. This is especially true for heavy users of social media who may be providing hackers with nearly every data point possible by essentially live streaming their entire lives online.
Change passwords and do not use the same password for important accounts
- To ensure the security of your accounts and data, it is a good idea to periodically change your account password. It is also important to ensure that you do not use the same password for multiple platforms. In the event of a data breach, hackers can usually start with one leaked password, and by identifying your related profiles, access all of your accounts, if the passwords are not unique.
Create dummy accounts
- Setting up dummy accounts are a great way to reduce your personal information exposure. Never link your real/primary email address to your social media accounts.
Make up answers to security questions
- As explained above, answers to security check questions can be easily found through social media. One way of thwarting hackers is to make up answers to your security questions. For instance, when asked about what street you grew up on, enter your favorite sports team. Or take your answer and add a random string of characters to the answer. For example, My Home Street+ “92er!.” — just remember to keep a backup of the random characters, in case you forget.
Understand that once something is posted online, it is never truly gone
- Once you upload something to the Internet (including Facebook), you no longer have complete control over what happens to it. That means you should consider the very real possibility that anything and everything you post online could very well end up residing on the Internet forever. Online is forever. But with all of this content and constant noise, it’s easy to forget that anything written online can and will be found for the foreseeable future.
Thanks for reading this article! Leave a comment below if you have any questions, and if you want to learn more about blogging, content marketing, and social media strategy, be sure to sign up for the Blogging Guide Newsletter!
If you liked this article, here are some other articles you may enjoy:
Casey Botticello is an internet entrepreneur and the founder of Blogging Guide, an online community of writers with an award-winning newsletter. He is also the creator of the popular Medium Writing Course and the Substack Newsletter Course.
Casey previously worked at several tech startups, a lobbying & strategic communications firm, and has created several businesses of his own. He is a graduate of The University of Pennsylvania, where he received his B.A. in Urban Studies.
You can connect with him on LinkedIn, Twitter, Facebook, follow his Medium publications, Digital Marketing Lab and Medium Blogging Guide, or reach out to him directly on his personal website.