Reality of exposure
Your data is already public. What that really changes.
The privacy-first fiction serves everyone except you. An honest inventory of what has already leaked, and the strategic shift to operating in an assumed-leaked state.
This version was translated with AI assistance and reviewed by a human.
The client signs the NDA, locks the contract in his safe, and his historical inbox has just been dumped on a Russian forum. I see this scene every year. The NDA never protected his data. It only protected the feeling that his data was protected.
The usual trap
The dominant discourse on cybersecurity in 2026 looks like the one from 2013: it starts with “protect your data”. It assumes an initial state where your data is yours, where it lives in your devices and in the accounts you control, and where security consists of preventing it from leaving.
That state no longer exists. It has not existed for a long time.
Your historical email addresses, your phone numbers, your hashed passwords (sometimes in cleartext), your contacts, your date of birth, your purchases, your approximate movements, your estimated household composition, your inferred net worth — all this information already circulates in databases you have never consulted, with actors you don’t know, in jurisdictions where the GDPR does not apply.
The privacy-first fiction — the idea that your data is private by default and that protecting it is enough to keep it that way — serves everyone except you.
It serves regulators, who produce law (GDPR, CCPA, LGPD, PIPL) by presupposing a confidentiality to be restored, which gives them a continuous mandate and an appearance of effectiveness.
It serves SaaS vendors, who sell encryption, DLP (data loss prevention: detecting and blocking leaks of sensitive data through email, files or the clipboard), CASB (cloud access security broker: an intermediary between users and cloud apps that enforces security policy) and MFA (multi-factor authentication: two independent proofs of identity to log in), and bill these products to organizations that think they are buying protection when they are buying a compliance posture.
It serves users, who can continue to live as if their data were private, because it is more comfortable to close a safe than to look at what has already escaped.
The result:
We harden safes while the front door has been open for ten years, and no one is looking through that door.
An honest inventory of what has already leaked
Your data does not leak in one place. It leaks in five overlapping layers, each of which obeys different rules.
Layer 1 — Data brokers
The data brokerage industry is old, massive, and largely invisible to the general public.
Acxiom, whose marketing-data business was acquired by Interpublic Group in 2018 (the remaining company renamed itself LiveRamp), claims profiles on about 2.5 billion people, with an average of 1,500 attributes per profile. Experian, LexisNexis Risk Solutions, Oracle Data Cloud (built from the BlueKai and Datalogix acquisitions, and wound down when Oracle exited the advertising business in 2024), Epsilon: these names appear in every sector report from the past decade.
What they hold on you: name, address, phone, email, date of birth, household composition, marital status, children, estimated income, estimated wealth, real estate ownership. Further, and this is where it gets uncomfortable: purchases, web browsing, approximate geolocation (collected via mobile apps that resell it), media consumption habits. Further still: predictive scoring, meaning purchase probability by category, divorce risk, financial risk, life stage, estimated political affinities.
How your data reaches them: supermarket loyalty cards, mundane web forms (newsletter, contests, white paper), mobile apps (weather, flashlight, free games: the gold medal in opaque collection), opaque partnerships between SaaS vendors, and consent boxes pre-checked by default so that sharing is the path of least resistance.
The GDPR (EU Regulation 2016/679, in force since May 2018) grants a right of access and erasure, but in practice: European brokers (Mediascope, Schober, Klarna data products) respond partially, US brokers operating in Europe respond within timeframes that border on the legal limits, and cascading resellers make auditing impossible: you request erasure at Acxiom, and your profile is reinjected three months later from a secondary source.
Layer 2 — Leak databases
Have I Been Pwned, the most visible public service, indexes more than 13 billion accounts spread across several hundred breaches. This is the tip of the public iceberg: the service only loads leaks that are already circulating, and a breach that has not surfaced publicly is absent from it.
Below that, there’s DeHashed, Intelligence X, Snusbase, Constella Intelligence. These paid services ($5 to $300 per month depending on tier) give access to much more: older dumps never indexed by HIBP, cleartext passwords from poorly hashed breaches (notably 2010s sites using unsalted MD5), and sometimes data collected from now-defunct dark web forums.
The marketplaces where these dumps circulated have been seized or shut down: RaidForums (seized by the FBI in 2022), Breached (BreachForums, shut down in 2023 after its administrator’s arrest; its successor was seized in turn in 2024). The dumps themselves have survived. They are bought, repackaged, and continue to circulate among less visible actors.
Emblematic cases that everyone should know:
- Collection #1 (January 2019, revealed by Troy Hunt): 773 million unique email addresses, 21 million cleartext passwords, aggregate of hundreds of prior breaches
- LinkedIn 2021: 700 million profiles scraped, including emails linked to accounts (sold for $5,000 for the full dump)
- Facebook 2019 (published in 2021): 533 million profiles, including phone numbers
- 23andMe 2023: genetic data of 6.9 million accounts, with consequences on a 50-year horizon
- OPM 2015 (United States): 21.5 million federal employee records, including security clearance investigations
If you used the internet between 2010 and 2020, you are statistically in at least one of these dumps.
Layer 3 — Public registries
What follows is not a leak — it’s legally mandatory public information that no one thinks to include in their exposure mapping.
In France: BODACC publishes legal notices (company formations, judgments, insolvency proceedings), Pappers and Infogreffe make the RCS searchable (officers, mandates, financials), INPI publishes trademarks and patents. In the UK: Companies House, OpenCorporates. In the US: state registries (Delaware, Nevada), PACER for federal court decisions. In Switzerland: Zefix, plus cantonal land registries depending on the canton.
For an executive, these sources map within minutes: your complete professional life (every company where you’ve held a mandate, dates, compensation if you led a listed company), your litigation (any published court decision), your professional moves (changes of registered office), your real estate holdings in some jurisdictions.
GDPR does not apply: this data is public by law.
Layer 4 — Archives
The internet has a memory you did not choose.
The Internet Archive’s Wayback Machine has captured pages since 1996. Your personal website hosted at Free.fr in 2008, your LinkedIn profile from 2012 when you were a junior consultant, the discussion forum where you were active under your real name at 22 — everything is consultable, provided you know where to look.
archive.today (formerly archive.is) offers on-demand capture: anyone can take a permanent snapshot of a page, without you being able to object. No official removal mechanism.
Google’s cached copies of pages, once reachable through the cache: operator, were retired in 2024; search results now link to the Wayback Machine instead. What the cache used to expose is not gone, it simply lives on in the archives above.
Specialized OSINT tools (Maltego, Spiderfoot HX, Bellingcat Toolkit) consolidate these sources within minutes. A serious audit on an identified person takes two to four hours.
Layer 5 — Indexed social networks
LinkedIn is the worst offender for business profiles: your full CV, your contacts (depending on your settings), your mobility history, your public stances over ten years, your “I’m speaking at…” posts that reveal your travel.
Twitter / X retains almost twenty years of public statements (the service launched in 2006), a significant portion of which stays indexed by Google even after account deletion.
Metadata is sometimes more revealing than content: who you like, who you share, your activity hours (revealing your timezone and therefore your movements), with whom you interact frequently (revealing your inner circle).
Why you cannot regain control
At this point, the temptation is to say: “OK, I’ll do a complete cleanup.” This temptation is legitimate, and largely doomed to fail.
The leak architecture is distributed. Your data is not in one place but in dozens of copies spread across multiple jurisdictions, with actors of divergent interests. Requesting erasure from one actor erases nothing with the others.
The right to be forgotten has limited scope. GDPR Article 17 is conditional (data no longer necessary, withdrawal of consent, etc.) and subject to extensive exceptions (freedom of expression, public interest, legal claims, archives). In practice, EU Google delisting works, deletion from an active GDPR operator works, the rest works poorly.
The Streisand effect exists. Requesting deletion often amplifies exposure. An aggressive GDPR action against a newspaper awakens institutional memory. A request to Google produces a notification to the source page editor, who may decide to highlight it even more.
Resale is perpetual. A dump leaked in 2019 will be resold in 2030. Closed marketplaces are replaced by others. The marginal cost of storing dumps is zero, their value amortizes over decades.
Auditing is impossible. You don’t know who holds what, you can’t ask actors you’re unaware of. Even broker opt-out services (Incogni, DeleteMe, Optery, Privacy Duck) only cover a portion of the identified industry — and have no leverage over leak databases.
The strategic pivot
This is where the mental shift that changes everything else lies.
This shift is not a surrender. It is a realignment with reality.
Compartmentation, not confidentiality
Instead of trying to “protect everything” — an impossible goal — you separate identities by usage. A civil email for the bank, the tax office, the building manager. A professional public email for LinkedIn, conferences, media. A professional sensitive email for M&A files, litigation, negotiations. An operational email for third-party services, subscriptions, online purchases.
A leak on the operational identity (the most exposed, by construction) does not contaminate the sensitive identity. This is the subject of the article Identity compartmentation.
Rotation, not permanence
A password has a lifespan. So does an email address. So does a phone number.
Password: 3 months for critical accounts, 6 months for others. With a password manager, it’s mechanical. One caveat: current guidance (NIST SP 800-63B) does not call for calendar-based rotation of long, unique, manager-generated passwords; the rotation that matters most is the immediate one, when the password or the account’s identifier turns up in a dump. Treat the schedule above as a ceiling, not as a substitute for that trigger.
Operational email: 12 to 24 months. You abandon the address, you redirect important services to the new one, you let the rest die.
Phone number: 3 to 5 years for the public professional number, more stable for civil but with increased vigilance on the operator (see SIM swap).
This rotation is uncomfortable the first time. Then it becomes a discipline, like brushing your teeth.
Resilience, not absolute prevention
You will be compromised one day. The question is not “if” but “when” and “how you react”.
Prepare the response, not the prevention. One-page personal incident plan, identified escalation contacts, critical accounts with FIDO2 hardware (which resists phishing), encrypted backup stored outside the primary jurisdiction.
This is the subject of the article Field incident response.
Threat modeling from a leaked state
The inventory of your known exposure (see The exposure audit) becomes the entry point of any strategy.
For each exposure, you classify: critical (immediate action), sensitive (planned action), public (accepted, documented), benign (ignored).
For each critical exposure, you decide: mutate (change the underlying identifier), remove (close the account, request delisting), accept (with preparation of the response in case of exploitation).
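The compartmentation and rotation rules above, and the classify / decide grid of this section, lend themselves to a small inventory check. What follows is an added example written for this page, not code from the original article: it models the four usage compartments, finds identifiers that bleed across them (so that a leak on the operational identity also reaches civil or sensitive accounts), computes the blast radius of one leaked identifier, flags identifiers past their rotation horizon, and applies the grid. The accounts, addresses, phone numbers, dates and the LEAKED set are constructed sample data standing in for a real Have I Been Pwned result; the horizons are the article’s figures (18 months for operational email, 48 months for the public professional number), and the exact thresholds that assign an exposure to a class are this example’s reading of the grid, not the author’s.

```python
"""Exposure inventory triage for an assumed-leaked state. Added example, not
the article's code: finds identifiers that bleed across compartments, the blast
radius of one leaked identifier, overdue rotations, and applies the article's
classify / decide grid. All data is constructed; LEAKED stands in for a HIBP result."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rotation horizons from the article, in months: operational e-mail 12-24 (18
# here), public professional phone 3-5 years (48 here). Civil identifiers are
# described as "more stable" and get no horizon.
EMAIL_HORIZON = {"operational": 18}
PHONE_HORIZON = {"public_pro": 48}
TODAY = date(2026, 1, 15)  # audit date for the sample run (constructed)

@dataclass(frozen=True)
class Account:
    service: str
    compartment: str      # civil | public_pro | sensitive_pro | operational
    email: str
    phone: Optional[str]
    last_rotated: date    # last time the identifiers used here were changed

# Constructed inventory. The civil e-mail and phone are reused for two
# operational services: exactly the contamination the article warns about.
INVENTORY = [
    Account("Bank", "civil", "jean.dupont@example.org", "+33600000001", date(2019, 3, 1)),
    Account("Tax office", "civil", "jean.dupont@example.org", "+33600000001", date(2019, 3, 1)),
    Account("LinkedIn", "public_pro", "j.dupont@example.com", "+33600000002", date(2020, 6, 1)),
    Account("Conference", "public_pro", "j.dupont@example.com", None, date(2022, 1, 1)),
    Account("Dataroom", "sensitive_pro", "jd-deals@example.net", None, date(2024, 1, 1)),
    Account("Shopping site", "operational", "jean.dupont@example.org", None, date(2018, 5, 1)),
    Account("Weather app", "operational", "jean.dupont@example.org", "+33600000001", date(2018, 5, 1)),
]
LEAKED = {"jean.dupont@example.org", "j.dupont@example.com"}  # constructed HIBP hits

def identifiers(account):
    return [i for i in (account.email, account.phone) if i]

def cross_compartment(accounts):
    """{identifier: sorted compartments} for identifiers used in more than one
    compartment. Every entry is a hole in the wall between compartments."""
    seen = defaultdict(set)
    for a in accounts:
        for ident in identifiers(a):
            seen[ident].add(a.compartment)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def blast_radius(accounts, identifier):
    """Services reachable (reset, phishing, SIM swap) with this one identifier."""
    return sorted(a.service for a in accounts if identifier in identifiers(a))

def overdue_rotations(accounts, today):
    """Sorted (service, identifier) pairs whose rotation horizon has passed."""
    out = []
    for a in accounts:
        age = (today.year - a.last_rotated.year) * 12 + today.month - a.last_rotated.month
        if age > EMAIL_HORIZON.get(a.compartment, float("inf")):
            out.append((a.service, a.email))
        if a.phone and age > PHONE_HORIZON.get(a.compartment, float("inf")):
            out.append((a.service, a.phone))
    return sorted(out)

def classify(account, leaked, cross):
    """The article's four classes; the thresholds are this example's reading."""
    in_dump = any(i in leaked for i in identifiers(account))
    bleeds = any(i in cross for i in identifiers(account))
    if in_dump and (account.compartment in ("civil", "sensitive_pro") or bleeds):
        return "critical"   # immediate action
    if in_dump or bleeds:
        return "sensitive"  # planned action
    return "public" if account.compartment == "public_pro" else "benign"

def decide(account, level):
    """For a critical exposure only: mutate, remove or accept."""
    if level != "critical":
        return None
    if account.compartment == "operational":
        return "remove"   # close the account, re-register behind an alias
    if account.compartment == "public_pro":
        return "accept"   # public by construction: prepare the response instead
    return "mutate"       # civil / sensitive: change the identifier itself

def triage(accounts, leaked):
    """{service: (level, decision)} for the whole inventory."""
    cross = cross_compartment(accounts)
    result = {}
    for a in accounts:
        level = classify(a, leaked, cross)
        result[a.service] = (level, decide(a, level))
    return result

if __name__ == "__main__":
    for ident, comps in cross_compartment(INVENTORY).items():
        print("CONTAMINATION", ident, comps, "reaches", blast_radius(INVENTORY, ident))
    for service, row in triage(INVENTORY, LEAKED).items():
        print("TRIAGE", service, *row)
    for pair in overdue_rotations(INVENTORY, TODAY):
        print("ROTATE", *pair)
```

Running it on the sample shows the point of the section in one line: the civil email reused on a shopping site and a weather app has a blast radius of four services, two of them the bank and the tax office, so the two operational accounts come out critical / remove and the two civil ones critical / mutate, while the dataroom identity, never reused and never leaked, stays benign.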
What this means concretely
Reading angle
For you, as a person
You probably have between one and three main email addresses used everywhere for ten years. You probably reused passwords across services, with minor variations. You probably have an open LinkedIn account, a Facebook account you no longer use but that still exists, dozens of accounts on forgotten services.
Your three priorities, in this order:
- Check what has already leaked. Go to Have I Been Pwned, verify each of your historical email addresses. Note what appears. If a password still in use is in a dump: change it immediately, everywhere you reused it.
- Secure the main email and the password manager. These two accounts are the roots of everything else. Long unique password, hardware MFA (YubiKey or equivalent, two keys minimum so that losing one does not lock you out), no SMS recovery, no “security question” recovery.
- Launch usage compartmentation. Create a dedicated email account for third-party services (an alias from SimpleLogin, the email alias service acquired by Proton in 2022 that hides your real address, or from Apple Hide My Email is enough to start). Progressively migrate registrations to this alias. Keep the civil email for institutions, period.
The rest is continuous work over several months. Not a single day. Good discipline is not a sprint.
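The first priority above says to check Have I Been Pwned and change any password that appears in a dump. The check can be made without sending the password, or even its full hash, anywhere: HIBP’s Pwned Passwords API uses a k-anonymity range protocol in which only the first five hex characters of the SHA-1 hash leave your machine, the server returns every suffix in that range with its breach count, and the match is made locally. The code below is an added example written for this page, not code from the original article. The endpoint URL, the Add-Padding header and the user-agent requirement are the service’s documented interface; the range response embedded in the block is constructed (the suffix for "password" is its real SHA-1 suffix, the counts are illustrative, the real count for that password is in the millions), and fetch_range() is the only function that touches the network.

```python
"""Password exposure check via Have I Been Pwned's Pwned Passwords range API.
Added example, not the article's code. Shows the k-anonymity protocol: only the
first 5 hex chars of the SHA-1 hash leave the machine, the server returns every
hash suffix in that range with a count, and the match is made locally. The range
response below is constructed (the suffix for "password" is its real SHA-1
suffix, the counts are illustrative); only fetch_range() uses the network."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint


def sha1_prefix_suffix(password):
    """Upper-case SHA-1 hex digest split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. With Add-Padding the API
    mixes in fake suffixes with count 0; dropping them here means a padding line
    can never be misread as a hit."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, body):
    """How many times the password appears in the returned range, 0 if never.
    body must be the range response for this password's own prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup. Add-Padding makes the server pad the response so its size
    does not reveal which range (and so roughly which hash) was requested.
    HIBP rejects requests without a User-Agent."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "exposure-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password):
    """Network version: breach count without ever sending the password or its
    full hash."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed range response for prefix 5BAA6 (SHA-1("password") begins 5BAA6).
# First line: the real suffix of "password" with an illustrative count. Last
# line: an imitation padding entry. Real responses hold hundreds of lines and
# use CRLF line endings, reproduced here.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0" * 34 + "A:2",
    "F" * 35 + ":0",
])


if __name__ == "__main__":
    n = breach_count("password", SAMPLE_RANGE_5BAA6)
    print("seen %d times: rotate it everywhere it was reused" % n if n else "not in range")
    # Live check of a real password: print(check_password_live("your password here"))
```

Two details matter for anyone wiring this into a script. The padding entries (count 0) are there to defeat traffic analysis on response size, so a parser that does not drop them will report a hit for a password that was never breached. And a count above zero does not say where the password leaked, only that it is in circulation: the article’s rule applies as written, change it everywhere it was reused.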
For you, CISO / CIO / executive
You probably manage the security of an organization. Your investment trade-offs concern infrastructure controls (firewall, EDR, SIEM, SOC) and data and application controls (DLP, CASB, ZTNA). You probably have a growing cybersecurity budget, and a nagging feeling that things are not progressing proportionally.
The “assumed-leaked state” shift changes your strategic framing on four points:
1. Your perimeter has never been your perimeter.
Your employees have their personal email addresses in public dumps for five to ten years. Your executives have their full LinkedIn profile, their home addresses in registries, their professional trajectories mapped. Your clients have the same exposure. The perimeter you protect is an accounting fiction, not an operational reality.
Direct consequence: your threat model (the mapping of actors, motivations, capabilities and potential impacts against a target) must integrate the external exposure of your key people as input data, not as a collateral subject. An annual exposure audit on the executive committee and sensitive functions (legal, M&A, R&D, finance) is as structuring as an applicative pentest.
2. Social engineering pivots through public exposure.
Serious attacks in 2026 do not start with a zero-day exploit on your perimeter. They start with a credible email addressed to your general counsel, built from his LinkedIn history (relationships, interests, tone), validated by his function (publicly visible), and triggered by an opportune event (announced M&A, public litigation, travel abroad).
The ENISA Threat Landscape 2023 report confirms: the dominant attack chain combines upstream OSINT, targeted social engineering, and exploitation of obtained legitimate access. Your EDR sees none of this.
Direct consequence: your awareness program must be targeted by risk profile, not generalized. Exposed executives deserve a distinct briefing, specific communication channels, and an out-of-band validation protocol for unusual requests.
3. GDPR compliance gives you a false measure of protection.
Your GDPR obligations cover the data you process. They do not cover what has already leaked from your clients, your partners, your vendors. An organization perfectly GDPR-compliant can be totally exposed operationally.
Direct consequence: separate two distinct indicators on your dashboard. Compliance (GDPR, ISO 27001, NIS 2) — your legal coverage. Exposure (OSINT audit of executive committee, monitoring of leak DBs on corporate and personal emails of executives, registry surveillance) — your actual operational exposure. This second dashboard is often absent — or worse, subcontracted to a marketing solution that only reformats public data.
4. Your budget should partially shift toward resilience.
If you accept that compromise is not a possibility but a certainty within a few years, the prevention / detection / response / recovery ratio changes.
In practice, many organizations spend 60 to 70% on prevention, 20 to 30% on detection, and a residual balance on response and recovery. A distribution aligned with “assumed-leaked state” gets closer to 35 / 30 / 20 / 15 — with a significant ramp-up on response capability (on-call team, forensics partners, pre-drafted crisis communication plan) and recovery (tested backups, isolation, continuity plans).
This is a governance change, not just a budget change. It is discussed in the executive committee, not in the technical management committee.
For you, as an executive
Your CISO has told you the organization is protected. He is probably right about what he is protecting: your infrastructure, your applications, your workstations. That is his job, and he does it.
What he probably has not told you, because it is outside his scope: your historical personal email address, your mobile number, your full name with your title and photo are in databases that attackers query for the price of a lunch. And no firewall protects any of that.
Three questions to ask at your next security review:
- “Have we run an exposure audit on executive committee members?” Not an infrastructure audit. An audit of what is publicly findable about the people.
- “If my main email account were compromised tonight, how long before anyone noticed?” A precise answer exists in organizations that have planned ahead. Silence is also an answer.
- “Does our certification cover an attack built from public data about me?” Most certifications attest to processes, not to the actual exposure of executives.
The test: knowing whether the protection matches the real threat, or the threat that is easy to invoice.
Who this matters for
Everyone, but with different criticality thresholds.
For the general public: the majority of leaks have a diffuse impact, targeted spam, credible scams, sometimes SIM swap if the profile is exposed enough to be worth the effort. Minimum discipline (secured main email, FIDO2 on critical accounts, annual exposure audit) suffices in the vast majority of cases.
For exposed profiles: executives, journalists, lawyers, physicians to public figures, dissidents, people with visible wealth, people in conflictual family or professional litigation. Here, compartmentation becomes structural, exposure audits become quarterly, and sensitive travel gets dedicated advice. The personal investment in operational security must be proportional to exposure.
Critical cases: profiles involved in ongoing M&A, criminal litigation, conflictual divorce with significant financial stakes, active media exposure. The threshold shifts. This is the subject of the article Exposed executive.
Mistakes we see all the time
- “I have a VPN, so I’m protected.” Confusion between transit confidentiality (what a VPN protects) and identity confidentiality (which depends on compartmentation, and not at all on a VPN).
- “I have nothing to hide.” Confusion between hiding and controlling. You have every interest in controlling what comes out, which does not say it must be hidden.
- “I changed my passwords.” Without rotation of underlying identities — emails, numbers — you only changed the lock on a door that opens through ten other entrances.
- “I don’t use Facebook.” Without considering LinkedIn (the most exposing for business profiles), the previous employer (cached CV), the building manager (residential information), the commercial register (corporate mandates).
- “The company is protected.” Without considering that the natural person running the company is individually exposed, and that the attacker targets the person to reach the company.
Actionable checklist
- N1 Perform the personal exposure audit (HIBP + Google dorks on yourself) — see dedicated article
- N1 Secure the main email and the password manager: FIDO2 hardware, two keys minimum, no SMS recovery
- N2 List critical identifiers (email, phone, financial accounts, cloud accounts) and plan their rotation at 12 months
- N2 Map your identities by current usage (civil / public pro / sensitive pro / operational) — decide the target model
- N2 Identify the 3 most critical exposures and decide for each: mutate, remove, accept
- N3 Build a personal incident plan (1 page A4): who to call, what to block first, where the backups are
- N3 For exposed profile: quarterly exposure audit by a third party (fresh eyes)
- N3 For organization: integrate an 'external executive committee exposure' indicator in the quarterly cybersecurity dashboard
- N3 For organization: rebalance the cybersecurity budget with a clear share for resilience (forensics, response, crisis communication)
Further reading
The structuring sources on the subject (books, reports, journalism) appear in the frontmatter of this article. Three readings to prioritize if you want to dig deeper:
- Bruce Schneier, Data and Goliath (2015) — systemic analysis of commercial and state surveillance. Dated on some figures, timeless on the mechanisms.
- Carissa Véliz, Privacy Is Power (2020) — philosophical and political angle on privacy as a common good. Short, hard-hitting read.
- ENISA Threat Landscape, annual edition — the state of the threat landscape in Europe, updated each year by the European cybersecurity agency. Long read, useful to frame watch.
For actionable practices derived from this framing, see the other articles in the Reality of exposure axis: The exposure audit, Identity compartmentation, Data brokers, The right to be forgotten.
Sources and further reading
- Bruce Schneier — Data and Goliath (2015) [book]
- Carissa Véliz — Privacy Is Power (2020) [book]
- Have I Been Pwned — statistics [official]
- ENISA Threat Landscape 2023 [report]
- FTC Data Brokers Report (2014) [report]
- Krebs on Security — Collection #1 (2019) [official]
- CNIL — Annual report [official]