I was thinking about the guy who just lost his @H Twitter handle. The comment in reply to his post talked about the attacker getting into his Amazon account, going through his old orders, and finding an old address that was his parent's house. Once he had that, he started hitting public records repositories and building a history of the replier to build up a social engineering attack.
I decided it would be good to delete the two or three extra addresses that I had in Amazon, so I logged on and deleted them. And decided to check my order history. And there, in 1999, my oldest logged order with Amazon (though I don't know that it was my first), was the address of my old condo in Phoenix. My order history also includes my parent's address, and that of a few friends. It's all there.
I'm not sure what I'm going to do about this. I'm not a prime target for people wanting to steal this sort of information for social engineering attacks against me; I'm just not that important. All of the domains that I own are run through a privacy protection service, so you can't get my name and address information from my web sites, though that information is stored on some of my sites for business purposes. I'm thinking maybe set up a domain with a name that is not used anywhere, have no web site for it, and just use a mail service to toughen up the logins for various commercial web sites that I use, so if one is compromised they might have a harder time compromising other accounts.
But is it worth going to that extreme?