Find Out What's Already Out There: Auditing Your Digital Footprint
Before you fix anything, you need to know exactly what already exists about you online. Here's how to find out in under an hour.
A few years ago, a security researcher found an open database sitting on the internet with over a million people's names, addresses, and phone numbers in it. No hacking was involved. A data broker had simply gathered all that information from public records and other sources, stored it carelessly, and forgotten to lock the door.
That's the real privacy problem most people face. It's not a hacker trying to break into your laptop. It's a quiet industry that collects your information piece by piece — your email, your phone number, your shopping habits, your location — and turns it into a profile that gets bought, sold, and occasionally leaked.
You can't make that profile disappear completely. But before you can shrink it, you need to know exactly what's in it, where it lives, and how serious each piece is. That's what this first part covers — a full, structured audit, broken into clear technical steps, that you can realistically finish in an afternoon.
Why the audit comes first
Most people start by installing a VPN, deleting an old Facebook account, or buying a "privacy" subscription they saw advertised. That's backwards, and it usually wastes both time and money. Without a clear picture of what's actually exposed, you'll end up polishing the parts that don't matter while the real risk — an old forum profile listing your home city and birth year, say — sits there completely untouched.
Think of this audit as triage. By the end of it, you'll have a structured list ranking your exposure from "barely matters" to "deal with this immediately," and that list becomes the backbone of every later part in this series.
Set aside roughly two to three hours, ideally in one sitting, and have a notes app or spreadsheet open as you go.
Step 1: Run a structured search on yourself
Don't just type your name into a search engine and skim the first page. Run a deliberate set of searches, each designed to surface a different category of exposure. For each one, open a private/incognito browser window first, so your existing search history and saved logins don't skew the results toward what the search engine already thinks you want to see.
Run these searches, one at a time, recording every result that includes your real information:
"Full Name"— your name in quotation marks, exactly as it appears on official documents"Full Name" + city— narrows results to ones that are actually about you, not someone with the same name"Phone number"— in international format and local format both, in quotation marks"Home address"— street name and number together, in quotation marks"Old usernames"— every handle you can remember using, even briefly, on forums, games, or old social platforms"Email address"— search the part before the @ symbol together with your name
For each result, record three things in your notes: the website it appeared on, exactly what information it shows, and how sensitive that information feels to you (low, medium, high). A directory listing your name and city is medium. A forum post with your home address and a photo of your front door is high.
Step 2: Check your exposure in known data breaches
Go to a free, reputable breach-checking service such as Have I Been Pwned and enter every email address you've used regularly over the years — not just your current one. For each address, the service will show you which past data breaches included it, and often what kind of information was exposed in each one (passwords, security questions, physical addresses, etc.).
This step does two things at once:
It tells you which of your accounts have already been compromised, which directly feeds into Part 5 of this series, where we cover securing the accounts you keep.
It often reveals services you'd completely forgotten you ever signed up for — which feeds directly into Step 3 below.
Write down each breached email, the service that leaked it, the date, and what type of data was exposed. This becomes a priority list: anywhere your password was exposed in plain text needs to be changed immediately, regardless of anything else in this series.
Step 3: Reconstruct your full account history
This is the slowest step, and also the one that pays off the most later. The goal is a complete list of every account you've ever created — including the ones you haven't thought about in a decade.
A few practical techniques to jog your memory:
Search your email inbox for words like "welcome," "verify your email," "confirm your account," and "password reset." These searches surface sign-up confirmations going back years, even from services you've completely forgotten.
Check your password manager or browser's saved passwords, if you have either — both tend to quietly accumulate a record of every site you've ever logged into.
Look through old phones, laptops, or backups for installed apps you no longer use; many of them required an account.
Think chronologically, decade by decade or job by job: what forums did you use in school? What did you sign up for during your first job? What apps did you install when you got your first smartphone?
For each account you identify, record: the service name, roughly when you created it, whether you still use it, and whether you remember what information you gave it (real name, real phone number, home address, etc.).
Step 4: Check what major platforms know about you directly
Several large platforms now offer tools that show — and sometimes let you remove — information they hold or surface about you. Search for terms like "[platform name] privacy checkup" or "[platform name] download your data" for the major services you use regularly (your email provider, your social media accounts, your phone's operating system account). These tools often reveal saved location histories, ad-interest profiles, and linked devices that most users never realize exist.
You don't need to act on any of this yet — just note what you find. Several of these tools will become directly useful again in Part 5, when we go through tightening account security and permissions.
Step 5: Organize everything into a single, ranked list
By now you should have a substantial pile of notes. Turn it into one simple table with four columns:
| What you found | Where it is | How sensitive it is | What it likely connects to |
|---|---|---|---|
| Example: home address listed publicly | Example: a "people search" directory site | High | Example: matches the same address used on an old forum profile |
The fourth column matters more than it looks. Privacy risk rarely comes from a single exposed detail — it comes from being able to connect several details together into a complete picture. An address on its own is just an address. An address that can be linked to your real name, your daily schedule, and a photo of your house is a very different kind of exposure.
Sort the table so the highest-sensitivity, most-connectable items are at the top. That sorted list is now your action plan for the rest of this series.
What you should have by the end of this part
A single, organized document containing: every public mention of your personal details that you could find, every account you could remember creating, every breach your email addresses appeared in, and a ranked sense of which of these matters most. That's a genuinely useful map — and it's also more than most people ever do, which is exactly why most people stay far more exposed than they realize.
Coming up in Part 2
Once you know what's exposed, the next step is dealing with the companies that collect and resell that information without you ever signing up for it — data brokers. In Part 2 (Coming Soon), we'll go through the technical process of finding these sites, submitting removal requests correctly, and tracking your progress so the work actually sticks.