Your digital trail has never been more valuable, or more abused. From Instagram posts that telegraph your itinerary, to flimsy logins that crumble under a guessing attack, to the digital ID systems that governments are now rolling out, everyday online activity is forming a wealth of searchable data about you, and attackers will keep exploiting it. The latest breach investigations, analyses of passwords leaked in data breaches, and transparency reports all point the same way: the easiest way in is information you give away and credentials you reuse.
Oversharing Is Open-Source Intelligence
Attackers don’t begin with code; they start with context. Public posts can reveal where you work, how your team is structured, where you’re headed on your next business trip, what pets you own, which sports team you follow, and which tools your company uses. That is enough to write a convincing phishing email, answer a password-reset security question, or time an attack for when you’re on vacation. The Verizon Data Breach Investigations Report has consistently found the human element (phishing, misuse, and error) involved in the majority of breaches, and oversharing feeds all three.

Real-world examples abound. Soldiers using a fitness-tracking app inadvertently revealed the locations of bases through the app’s public activity heat map. Travelers who posted photos of their boarding passes, barcode included, have had their frequent flyer accounts taken over: the barcode encodes the passenger name, booking reference, and loyalty number in a documented format that any barcode app can read. Recruiter posts and conference badges routinely expose job titles, vendors, and company email formats that adversaries weaponize in spear-phishing. Add the “mosaic effect”, in which innocent crumbs combine into a precise profile, and “just a selfie” can grow into an entire dossier.
What to do: strip location metadata from photos before posting, delay posting travel plans until you are back, lock down contact lists, and treat security questions as a second set of passwords: answer them with random strings stored in your password manager rather than true facts an attacker can look up. If you’re a manager or public figure, assume adversaries are mining your posts in order to impersonate you to your team.
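The boarding-pass case above, as an added example that is not part of the article: the barcode on a boarding pass is an IATA BCBP string, so whoever can read it from a photo gets every field below. The parser follows the BCBP field layout (a 60-character mandatory section, then an optional conditional section introduced by “>”) as I know it; the sample string, airline numeric code, booking reference and frequent-flyer number are all constructed, and the conditional-section offsets should be checked against the current IATA Resolution 792 before you rely on them.

```python
"""Decode an IATA BCBP boarding-pass barcode string and list what it gives away.

Added example, not part of the article. Field widths follow the BCBP layout
(mandatory items, then an optional '>'-prefixed conditional section); the
sample below is constructed. Verify offsets against IATA Resolution 792.
"""

# (field name, width) for the per-leg mandatory block, 35 characters in total
_MANDATORY_LEG = [
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("status", 1),
]
# conditional section, unique part (once per pass); its size byte may truncate it
_COND_UNIQUE = [
    ("passenger_description", 1), ("checkin_source", 1), ("issuance_source", 1),
    ("issue_date", 4), ("document_type", 1), ("issuer", 3),
    ("bag_tag", 13), ("bag_tag_2", 13), ("bag_tag_3", 13),
]
# conditional section, repeated part (once per leg); this is where the loyalty number lives
_COND_REPEATED = [
    ("airline_numeric", 3), ("document_serial", 10), ("selectee", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16), ("id_ad", 1), ("bag_allowance", 3), ("fast_track", 1),
]


class _Cursor:
    def __init__(self, text):
        self.text, self.pos = text, 0

    def take(self, n):
        if self.pos + n > len(self.text):
            raise ValueError(f"truncated barcode at offset {self.pos}")
        chunk = self.text[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def fields(self, layout, size):
        """Read fixed-width fields until `size` characters are consumed; blanks become None."""
        end = self.pos + size
        out = {}
        for name, width in layout:
            if self.pos >= end:
                break
            out[name] = self.take(min(width, end - self.pos)).strip() or None
        self.pos = end  # skip anything the layout does not cover
        return out


def parse_bcbp(code):
    """Parse the first leg of a BCBP string (later legs repeat the same 35+2 char block)."""
    c = _Cursor(code)
    if c.take(1) != "M":
        raise ValueError("not an 'M' format BCBP string")
    legs = int(c.take(1))
    surname, _, given = c.take(20).strip().partition("/")
    if c.take(1) != "E":
        raise ValueError("expected electronic-ticket indicator 'E'")
    result = {"legs": legs, "surname": surname, "given_names": given or None}
    result.update(c.fields(_MANDATORY_LEG, 35))
    cond_size = int(c.take(2), 16)          # size of the conditional section, hex
    if cond_size:
        end = c.pos + cond_size
        if c.take(1) != ">":
            raise ValueError("conditional section lacks '>' marker")
        result["bcbp_version"] = c.take(1)
        result.update(c.fields(_COND_UNIQUE, int(c.take(2), 16)))
        if c.pos < end:
            result.update(c.fields(_COND_REPEATED, int(c.take(2), 16)))
        c.pos = end                          # remainder is airline-specific use; ignored
    return result


def leak_report(p):
    """What an attacker learns from the decoded pass, in rough order of damage."""
    findings = []
    if p.get("surname") and p.get("pnr"):
        findings.append(f"surname {p['surname']} + PNR {p['pnr']}: the pair many airline "
                        "sites accept to open 'manage my booking'")
    if p.get("ff_number"):
        findings.append(f"loyalty account {p.get('ff_airline') or '?'} {p['ff_number']}: "
                        "a takeover target and a convincing detail for a phishing lure")
    if p.get("from_airport") and p.get("julian_date"):
        findings.append(f"route {p['from_airport']}->{p['to_airport']} on day "
                        f"{int(p['julian_date'])} of the year: when you are not at home")
    return findings


# Constructed sample: one leg JFK->LHR, conditional section present (54 chars = 0x36).
SAMPLE_BCBP = (
    "M1" + "DOE/JANE".ljust(20) + "E"      # format, legs, name (20), e-ticket flag
    + "ABC123 " + "JFK" + "LHR" + "BA "    # PNR (7), from, to, operating carrier
    + "0112 " + "045" + "Y"                # flight (5), Julian date, compartment
    + "023A" + "0017 " + "1" + "36"        # seat, sequence (5), status, cond. size hex
    + ">6" + "0B" + "1WW5040BBA "          # marker+version, unique size 11, unique fields
    + "25" + "125" + "1234567890" + "00"   # repeated size 37, airline num., serial, flags
    + "BA " + "BA " + "12345678".ljust(16)  # marketing carrier, FF airline, FF number
)

if __name__ == "__main__":
    for line in leak_report(parse_bcbp(SAMPLE_BCBP)):
        print("-", line)
```

Only the first leg is decoded; multi-leg passes repeat the 35-character block plus a size byte and their own repeated conditional block for each further leg. The point for a traveler is that nothing here is encrypted: cropping the barcode out of the photo is the only defense.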
Weak Logins Are Still the Easiest Door In
Credential theft is still the bread and butter of cybercrime. Annual analyses by NordPass and other password-manager vendors keep turning up the same top offenders, “123456,” “password,” and birth years, appearing millions of times in breach dumps. Worse, a NordPass review of popular sites found that many still allow very short passwords or forbid special characters, undermining basic hygiene. Set the bar that low and attackers barely need to jump.
The way forward is straightforward: passkeys, and phishing-resistant multifactor authentication. Backed by the FIDO Alliance and supported by the major platforms, passkeys replace the password with a public-key pair: the private key stays on your device, unlocked by a biometric or PIN, and the credential is bound to the site that registered it, so there is nothing to phish and nothing to reuse. Where passkeys aren’t available, use a password manager to generate a unique password for every site and turn on app- or hardware-key-based 2FA. After automatically enrolling millions of users in two-step verification, Google reported a 50% drop in compromised accounts among that group: evidence that secure defaults and nudges work.

Organizations must meet users halfway. Enforce sane credential policies, block known-breached passwords, offer passkeys to both the workforce and customers, and show users an honest password-strength indicator. According to IBM’s Cost of a Data Breach study, breaches that begin with stolen credentials are among the slowest to identify and contain and among the most expensive to remediate; controls that prevent reuse more than pay for themselves.
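A server-side acceptance check that does what the two paragraphs above ask for (blocks the top offenders, rejects known-breached passwords, and gives the user a transparent reason) is shown below as an added example; it is not code from the article or from any vendor it names. The breached-password lookup uses the k-anonymity “range” scheme that Have I Been Pwned’s Pwned Passwords API popularized: only the first five hex characters of the SHA-1 leave the server. The blocklist, the range response and the hit count are constructed so the example runs offline; `MIN_LENGTH` and `fetch_range()` are my assumptions.

```python
"""Server-side password acceptance: policy checks plus a breached-password lookup.

Added example, not from the article. The blocklist and the 'range' response are
constructed so it runs offline; in production fetch_range() would GET
https://api.pwnedpasswords.com/range/<prefix> (k-anonymity: only the first five
hex characters of the SHA-1 leave the server) and the blocklist would be large.
"""
import hashlib
import re

MIN_LENGTH = 12  # assumed policy; NIST SP 800-63B sets the floor at 8 and forbids a cap below 64

# constructed: a handful of the perennial top offenders
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "iloveyou", "admin"}


def _sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _suffix(seed):
    """Helper producing correctly sized (35 hex char) decoy suffixes for the fake API."""
    return _sha1(seed)[5:]


# Constructed stand-in for the range response for prefix 5BAA6. The middle line is
# the real SHA-1 suffix of "password" (5BAA61E4...); the counts are made up.
FAKE_RANGE_API = {
    "5BAA6": "\r\n".join([
        _suffix("decoy-one") + ":3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        _suffix("decoy-two") + ":12",
    ]),
}


def fetch_range(prefix):
    """Stand-in for the HTTP call; returns 'SUFFIX:COUNT' lines for a 5-char prefix."""
    return FAKE_RANGE_API.get(prefix, "")


def breach_count(password):
    """How many times the password appears in the breach corpus (0 if unseen)."""
    digest = _sha1(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:          # comparison happens locally, never on the wire
            return int(count)
    return 0


def check_password(password, username=""):
    """Return {'ok': bool, 'problems': [...]}; the list is what the user should be shown."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"[A-Za-z]{0,8}(19|20)\d\d[!.]?", password):
        problems.append("word-plus-year pattern, one of the first things a cracker tries")
    hits = breach_count(password)
    if hits:
        problems.append(f"appears {hits:,} times in known breaches")
    # Deliberately absent: any ban on special or non-ASCII characters and any short
    # maximum length. Both shrink the keyspace, and both are the weak rules the site
    # review in the article complained about.
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    for candidate in ("password", "Smith1987", "Tröpfchen-Regen über Wiesen!"):
        print(candidate, "->", check_password(candidate, username="jane"))
```

Note what the check does not do: it never sends the password or its full hash anywhere, and it never tells the user to add a symbol. Length, uniqueness and absence from breach corpora are what actually raise the attacker’s cost.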
Digital IDs: Convenience or Surveillance?
Mobile driver’s licenses and national digital wallets are rolling out from US states to the EU’s eID program. The pitch is seductive: one tap to prove your age or identity, fewer plastic cards to carry, less hassle. But privacy groups such as the EFF and ACLU caution that without strong guardrails, digital IDs can become mobile tracking beacons. If the ID app (or the issuer behind it) logs every verification event, or if verifiers demand more attributes than they need, routine checks turn into routine surveillance.
Data brokerage makes this worse. Independent reports and government investigations cited by the US Government Accountability Office have found agencies purchasing commercially available app and location data, sidestepping the warrant that direct collection would require. Add digital ID verification metadata to that, and the mosaic becomes a panorama. Standards bodies such as NIST and ISO have published principles for selective disclosure and minimal retention; unless those are written into law, convenience will drift toward collection.
Insist on selective disclosure: verifiable credentials that let you prove a claim (that you are over 18) without handing over the underlying data (your full birthdate), plus transparency reports showing who asked for your data, what was stored, and for how long. Regulators should mandate privacy-by-design audits, local storage by default, and hard limits on law enforcement access.
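To make the selective-disclosure idea concrete, here is an added example (not from the article or from any wallet vendor) of how an issuer, a holder’s wallet and a verifier can split a credential so that the verifier learns only the claim it asked for. The construction follows the IETF SD-JWT design: the issuer signs a list of salted hashes, one per claim, and the holder reveals only the salt-plus-claim pairs it chooses. Assumptions: an HMAC with a key the verifier trusts stands in for the issuer’s real asymmetric signature, `dmv.example` is a made-up issuer, and the sample claims are constructed.

```python
"""Selective disclosure for a mobile ID, in the style of the IETF SD-JWT design.

Added example, not from the article. The issuer signs only salted digests of
the claims; the holder reveals the disclosures it chooses; the verifier checks
each revealed disclosure against the signed digest list. An HMAC stands in for
the issuer's asymmetric signature (assumption), and all data is constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed; stands in for the issuer signing key


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _digest(disclosure):
    return _b64(hashlib.sha256(disclosure.encode()).digest())


def issue(claims, key=ISSUER_KEY):
    """Issuer: one salted disclosure per claim; the signed credential carries only digests.

    The per-claim salt is what stops a verifier from guessing a withheld value
    (e.g. every possible birth_date) and matching it against the digest list.
    """
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = _b64(secrets.token_bytes(16))
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    payload = json.dumps({"iss": "dmv.example", "_sd": sorted(digests)}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder (the wallet app): attach only the disclosures the verifier needs."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


def verify(presentation, required, key=ISSUER_KEY):
    """Verifier: check the issuer signature, then that every revealed disclosure is bound to it.

    Returns the revealed claims, or None if anything fails or a required claim is missing.
    """
    cred = presentation["credential"]
    expected = hmac.new(key, cred["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    bound = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in bound:
            return None  # forged or altered disclosure
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    if not required.issubset(revealed):
        return None
    return revealed


def verifier_record(revealed, purpose):
    """Minimal retention: keep the decision and its purpose, never the attribute values."""
    return {"purpose": purpose, "passed": bool(revealed) and revealed.get("over_18") is True}


# constructed sample credential
SAMPLE_CLAIMS = {
    "given_name": "Jane", "family_name": "Doe", "birth_date": "1990-02-14",
    "address": "1 Example St", "over_18": True,
}

if __name__ == "__main__":
    cred, disc = issue(SAMPLE_CLAIMS)
    seen = verify(present(cred, disc, ["over_18"]), {"over_18"})
    print("verifier sees:", seen)
    print("verifier stores:", verifier_record(seen, "age-restricted purchase"))
```

The verifier in this flow never receives the birthdate, and the record it keeps says only that an age check passed. Whether the wallet itself logs each presentation, which is the surveillance risk the section describes, is a separate design decision the code cannot enforce.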
How do I reduce my attack surface today?
- Trim breadcrumbs: prune old public posts, remove geotags, and rethink how much job detail goes in your bios. Treat anything public as scrapable, correlatable, and for sale.
- Upgrade authentication: use passkeys where available; otherwise a password manager plus hardware- or app-based 2FA. Retire SMS codes wherever you can.
- Harden your highest-value accounts first: email (which resets everything else), cloud storage, bank, and cell provider. These are the prime targets for account takeover and SIM swaps.
- Protect your identity: freeze your credit, turn on account alerts, and monitor breach-notification services for your exposed data. If your state offers a mobile ID, prefer versions that support selective disclosure and keep logs on the device.
- Stay suspicious: confirm payment requests, account changes, and anything “urgent” through a different channel. Tech CEOs, ransomware negotiators, and government workers alike have fallen for targeted lures; anyone can.
The internet remembers. Hackers, scam artists, and governments try to take advantage of that. The good news is that a few habits — sharing less, shoring up logins, and pushing for privacy-first digital IDs — can meaningfully tip the odds in your favor.