The Accounts You Need To Secure Before Everything Else

account security, password manager, SIM swap, two-factor authentication, email security, credential stuffing, online safety

A friend of mine lost access to her entire digital life in about forty minutes. She wasn't hacked by a sophisticated criminal. Someone just called her phone carrier, pretended to be her, and got her number transferred to a new SIM. From there, they reset her email. From her email, they got into her bank. It was over before she even noticed her phone had gone silent.

What she didn't realize — and what most people don't — is that a few specific accounts sit at the top of a hierarchy. Compromise one of them, and everything else falls like dominoes. Protect them well, and the rest of your digital life becomes dramatically harder to reach.


Your Email Account Is the Master Key

Every "forgot my password?" link goes to your inbox. This makes your primary email account the single most dangerous thing an attacker can own. It's not just a communication tool — it's a recovery mechanism for almost everything else you use.

The fix here is non-negotiable: turn on two-factor authentication (2FA), but use an authenticator app, not SMS. Text-message codes can be intercepted or redirected through the kind of SIM swap attack that hit my friend. Apps like Google Authenticator or Authy generate codes locally on your device, which is a meaningfully different security model.

Use a strong, unique password — one you've never used anywhere else. If you've had the same email password for five years, change it today.


Your Phone Number Is More Powerful Than You Think

Here's the counterintuitive part most articles skip entirely: your phone number is probably your weakest security link, even though it feels like a security tool.

When companies send you a verification code via text, they're treating your phone number as proof of identity. But phone numbers can be hijacked — through SIM swaps, through SS7 protocol exploits, through social engineering at a carrier store. According to the FTC, SIM swap scams have caused substantial financial losses, and carriers have been slow to implement effective safeguards.

The actionable step: call your carrier and ask if they offer a "port freeze" or a "SIM lock" that requires a PIN before any changes can be made to your account. Most carriers offer this. Almost nobody uses it.


Your Password Manager

If you don't use a password manager, you're almost certainly reusing passwords. And password reuse is how most account takeovers actually happen in practice — not through Hollywood-style hacking, but through credential stuffing: attackers take a leaked password from one breach and try it everywhere else.

According to Have I Been Pwned, billions of credentials from past breaches are freely available to anyone who wants them. Your old LinkedIn password from 2012 is probably in a database somewhere.

A password manager like Bitwarden (free) or 1Password lets you use a unique, random password for every account without memorizing any of them. Protect the manager itself with a strong master password and an authenticator app — not SMS.


Your Apple ID or Google Account

These accounts control your phone backups, your photos, your app purchases, and often your physical device itself. If someone gets into your Apple ID, they can locate your devices, wipe them, or lock you out entirely. Google account access means access to Gmail, Drive, Photos, and potentially your Android phone.

Enable 2FA on both. For Apple, also set up a Recovery Key — it's an option in your account settings that disables the standard account recovery process, which has been abused by attackers in the past.


Your Financial Accounts — But Not the Ones You're Thinking Of

Most people worry about their bank. Banks are actually relatively well-defended, and they have fraud protection and chargebacks. The accounts that actually matter more are the ones that feed into your financial life: your primary email (already covered), your phone number (covered), and — critically — your brokerage or investment accounts.

Brokerage accounts often have weaker consumer protections than banks. Wire transfers from investment accounts can be harder to reverse. Prioritize these alongside your bank, not after.


The Honest Limitation

Here's where I have to be straight with you: even if you do all of this perfectly, you're still not immune. Some attacks target the institutions themselves rather than you individually. Data breaches happen at companies with no fault on your part. And the social engineering problem — a convincing phone call, a fake email — exploits human psychology in ways that technical controls don't fully solve.

What good security hygiene actually does is raise the cost of attacking you high enough that most opportunistic attackers move on to easier targets. It doesn't make you invincible. The goal is to not be the easiest person in the room to rob.


Sources:

  • FTC — SIM Swap Scams
  • Have I Been Pwned

What A SIM Swap Attack Is And Why It Can Destroy Your Life

SIM swap, identity theft, phone security, two-factor authentication, account takeover, cybersecurity, social engineering

Your phone goes silent. No bars, no signal — just that hollow "No Service" message sitting in the corner of your screen. You assume it's a network glitch and keep scrolling. Twenty minutes later, your email password stops working. Then your bank app locks you out. By the time you understand what's happening, someone else has already drained your account.

That's not a horror story. That's Tuesday for SIM swap victims.


Someone Talked Your Phone Company Into Handing Over Your Number

Here's the mechanics, without the textbook language: your phone number is attached to a small chip called a SIM card. That number is also the key to almost every "forgot my password" flow you've ever used. Attackers know this.

So they call your carrier — T-Mobile, AT&T, Verizon, whoever — and pretend to be you. They've already scraped your name, birthday, maybe your address from a data breach or your public social media. They tell a customer service rep that they "got a new phone" and need the number transferred. If the rep believes them, your number moves to their device in minutes.

You lose service. They get your calls and texts. Every two-factor authentication code you've ever trusted now lands in their hands.


The Real Damage Isn't Just Your Bank Account

Most people imagine the worst case is a wire transfer. It's worse than that.

Your email resets via your phone number. Your email is the master key to everything else — every subscription, every social account, every cloud backup. Once an attacker chains your phone → your email → your password manager, they can spend days methodically stripping your digital life before you even file a police report.

According to PIRG Education Fund, SIM swap victims lost more than $26,400 on average in 2024 — and that figure doesn't include lost wages, business costs, or the time spent trying to resolve the damage. (Source: PIRG)

The recovery process is brutal. You'll spend weeks on hold with carriers, banks, and credit bureaus. Some people never fully recover their accounts. Credit damage can follow you for years.


The Counterintuitive Part Most Articles Miss

Here's the thing almost no one tells you: enabling two-factor authentication via SMS — the thing every security guide has told you to do for years — is exactly what makes this attack so devastating.

You turned on SMS-based 2FA to protect yourself. The attacker turned it into a master key.

The more accounts you secured with your phone number, the more power you handed to anyone who can steal that number. The security feature became the attack surface. This isn't an argument against 2FA — it's an argument for the right kind of 2FA, which we'll get to.


How Attackers Get Your Information First

A SIM swap doesn't start with a phone call. It starts weeks or months earlier.

Attackers gather your personal details from data breaches (your information has almost certainly been in one), LinkedIn, Instagram, and public records. They're looking for answers to carrier security questions: your birthdate, mother's maiden name, last four of your SSN, billing zip code.

A 2020 Princeton University study found that five major carriers — AT&T, T-Mobile, TracFone, US Mobile, and Verizon — used insecure authentication challenges to verify customers, and that in every successful SIM swap attempt, the attacker passed at most one authentication scheme. Meaning: a partial picture of your life was enough. (Source: PIRG)


What You Should Actually Do

Vague advice like "be careful online" helps no one. Here's what moves the needle:

Call your carrier today and set a port freeze or account lock. Most major carriers now offer this — it blocks any SIM transfer or number port until you explicitly unlock it. This is your single highest-leverage action. Ask specifically for a "SIM lock" or "number lock," not just a PIN.

Set a strong, unique carrier PIN. Then use a password manager to remember it, because you'll forget it. The PIN only helps if your carrier actually requires it for SIM change requests — ask them directly whether it's enforced at the account-change level, not just for billing calls.

Move your 2FA off SMS. Use an authenticator app like Authy or Google Authenticator for your email, bank, and any crypto accounts. Better yet, get a physical security key (like a YubiKey) for your most critical accounts. These are immune to SIM swaps because they're not tied to your phone number at all.

Search your email for "verification code" and "confirm your number." Every account you find that uses SMS-based verification is a liability. Spend an afternoon switching them to app-based 2FA. It's tedious. Do it anyway.


The Regulatory Response (And Why It's Not Enough)

In November 2023, the FCC adopted new rules requiring wireless providers to use secure authentication methods before completing any SIM swap or port-out request, and to immediately notify customers when such changes are made to their accounts. This was a real improvement. Carriers can no longer verify you using just your mother's maiden name or billing ZIP code. (Source: Federal Communications Commission)

But the rules don't eliminate the human element. Customer service reps can still be socially engineered. Insider threats — carrier employees bribed by criminal networks — remain a documented problem. Regulation sets a floor; it doesn't seal the ceiling.


One Honest Caveat

Even if you do everything right — port freeze, authenticator app, strong PIN, account lock — you're not immune. A determined attacker with an insider contact at your carrier, or one who has compromised your email through an entirely separate attack, can still work around most of these defenses.

The goal isn't perfect security. It's making yourself a harder target than the next person. Most SIM swap attacks are opportunistic, not targeted. The defenses above will stop most of them. For the targeted kind — the attacks on crypto holders, executives, or people with public profiles — the threat model is more serious and the countermeasures need to match.

That's not a comfortable ending, but it's the accurate one.


Sources:

  • FBI Internet Crime Complaint Center (IC3)
  • PIRG Education Fund – SIM Swap Scams Can Be Devastating
  • FCC Report and Order FCC 23-95

How To Know If A Website Is Stealing Your Information

cybersecurity, phishing, online privacy, data theft, website safety, identity theft, digital scams

Is That Website Stealing From You Right Now?

My neighbor once spent forty minutes on what she thought was her bank's login page. The URL looked right. The logo looked right. The login form looked right. What wasn't right: she'd clicked a link from an email, and the site was a clone built to harvest her credentials. She only found out when her real bank called about unusual login attempts from another country.

That story isn't rare. And the uncomfortable truth is that most of the advice you've heard — "just look for the padlock" — is dangerously outdated.


The Padlock Lie

Here's the counterintuitive part almost no one tells you: the padlock means nothing about whether a site is trustworthy. It only means the connection between your browser and the site is encrypted. A scam site can have a padlock. A phishing site designed to steal your login can have a padlock. According to the FBI's Internet Crime Complaint Center, nearly half of all phishing sites use HTTPS — meaning they have the padlock — specifically because people have been trained to trust it.

The padlock tells you nobody is eavesdropping on your data in transit. It says nothing about who's waiting for it at the other end.


What Actually Signals a Dangerous Site

Start with the URL — not the logo, not the design. Your eyes are easy to fool; the address bar is harder to fake if you know what to look for.

Look at the domain itself, not just what comes before the slash. A site at paypa1.com or amazon-secure-login.net is not PayPal or Amazon. Scammers buy domains that look similar, swap letters for numbers, or add words like "secure" or "official" to seem legitimate.

Then ask yourself: how did you get here? If you arrived by clicking a link in an email, a text message, or a social media ad, be suspicious regardless of how normal the site looks. Directly typing a URL into your browser is meaningfully safer than following links. This habit alone cuts your exposure dramatically.
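The URL checks above can be written down as a small heuristic. The following is an added example, not code from the article: it pulls the registrable domain out of a URL, compares it against a constructed allowlist of brand domains, and flags the two tricks the text describes (digits swapped for letters, and trust words like "secure" or "login" padded into the name) plus a third common one, a real brand name sitting in a subdomain of some other domain. The brand list, the digit table and the tiny suffix list are assumptions standing in for a real allowlist and the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> the registrable domain it legitimately uses.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "google": "google.com"}
# Words scammers pad into look-alike names to borrow trust.
PADDING_WORDS = {"secure", "login", "signin", "official", "verify", "account", "update"}
# Digits commonly swapped for the letters they resemble (toy table, not exhaustive).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
# Tiny stand-in for the Public Suffix List so co.uk-style suffixes are handled.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of the hostname someone actually registered: the last two labels,
    or three when the suffix itself has two labels (example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> tuple:
    """Return ('known' | 'suspicious' | 'unknown', list of reasons)."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host or "." not in host:
        return "suspicious", ["no usable hostname"]
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS.values():
        return "known", []                       # exact registrable domain of a known brand
    reasons = []
    base = reg.split(".")[0]                     # e.g. 'paypa1' from 'paypa1.com'
    for brand, official in KNOWN_BRANDS.items():
        if brand in host:
            reasons.append(f"'{brand}' appears in a domain that is not {official} "
                           f"(registrable domain is {reg})")
        elif base.translate(DIGIT_TO_LETTER) == brand:
            reasons.append(f"digit-for-letter spelling '{base}' mimics {official}")
    for word in base.split("-"):
        if word in PADDING_WORDS:
            reasons.append(f"trust word '{word}' padded into the domain name")
    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "https://paypa1.com/login",
                   "https://amazon-secure-login.net", "https://paypal.com.account-verify.example/",
                   "https://news.ycombinator.com"):
        verdict, why = assess_url(sample)
        print(f"{verdict:10s} {sample}")
        for reason in why:
            print("           -", reason)
```

"Unknown" is the honest result for most of the web: the heuristic can only prove a site is not one of the brands it knows about, which is exactly the limit the article describes for the padlock and for Safe Browsing.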


Three Checks Anyone Can Do in 30 Seconds

1. Paste the URL into Google's Safe Browsing checker. Go to https://transparencyreport.google.com/safe-browsing/search and enter the URL. Google flags sites known for malware and phishing. It's not perfect, but it catches the obvious offenders.

2. Check who owns the domain. Go to https://lookup.icann.org and search the domain. If a site claiming to be a well-known company was registered two weeks ago, that's a serious red flag. Legitimate businesses have domain history.

3. Look at what the site is asking for. A site that requests your Social Security number, full date of birth, and credit card number to "verify your identity" for something routine is overreaching. Data thieves don't just steal — they collect. The more a site asks for, the more it can sell or exploit.


The Slow Leak You Don't Notice

Not all data theft is dramatic. Some sites don't steal your passwords — they quietly sell your behavior. They embed trackers that follow you across the web, log what you search, what you buy, what you read, and package that into a profile sold to data brokers.

According to Mozilla's Privacy Not Included guide, many apps and websites with friendly interfaces have privacy policies that explicitly allow them to share your data with "partners" — a word that means virtually anyone willing to pay.

You don't have to be hacked to have your information stolen. You just have to click "agree" without reading.

To slow this down: use a browser extension like uBlock Origin (free, widely trusted) which blocks many trackers by default. It won't stop everything, but it removes the easiest collection mechanisms.


When Something Feels Off, Trust That

Legitimate sites don't pressure you. They don't pop up countdowns saying your account will be deleted in ten minutes. They don't send urgent emails that can only be resolved by clicking a link. They don't offer prizes that require your banking details to claim.

Urgency is a manipulation tool. The moment a site makes you feel you must act right now, slow down instead.

If you've already entered information on a site you're now suspicious of, change your password immediately on that site and anywhere you use the same one. If you entered payment information, call your bank directly — not via a number on the suspicious site — and report it.


One Honest Caveat

All of this helps, but it doesn't make you immune. Professional phishing operations now use AI to generate convincing fake sites at scale, sometimes indistinguishable from the real thing even to technically literate people. According to Verizon's Data Breach Investigations Report, phishing remains the leading initial attack vector in data breaches, which means the problem is getting more sophisticated, not less.

The tools above reduce your risk significantly. They don't eliminate it. The only honest advice is: be skeptical by default, not just when something looks suspicious.


Sources:

  • FBI Internet Crime Complaint Center
  • Mozilla Privacy Not Included
  • Verizon Data Breach Investigations Report

The Real Reason Hackers Want Your Old Backup Phone

old phone security, SIM card theft, SIM swapping, factory reset data recovery, two-factor authentication, identity theft, phone data privacy

Your sister upgraded last spring and handed you her old Samsung "just in case." You threw it in a drawer. Then your phone cracked, you used it for two weeks, logged into your email, your bank app, your Google account — and then your new phone arrived, so you shoved the backup back in the drawer. It still has your SIM card in it. You haven't thought about it since.

That phone in the drawer is not a paperweight. To the right person, it's a master key.


It's Not About the Phone. It's About the Number.

Most people assume hackers want your device for what's on it — photos, saved passwords, that kind of thing. That's not wrong, but it misses the bigger threat. What's actually valuable is your phone number, and specifically, its role as a trust signal.

Think about the last time you logged into your bank from a new device. It probably sent a text to verify it was really you. That text went to your phone number. Your phone number is your identity for dozens of services that don't know any better way to confirm who you are.

SIM swapping — also called SIM hijacking — is a form of identity theft where attackers deceive or bribe mobile carriers into transferring a victim's phone number to a SIM card they control, giving them the ability to intercept calls, text messages, one-time passcodes, and other multi-factor authentication methods. And if your old SIM card is sitting in that drawer phone, still active, without a PIN lock? They may not even need to call your carrier. (Source: Bitsight)


The "Factory Reset" Trap

Here's the counterintuitive part that almost no one talks about: wiping a phone doesn't actually wipe it.

When you tap "Factory Reset," your phone marks that storage space as available — but the data itself often stays physically on the chip until something overwrites it. From a forensic perspective, a factory reset removes user access to data and restores default settings, but residual files can persist in unallocated storage sectors, low-level system partitions, and as recoverable fragments of photos, videos, and documents — especially if storage blocks haven't been reused. (Source: Salvation DATA)

This isn't theoretical. Researchers investigating modern Android devices running Android 11 and 12 found that user data has reportedly been recovered after a factory reset by applying forensic data recovery techniques. The software to do this is commercially available. It's the same tooling used by phone repair shops. (Source: ScienceDirect)

Some of those shops are not trustworthy.


What "Backup Phone" Actually Means to a Thief

You've used that phone as a backup at least once, which means it likely has:

  • Login sessions that weren't explicitly signed out
  • Cached messages that synced before you logged off
  • Your carrier's SIM still seated inside, possibly still active
  • Saved Wi-Fi passwords — which can reveal where you live and work
  • Fragments of app data that survived the reset

A functional old SIM can expose your contacts and message history, enable impersonation, and make you vulnerable to targeted fraud — and if it doesn't have a SIM PIN enabled, someone who gets hold of it can use it in another device. (Source: Saily)

The SIM card is the worst overlooked piece. It's not glued in. It takes three seconds to remove and slip into another phone. No password required.


What You Actually Need to Do

This is the part most articles get soft on. Here's what matters specifically:

Before you give away, sell, or store any old phone:

  1. Remove the SIM card first. Don't reset, don't sign out — do this before anything else. Cut the SIM with scissors if you're not transferring the number. If the card is still active, call your carrier and deactivate it.
  2. Enable full-disk encryption before resetting (Android users especially). On Android, go to Settings → Security → Encryption, run it, then factory reset. This means any residual data left over is scrambled without the key. iPhones encrypt by default when you have a passcode set.
  3. Sign out of every account manually before resetting — Google, Apple ID, Samsung account, banking apps, anything. Don't rely on the reset to do this.
  4. After reset, run a data-overwriting app like iShredder (Android/iOS) or use the "Erase All Content" option on iPhone, which properly destroys the encryption key rather than just clearing the index.
  5. Never store an active-SIM phone in a drawer. If you want to keep a backup phone, use it with a fresh SIM or no SIM at all.
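Steps 2 and 4 both rest on one idea: a reset that only clears the index leaves the bytes behind, so either overwrite them or make sure they were never stored in the clear. The following is an added toy model (not from the article or its sources) of a flash chip as a flat block store with a file index. A quick delete drops the index entry and a forensic-style scan of the raw blocks still finds the note; an overwrite pass or encrypt-then-discard-the-key does not. The SHA-256 keystream is a dependency-free stand-in for the device's real AES file encryption and is not a cipher to use anywhere else; all data in it is constructed.

```python
import hashlib
import secrets

BLOCK_SIZE = 16


class ToyFlash:
    """Flat block store plus an index mapping file names to block numbers."""

    def __init__(self, blocks: int = 16):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(blocks)]
        self.index = {}
        self.free = list(range(blocks))

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.index[name] = used

    def quick_delete(self, name: str) -> None:
        """What an index-only wipe does: drop the entry, free the blocks, touch no data."""
        self.free.extend(self.index.pop(name))

    def overwrite_free(self) -> None:
        """What a data-overwriting tool does: rewrite every unallocated block."""
        for blk in self.free:
            self.blocks[blk] = secrets.token_bytes(BLOCK_SIZE)

    def carve(self, needle: bytes) -> bool:
        """Forensic-style scan of the raw blocks, ignoring the index entirely."""
        return needle in b"".join(self.blocks)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed with the data.
    Stand-in for real file encryption (AES); do not use for anything real."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


SECRET_NOTE = b"bank login: hunter2 / backup codes 1111 2222"  # constructed sample content


def reset_without_encryption() -> bool:
    """True if the note is still carvable after an index-only delete."""
    flash = ToyFlash()
    flash.write("notes.txt", SECRET_NOTE)
    flash.quick_delete("notes.txt")
    return flash.carve(b"hunter2")


def reset_with_overwrite() -> bool:
    """True if the note survives a delete followed by an overwrite pass."""
    flash = ToyFlash()
    flash.write("notes.txt", SECRET_NOTE)
    flash.quick_delete("notes.txt")
    flash.overwrite_free()
    return flash.carve(b"hunter2")


def reset_with_crypto_erase() -> tuple:
    """Encrypt before writing, then destroy the key (what an 'Erase All Content' style
    reset does). Returns (readable while key exists, carvable after key is destroyed)."""
    flash = ToyFlash()
    key = secrets.token_bytes(32)
    flash.write("notes.txt", keystream_xor(key, SECRET_NOTE))
    flash.quick_delete("notes.txt")
    raw = b"".join(flash.blocks)[:len(SECRET_NOTE)]     # residue of the deleted file's blocks
    with_key = b"hunter2" in keystream_xor(key, raw)     # key still on the device: residue readable
    key = None                                           # crypto-erase: the key is gone
    without_key = flash.carve(b"hunter2")                # only ciphertext is left to carve
    return with_key, without_key


if __name__ == "__main__":
    print("index-only delete, note carvable :", reset_without_encryption())
    print("delete + overwrite, note carvable:", reset_with_overwrite())
    print("crypto-erase (with key, after)   :", reset_with_crypto_erase())
```

The order in step 2 matters for the same reason: encryption enabled after the data was written in the clear may leave old unencrypted copies in blocks the encryption pass never touched, which is the residue the article's older-Android caveat is about.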

The Thing Nobody Mentions About Two-Factor Authentication

Here's the insight that gets buried: SMS-based two-factor authentication — the kind where a code gets texted to you — is the weakest form of 2FA, but it's the default for most banks, email providers, and social platforms.

Threat actors can bypass common security questions by researching personal information shared online, and can also access your mobile account on the provider's website to initiate and authorize a SIM swap using credential stuffing — plugging in stolen usernames and passwords to answer security questions during authentication. The fact that you enabled 2FA doesn't protect you if someone can hijack the number receiving those codes. (Source: Canadian Centre for Cyber Security)

The real fix, where your accounts allow it: switch from SMS codes to an authenticator app like Google Authenticator, Authy, or a hardware key like a YubiKey. These are tied to a physical device you control, not a phone number that can be transferred by a customer service rep who got socially engineered.


The Honest Limitation

Here's what this article can't fix: most people won't do all of this, and some of it is genuinely complicated on older Android phones where encryption isn't automatic. If you have a very old device — anything running Android 6 or earlier — full encryption may not be available or effective, and even an encrypted reset may leave recoverable traces. In that case, the safest option is physical destruction of the storage chip, which is extreme advice that most people reasonably won't take. The risk isn't zero even if you do everything right; it's just significantly lower. Know that going in.


Sources:

  • Bitsight: What is SIM Swapping
  • Saily: What to Do With an Old SIM Card
  • Salvation Data: Factory Reset and Data Security
  • Canadian Centre for Cyber Security: Security Considerations for SIMs
  • ScienceDirect / Forensic Science International: Assessing Data Remnants in Modern Smartphones After Factory Reset

Why Your Password Manager Could Actually Be A Security Risk

password manager security, data breach, LastPass, cybersecurity, master password, phishing, credential theft

A friend of mine — smart, works in finance, uses a password manager religiously — got a call from his bank about suspicious activity. Turns out someone had accessed his crypto exchange account and cleaned it out. The attacker hadn't guessed his password. They already had it.

He'd been a LastPass user.

This isn't a story about him being careless. He did everything right: long master password, unique logins for every site, MFA enabled. And he still got hit — because the risk wasn't in what he did. It was in where he put his trust.


The Single Point of Failure Problem

Password managers solve a real problem. The average person now manages around 168 passwords, according to research cited by ESET's security blog WeLiveSecurity, a figure that's grown 68% in just four years. Nobody can hold that in their head, so we hand it all to one app. Which means we've traded dozens of small risks for one enormous one.

The same centralization that makes password managers convenient also concentrates risk. For attackers, they are an attractive target with a high payoff. (Source: ElcomSoft)

That's not an argument against using one. It's an argument for understanding what you're actually signing up for.


What LastPass Taught Us (And What Most People Missed)

The LastPass breach of 2022 is the clearest case study we have, and most people learned the wrong lesson from it.

The common narrative: "Passwords were encrypted, so it was fine." The reality is messier.

In a second stage of the attack, a senior DevOps engineer's personal computer was compromised, and the attacker used a keystroke logger to obtain the employee's credentials and access an internal vault holding further keys — enabling access to and exfiltration of a backup database and copies of some customers' password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords). (Source: Wikipedia)

Here's the part that most coverage glossed over: the unencrypted URLs. Attackers could see which sites you had accounts on — without cracking a single password. That let them prioritize. Vaults containing cryptocurrency exchange URLs got attacked first. According to Wikipedia's account of the breach, researchers have linked thefts of more than $35 million to victims whose seed phrases were stored in LastPass. A larger heist of $150 million was also later connected to the same data theft.

The encryption held. The metadata gave it all away anyway.


The Counterintuitive Risk Most Articles Skip

Here's what nobody talks about: a password manager can make you worse at security, not better.

When every password is auto-filled, you stop noticing when something feels wrong. You stop recognizing whether you're on the real site or a convincing clone — because you never type anything manually anymore. The friction that used to slow you down and make you think is gone.

Phishing pages that trigger autofill have become a known attack vector precisely because users have been trained to trust whatever their manager fills in. If the form is on the wrong domain and your manager doesn't catch it, you just handed over your credentials without a second thought.
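What "your manager doesn't catch it" means in practice comes down to how the saved URL is matched against the page. The following is an added example (not the code of any real password manager): a loose matcher that asks only whether the saved hostname appears somewhere in the page's hostname, beside a strict matcher that requires the same host or a genuine subdomain and refuses an HTTPS-to-HTTP downgrade. The vault entry and the hostnames are constructed, using the reserved `.example` TLD.

```python
from urllib.parse import urlparse

# Constructed vault entry: the URL recorded when the login was first saved.
VAULT = [{"name": "Example Bank", "url": "https://online.bank.example/login", "username": "alice"}]


def loose_match(stored_url: str, page_url: str) -> bool:
    """The mistake: 'the saved host appears somewhere in the page host'.
    Any hostname that embeds the real one in a longer string passes."""
    stored_host = (urlparse(stored_url).hostname or "").lower()
    page_host = (urlparse(page_url).hostname or "").lower()
    return bool(stored_host) and stored_host in page_host


def strict_match(stored_url: str, page_url: str) -> bool:
    """Fill only when the scheme is not downgraded and the page host is the stored host
    or a subdomain of it (right-anchored, with the dot boundary)."""
    stored, page = urlparse(stored_url), urlparse(page_url)
    if stored.scheme == "https" and page.scheme != "https":
        return False
    s_host = (stored.hostname or "").lower()
    p_host = (page.hostname or "").lower()
    if not s_host or not p_host:
        return False
    return p_host == s_host or p_host.endswith("." + s_host)


def credentials_for(page_url: str, matcher=strict_match) -> list:
    """Entries the manager would offer to fill on this page."""
    return [entry for entry in VAULT if matcher(entry["url"], page_url)]


if __name__ == "__main__":
    pages = [
        "https://online.bank.example/session",                # the real site
        "https://online.bank.example.verify.example/login",   # look-alike with the real host embedded
        "http://online.bank.example/login",                   # same host, plaintext HTTP
    ]
    for page in pages:
        print(page)
        print("  loose :", [e["username"] for e in credentials_for(page, loose_match)])
        print("  strict:", [e["username"] for e in credentials_for(page, strict_match)])
```

The strict matcher is what produces the "hesitation" the article later tells you to respect: when the manager offers nothing on a page that looks right, the hostname is not the one it saved.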

There's also the master password problem. If a user's master password is weak, reused, or compromised, an attacker could gain full access to their vault. This is why a strong, unique master password is non-negotiable. Yet most people treat the master password like any other password — something to remember easily, maybe with a small twist on an old favorite. (Source: SpecopsSoft)


What Actually Reduces Your Risk

Knowing the threat model changes what advice is worth following. Here's what genuinely moves the needle:

Use a strong, truly random master password — and write it down physically. Yes, write it down. A piece of paper in your home is not accessible to attackers in Russia. Your brain's tendency to pick predictable passwords is. Store the written copy somewhere safe, not Post-it-on-your-monitor safe.

Enable MFA on your password manager and treat MFA codes like passwords. Don't use SMS-based MFA if you can avoid it — SIM swapping is a real attack. Use an authenticator app, or better yet, a hardware key.

Pay attention to what your manager doesn't fill in. If you're on a site you use regularly and your manager hesitates, stop. Check the URL manually. That hesitation is the system working.

Never store cryptocurrency seed phrases in a cloud-based password manager. Ever. That lesson has been paid for in real money by real people. Seed phrases belong on paper, in a fireproof safe, offline.

Consider whether you need a cloud-synced manager or a local one. Local managers like KeePassXC don't expose your vault to server-side breaches. The tradeoff is convenience — you manage your own backups. Whether that tradeoff is worth it depends on your threat model, not on which product has the nicest UI.


The Risk You Can't Fully Control

Here's the honest part: some risk lives outside your hands entirely. You can have perfect hygiene and still be affected by a vendor's security failures — their unpatched servers, their employees' personal laptops running old software, their misconfigured alert systems that miss GuardDuty notifications for weeks.

The UK Information Commissioner's Office found that LastPass "failed to implement sufficiently robust technical and security measures," and the impact of the breach was felt by customers as late as December 2024 — when hackers stole $12.38 million in cryptocurrency from LastPass users. (Source: IT Pro)

Password managers are still, on balance, better than the alternative of reusing passwords or keeping them in a spreadsheet. That's a low bar, and clearing it doesn't mean they're safe. They move risk around; they don't eliminate it. Knowing that is what lets you make genuinely informed choices — like which manager to use, what to store in it, and what to keep off it entirely.

The one caveat worth sitting with: even with all of this in place, you're still trusting a third-party company's internal security culture. You can't audit that. You can only watch how they respond when something goes wrong — and decide whether their track record earns your vault.


Sources:

  • WeLiveSecurity (ESET)
  • ElcomSoft Blog
  • IT Pro (LastPass ICO Fine)
  • Wikipedia – 2022 LastPass data breach
  • Specops Software


How To Find Out What Google Knows About You Right Now

Google privacy, data tracking, online surveillance, digital footprint, Google Takeout, ad profiling, personal data

What Google Actually Knows About You (And How to See It Yourself)

A friend once applied for a job and got ghosted after what she thought was a great interview. Weeks later, she found out the hiring manager had googled her and found a cluster of political comments she'd forgotten she'd made in 2019 — tied to her real name through an old Google+ account she didn't even remember creating.

That's the thing about Google. It's not an abstract surveillance machine. It's a very specific file on you, built quietly over years, and you can actually open it.


The File Exists. You Can Read It.

Google stores your data across a handful of dashboards that most people have never visited. The two most revealing ones are My Activity and Google Dashboard.

My Activity is the one that tends to make people go quiet. It shows every search you've made, every YouTube video you watched, every Google Maps route you asked for — with timestamps. Not just "you searched things in 2022." The specific query, the exact minute.

Go there now if you haven't. Scroll back a few years. It's a strange experience.


What's Actually In There

Google Dashboard is less dramatic but more comprehensive. It lists every Google product you've used and how many data points are stored in each: Gmail messages, Drive files, Photos, calendar events, contacts, Chrome browsing history.

According to Google's own support documentation, the Dashboard is meant to give you a "bird's-eye view" of your Google data. What it doesn't tell you upfront is that the numbers can be in the tens of thousands for long-term users.

Pay particular attention to Location History under Maps. If you've ever had an Android phone or kept Google Maps running in the background on iPhone, there's likely a map of everywhere you've physically been — not just places you searched for, but places your body actually went.


The Ad Profile Is the Weird One

Go to adssettings.google.com. This is Google's inferred profile of who you are as a consumer.

It will list your assumed age range, gender, interests, income bracket, and more. Some of it is accurate. Some of it is hilariously wrong. But here's the counterintuitive part most articles skip: the wrong guesses aren't reassuring — they're evidence the profiling is happening regardless of accuracy.

Google is building and selling access to a version of you whether or not that version is correct. A company advertising expensive watches might have paid to target your income bracket even if Google got it wrong. You were still sorted. Still targeted.


Download the Whole Thing

If you want the full picture, request your data through Google Takeout. This is where it gets real.

You can select which products to include — Gmail, Drive, Search history, YouTube watch history, location data — and Google will package it into a downloadable archive. For heavy users, this file can easily exceed 50GB.

According to the Electronic Frontier Foundation, exercising data portability rights like this is one of the most concrete things individuals can do to understand their exposure. Most people never do it because they assume it'll be incomprehensible. It's not. The location data in particular comes as a JSON file that third-party tools can render into a visual map of your movements.

Open it. Look at it once. You'll understand the situation better than any article can explain it.
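The location file mentioned above can be read without any third-party tool. The following is an added example, not code from the article or from Google; it assumes the Records.json layout (integer latitudeE7/longitudeE7 fields plus either an ISO timestamp or, in older exports, a timestampMs string) and embeds a constructed four-point sample to show how quickly a most-visited spot falls out of the data.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like a Takeout "Records.json" (assumption: integer
# coordinates in 1e-7 degrees; newer exports carry an ISO 'timestamp', older ones
# a 'timestampMs' string). Four made-up points near central London, nobody's data.
SAMPLE_RECORDS = json.dumps({"locations": [
    {"latitudeE7": 515074000, "longitudeE7": -1278000, "accuracy": 15,
     "timestamp": "2023-03-10T07:58:00.000Z"},
    {"latitudeE7": 515075100, "longitudeE7": -1279200, "accuracy": 25,
     "timestamp": "2023-03-10T22:14:00.000Z"},
    {"latitudeE7": 515134000, "longitudeE7": -905000, "accuracy": 30,
     "timestamp": "2023-03-11T09:02:00.000Z"},
    {"latitudeE7": 515073500, "longitudeE7": -1278600, "accuracy": 20,
     "timestampMs": "1678572600000"},
]})

E7_PER_CELL = 10_000  # 0.001 degrees, roughly a 100 m grid square

def parse_time(rec):
    """Return an aware UTC datetime from whichever timestamp field is present."""
    if "timestamp" in rec:
        return datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    return datetime.fromtimestamp(int(rec["timestampMs"]) / 1000, tz=timezone.utc)

def load_points(raw_json):
    """Parse the archive text into (datetime, latE7, lonE7) tuples, oldest first."""
    data = json.loads(raw_json)
    return sorted((parse_time(r), r["latitudeE7"], r["longitudeE7"])
                  for r in data.get("locations", []))

def summarize(points):
    """How revealing is the file? Time span, distinct days, most-visited cell."""
    if not points:
        return {"records": 0}
    # Bucket fixes into ~100 m cells; the top cell is usually home or work.
    cells = Counter((lat // E7_PER_CELL, lon // E7_PER_CELL) for _, lat, lon in points)
    (top_cell, visits), = cells.most_common(1)
    return {
        "records": len(points),
        "first": points[0][0].isoformat(),
        "last": points[-1][0].isoformat(),
        "days": len({t.date() for t, _, _ in points}),
        "top_cell": top_cell,            # grid indices; divide by 1000 for degrees
        "top_cell_visits": visits,
    }

if __name__ == "__main__":
    print(summarize(load_points(SAMPLE_RECORDS)))
```

Point it at the real Records.json from your own archive and the top cell with the most fixes is, for most people, their front door.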


The Stuff That Doesn't Show Up in Dashboards

Here's where it gets murkier. Google also receives data from third-party websites that embed Google Analytics, Google Fonts, or YouTube iframes — even when you're not logged in.

This is called passive data collection, and it doesn't appear cleanly in your My Activity feed. It feeds into a probabilistic profile that's harder to audit. You can't go to a dashboard and see "you visited these 300 sites in March." That data exists in aggregate and is used for targeting, but it's not surfaced to you the same way your explicit searches are.

This is the honest gap in the "check your Google data" advice. What you can see in the dashboards is substantial — but it's not everything.


What You Can Actually Do

If you want to reduce what Google stores going forward, three settings matter most:

  • Turn off Web & App Activity at myaccount.google.com/activitycontrols. This stops Google from saving future searches and browsing to your account.
  • Turn off Location History in the same menu. Past data stays until you delete it, but new location tracking stops.
  • Delete what's already there — My Activity lets you bulk delete by date range or by product. Location History has its own deletion tool inside Google Maps settings.

Changing browsers helps too. Firefox with uBlock Origin blocks many of the third-party Google trackers on other sites. It's not perfect, but it meaningfully reduces the passive data trail.


One Honest Caveat

Deleting your activity from Google's user-facing dashboards does not guarantee it's purged from all of Google's systems. According to Google's privacy policy, some data may be retained for legal, security, or operational reasons even after you delete it from your account.

That's not a conspiracy — it's standard practice for large platforms, and some of it is legally required. But it means "I deleted my history" is not the same as "this data no longer exists somewhere." The dashboards give you real control over a real portion of your data. They don't give you complete erasure.

Understanding that distinction is more useful than pretending the delete button is a clean slate.


Sources:

  • Google Account Support
  • Electronic Frontier Foundation (EFF) — Privacy
  • Google Privacy Policy

What Happens When You Click Allow On A Sketchy Browser Notification

browser notifications, notification spam, phishing, browser security, malvertising, online scams, privacy settings

You Clicked Allow. Now What?

Picture this: you're watching a recipe video, or maybe reading about a celebrity feud, and a little box pops up asking if the site can send you notifications. You click Allow without thinking — the same way you agree to cookie banners — just to make it disappear. Two days later, your screen is filling up with pop-ups about weight loss pills and crypto investments even when your browser is closed.

That's not a bug. That's exactly what you signed up for.


The Moment You Clicked, You Handed Over a Key

Browser notifications were originally built for things like Gmail alerts or breaking news from a site you actually trust. The technology itself is neutral. But delivery happens outside the page: the browser hands the notification to your operating system's notification system, the same channel your calendar reminders and text messages use, so it no longer depends on the webpage being open.

That's why those pop-ups appear even after you've closed the tab. You didn't install anything. You just gave a website a persistent line to your attention.


What Sketchy Sites Actually Do With That Permission

Here's where it gets specific. The site that tricked you doesn't necessarily run the notification scam itself. Most of the time, it sells your browser's notification subscription to a network of advertisers — some of whom are operating in gray or outright illegal territory.

According to Malwarebytes, these notification networks are frequently used to deliver malicious ads, redirect users to phishing pages, and promote fake antivirus software designed to frighten you into handing over your credit card.

The notifications look official. They mimic Windows system alerts, antivirus warnings, even messages styled to look like they're from your bank. The goal is to get you to click again — and that second click is where the real damage begins.


The Surprising Part Most People Don't Know

Here's the counterintuitive piece: your antivirus software almost certainly won't stop this.

Traditional security tools scan for malware files and malicious code. Browser notification abuse doesn't involve either. It's a legitimate browser feature being used for illegitimate purposes. You won't get a warning. Your firewall won't notice. From a technical standpoint, your computer is doing exactly what it's supposed to do.

This is why notification spam is so effective — it hides inside normal behavior.


So What Can Actually Happen?

Let's be direct about the range of outcomes, from annoying to genuinely dangerous.

At the mild end, you get flooded with ads. Irritating, but survivable. In the middle range, you're being steered toward phishing pages — fake login screens for your bank or email provider that look nearly identical to the real thing.

At the serious end: according to the FBI's Internet Crime Complaint Center (IC3), fake tech support schemes — many of which use browser notifications as a delivery mechanism — cost Americans over $347 million in 2021 alone. The notification says your computer is infected. You call the number. Someone with an official-sounding voice talks you into giving them remote access to your machine.

That's the pipeline: one casual click, three steps later, a stranger is inside your computer.


How to Actually Fix It (Not Vague Advice — Specific Steps)

The good news is that revoking notification permissions takes about ninety seconds and requires no technical knowledge.

In Chrome: Go to Settings → Privacy and Security → Site Settings → Notifications. You'll see a list of every site you've ever allowed. Revoke anything you don't recognize — and honestly, revoke most things you do recognize too.

In Firefox: Settings → Privacy & Security → Permissions → Notifications → Settings. Same process.

In Safari on Mac: Safari → Settings → Websites → Notifications.

While you're in there, look for the option to block all sites from asking to send notifications in the future. Chrome calls it "Use quieter messaging." Enable it. The permission requests won't disappear entirely, but they'll be downgraded from an aggressive modal popup to a small icon in the address bar that's easy to ignore.

Do this once, do it now, and you won't need to do it again for a while.
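On machines you manage for other people, the same two decisions (block prompts by default, allow a few trusted sites) can be pinned by policy so the prompt never appears. This is an added example, not from the article: DefaultNotificationsSetting (2 = block, 3 = ask, the browser default) and NotificationsAllowedForUrls are Chrome enterprise policy names, the allow-listed URL is a placeholder, and placing the file under /etc/opt/chrome/policies/managed/ on Linux is an assumption about the deployment.

```json
{
  "DefaultNotificationsSetting": 2,
  "NotificationsAllowedForUrls": ["https://mail.example.com"]
}
```

With this in place, sites outside the allow list are refused before any prompt is shown, and the per-site cleanup above becomes unnecessary on those machines.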


One More Thing About Those Notification Requests

According to Google's own Chromium blog, sites that show notification prompts have a dismissal rate above 90% — meaning most people either cancel or ignore them. But the sites keep asking anyway, because the small percentage who click Allow is enough to make the practice profitable.

You're not being uniquely careless if you've fallen for this. The prompts are designed to appear at the moment of highest engagement, when you're absorbed in content and your guard is down. Some sites delay the prompt by thirty seconds specifically to catch you when you're comfortable.


The Honest Caveat

Here's what won't fully protect you: doing all of the above and assuming you're safe. Notification abuse is only one vector. The same impulse that made you click Allow — the desire to get something out of the way quickly — is exploited across dozens of other dark patterns online.

Fixing your notification settings is real and worthwhile. But it doesn't close the gap between the speed at which these schemes evolve and the speed at which most people learn about them. New techniques appear faster than awareness spreads, and the people building these systems are professionally motivated to stay one step ahead.

What you've done by reading this is narrow that gap slightly. That's not nothing — but it's also not a guarantee.


Sources:

  • Malwarebytes
  • FBI Internet Crime Complaint Center (IC3)
  • Google Chromium Blog