In What Is OPSEC, I covered the underlying principle: operational security depends more on personal discipline and the trails people leave online than on any specific tool.
This article takes that principle to the practical level. The ten mistakes below are the ones I run into most often when auditing the digital footprints of entrepreneurs, investors, executives, public figures, and the people close to them.
Most incidents do not begin with a hack. The cause is usually mundane: a reused password, one mailbox for every service, a forgotten account, an exposed cloud folder, a photo carrying location data, a document carrying revision history, or a business excerpt pasted into a free AI tool.
What digital hygiene is
Digital hygiene is the baseline discipline for handling accounts, devices, email, cloud storage, files, and public profiles. It cuts down the volume of data about you sitting in the open and reduces the chance of routine leaks.
It covers the common risks:
- reusing passwords across services;
- weak two-factor authentication;
- credential dumps from database leaks;
- phishing and social engineering;
- open sessions left across devices;
- excessive app permissions;
- accidental disclosure of personal data;
- sensitive material handed to third-party services.
Digital hygiene remains the first layer of personal security. It is not a substitute for OPSEC.
| Digital hygiene | OPSEC |
|---|---|
| Covers common, generic risks. | Built around a specific threat model. |
| Works at the level of passwords, 2FA, email, devices, and cloud. | Accounts for assets, public exposure, surroundings, business, and the cost of a mistake. |
| Suitable for everyone as a baseline discipline. | Needed when a mistake can lead to financial, reputational, or operational damage. |
Hygiene answers one question: How clean are my baseline digital habits?
OPSEC asks a different one: What can someone deliberately collecting information about me actually see?
Why these mistakes are dangerous for businesses and public figures
The cost of the same mistake depends on who makes it.
For an ordinary user, a reused password usually ends with a hijacked social account. For a business owner, that same reused password opens the mailbox holding contracts, negotiations, lawyers' details, and financial documents.
A geotag on a vacation photo is a minor curiosity for a private person. For a public figure, it becomes a fixed point that gives away the home neighborhood, regular routes, the people they spend time with, and the daily schedule.
Weak 2FA on an executive's account is rarely a personal problem. It opens the door into the corporate environment. A compromised investor mailbox does more than leak messages. It costs you position in a live deal.
Generic advice is useful as a starting point. It rarely accounts for the actual cost of a specific mistake. That is why digital hygiene for an entrepreneur, public figure, or high-net-worth individual is best treated alongside a footprint audit and a real threat model.
The 10 digital hygiene mistakes
These are the patterns I see most often in the digital footprints of high-risk individuals.
- Reusing passwords.
- Missing or weak two-factor authentication.
- One mailbox for everything.
- Forgotten old accounts.
- Excessive sessions and access on personal devices.
- Sloppy cloud storage.
- Personal details in public profiles.
- File and photo metadata.
- Inattention to phishing and social engineering.
- Sensitive information handed to AI services and third-party platforms.
1. Reusing passwords
One password, or a slight variation of it, ends up in a personal mailbox, a work account, a cloud, a marketplace, an old forum, a delivery app, and a booking service.
The danger here is not personal targeting. It's that old service breaches happen constantly. When a password from one of those breaches matches your current one, access to a throwaway account turns into access to one that matters.
A typical chain looks like this:
- An old account shows up in a breach dump.
- The password, or something close to it, opens your current mailbox.
- From the mailbox, the attacker resets access to your cloud, messengers, work systems, and financial dashboards.
From an audit last year: a company owner's 2017 password for a long-forgotten forum differed from his current email password by a single digit. That variation was enough to pass mailbox recovery and reach the cloud where his financial documents lived.
What to do:
- use a password manager;
- generate a unique long password for each service;
- stop using manual variations like Password2024, Password2025, Password2026;
- apply extra protection to the root accounts: mailbox, primary cloud, work systems;
- audit old accounts for password overlap.
A password manager isn't primarily about convenience. It exists to sever the chain between services: a leak in one place shouldn't unlock your whole digital perimeter. Solid options are catalogued in the independent Privacy Guides shortlist, from Bitwarden and 1Password to Proton Pass.
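The overlap audit from the list above can be scripted against a vault export. The Python below is an added example, not part of the original article and not any password manager's own tooling: it normalizes away the manual-variation tricks (case, separators, a trailing year or counter) so near-duplicates group together, and it shows the k-anonymity check Pwned Passwords uses, where only the first five hex characters of a SHA-1 leave your machine. The vault entries, service names and canned range response are constructed for the example; a real client would fetch the range from https://api.pwnedpasswords.com/range/<prefix> over HTTPS.

```python
import hashlib
import re
from collections import defaultdict

# Constructed vault export for the example: (service, password). Not real credentials.
VAULT = [
    ("mail.example", "Orchid-Tango-2026!"),
    ("cloud.example", "cK9!vR2#pLw8zQ4m"),
    ("shop.example", "Orchid-Tango-2026!"),
    ("oldforum.example", "orchidtango2017"),
    ("work-sso.example", "Orchid_Tango_2025"),
]


def normalize(password: str) -> str:
    """Collapse the usual manual-variation tricks so near-duplicates compare equal:
    case, separators and symbols, and a trailing year or counter ("...2024" -> "...")."""
    base = re.sub(r"[^a-z0-9]", "", password.lower())
    return re.sub(r"\d+$", "", base)


def overlap_groups(vault):
    """Map each shared base password to the services using it or a variant of it.
    Only groups with more than one service are returned."""
    groups = defaultdict(list)
    for service, password in vault:
        groups[normalize(password)].append(service)
    return {base: sorted(svcs) for base, svcs in groups.items() if len(svcs) > 1}


def hibp_range_query(password: str):
    """k-anonymity split used by Pwned Passwords: the 5-character SHA-1 prefix is sent,
    the 35-character suffix is compared locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range) -> int:
    """How often the password appears in breach data, according to a range response.
    fetch_range(prefix) must return the text body of the range endpoint for that prefix
    (lines of 'SUFFIX:COUNT'); the caller supplies the HTTP client."""
    prefix, suffix = hibp_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the live endpoint: a canned answer for the prefix of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The counts are made up.
_CANNED_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n",
}


def offline_fetch_range(prefix: str) -> str:
    return _CANNED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for base, services in overlap_groups(VAULT).items():
        print(f"base password {base!r} shared by: {', '.join(services)}")
    print("'password' seen", pwned_count("password", offline_fetch_range), "times")
    print("random entry seen", pwned_count(VAULT[1][1], offline_fetch_range), "times")
```

Run it and the four Orchid-Tango variants land in one group while the random password stays alone. The normalization is deliberately aggressive (it also merges passwords that differ only in punctuation); in an audit, a false positive is the cheaper error.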
2. Missing or weak two-factor authentication
2FA is often either disabled or set to SMS. For critical accounts, that's not enough.
SMS codes can be intercepted, forwarded, or simply redirected to a new SIM through a SIM swap. The FBI's IC3 logged more than $68 million in SIM-swap losses from US victims in 2021 alone. If you're publicly visible, hold significant assets, or run a business, your phone number becomes a target on its own.
The attack pattern is brutally simple: your phone loses cell service, and within minutes the one-time codes for your accounts start arriving on the attacker's SIM. By the time you reach your carrier, several accounts may already be gone.
What to do:
- enable 2FA on every critical account;
- replace SMS with a TOTP authenticator wherever possible;
- use a hardware security key for email, banking, crypto services, and work accounts;
- store backup codes separately, ideally offline;
- audit which accounts are still tied to your phone number.
SMS as a second factor is acceptable only where no alternative exists and the cost of compromise is low. Keep in mind that TOTP codes and push approvals can still be relayed by a real-time phishing proxy or worn down by repeated prompts; only origin-bound hardware keys (FIDO2/WebAuthn) resist that. The EFF Surveillance Self-Defense guide on 2FA walks through the trade-offs between SMS, TOTP, push approvals, and hardware keys.
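To make concrete why a TOTP authenticator is out of reach of a SIM swap, here is an added example, not from the article and not the code of any authenticator app, implementing RFC 6238 in Python: the only inputs are a shared secret that stays on your device and the clock, so nothing routes through the carrier. The secret below is the RFC's published test key, not a real one; the verification function with its drift window and constant-time comparison is the check a service would run on the other side.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step.
    Inputs are the shared secret and the time; no phone number is involved anywhere."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).
    Constant-time comparison so timing does not reveal how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, digits=digits, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# RFC 6238 Appendix B test secret ("12345678901234567890" in base32). Not a real key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET, int(time.time())))
    print("RFC vector T=59 ->", totp(RFC_SECRET, 59, digits=8))   # 94287082
```

Two things to take from it: the secret is the whole security, so back it up offline as the list above says, and a code is only ever valid for one short window, which is why a real-time relay is the remaining attack on TOTP.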
3. One mailbox for everything
A single email handles banking, work correspondence, marketplaces, subscriptions, old forums, personal services, and recovery for every other account.
That mailbox quietly turns into a root node. It's exposed in dozens of services, shows up regularly in breach lists, and acts as the recovery key for everything else.
Once that email is compromised, hacking the rest is rarely necessary. Standard password recovery handles the cloud, the messenger, the work account, and the bank.
What to do:
Split your email into at least three tiers:
- Root email. Used only for recovering critical accounts. Never used for sign-ups, newsletters, or public contact.
- Work email. For business correspondence, documents, and professional contacts.
- Daily email. For marketplaces, subscriptions, one-off registrations, and low-stakes services.
The root email should be the most locked-down of the three: unique password, hardware key, minimal connections, no forwarders, no third-party app integrations.
4. Forgotten old accounts
Over ten or fifteen years, dozens of registrations pile up: forums, old social networks, marketplaces, delivery services, platforms tied to past projects, corporate dashboards.
The account itself is usually harmless. What I find in audits, regularly, is real data sitting inside: name, phone, address, an old email, order history, occasionally identity documents. The passwords are weak, 2FA is absent, sessions haven't been closed in years.
An old account can still be linked to your current email or phone number. Attackers use it for context, for identity verification, or to build a chain of password resets that ends somewhere meaningful today.
What to do:
- run an account inventory once a year;
- search for registrations by your primary email and phone number;
- delete profiles you no longer use;
- rotate passwords where needed;
- close active sessions;
- enable 2FA;
- pay special attention to old corporate dashboards and platforms from previous projects.
An old account is easy to dismiss as digital clutter. Sometimes it's a forgotten door into your current perimeter.
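One practical way to search for registrations by your primary email is to mine your own mailbox export for the welcome and verification mails every sign-up produces. The Python below is an added example, not part of the article: it reads an mbox file, keeps messages whose subject looks like a sign-up, and reports each sender domain with the year the account first appeared. The mbox content, addresses and subject keywords are constructed for the example; widen the keyword list for your own mail.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Subjects that usually mean "an account was created here"; extend for your own mail.
SIGNUP_SUBJECT = re.compile(
    r"\b(welcome to|verify your (email|account)|confirm your (email|account)|"
    r"activate your account|account (created|confirmation)|registration)\b",
    re.IGNORECASE,
)

# Constructed mbox content standing in for a real mailbox export (addresses are examples).
SAMPLE_MBOX = """\
From no-reply@oldforum.example Mon Mar  4 10:00:00 2013
From: OldForum <no-reply@oldforum.example>
To: me@example.com
Subject: Welcome to OldForum, please verify your email
Date: Mon, 04 Mar 2013 10:00:00 +0000

Thanks for registering. Click the link to verify your address.

From billing@cloud.example Tue Jun 14 09:30:00 2016
From: CloudDrive <billing@cloud.example>
To: me@example.com
Subject: Welcome to CloudDrive
Date: Tue, 14 Jun 2016 09:30:00 +0000

Your storage plan is active.

From news@cloud.example Fri Jan 12 08:00:00 2018
From: CloudDrive News <news@cloud.example>
To: me@example.com
Subject: New features this month
Date: Fri, 12 Jan 2018 08:00:00 +0000

Newsletter, not a sign-up.

From hello@delivery.example Wed Sep 18 19:45:00 2019
From: QuickEats <hello@delivery.example>
To: me@example.com
Subject: Confirm your account
Date: Wed, 18 Sep 2019 19:45:00 +0000

Tap to confirm.

From orders@shop.example Sat Nov 23 12:00:00 2024
From: Shop <orders@shop.example>
To: me@example.com
Subject: Your order 4471 has shipped
Date: Sat, 23 Nov 2024 12:00:00 +0000

Tracking number inside.
"""


def write_sample_mbox() -> str:
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def account_inventory(path: str) -> dict:
    """Return {sender_domain: {'first_seen': year, 'subject': str}} for every message
    that looks like a sign-up or verification mail. One domain = one account to review."""
    inventory = {}
    box = mailbox.mbox(path)
    try:
        for msg in box:
            subject = str(msg.get("Subject", ""))
            if not SIGNUP_SUBJECT.search(subject):
                continue
            domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
            if not domain:
                continue
            year = parsedate_to_datetime(str(msg["Date"])).year
            current = inventory.get(domain)
            if current is None or year < current["first_seen"]:
                inventory[domain] = {"first_seen": year, "subject": subject}
    finally:
        box.close()
    return inventory


if __name__ == "__main__":
    for domain, info in sorted(account_inventory(write_sample_mbox()).items()):
        print(f"{info['first_seen']}  {domain:<22} {info['subject']}")
```

Point it at a real export (most providers offer mbox) and the oldest entries are the ones worth checking first: those are the accounts whose passwords predate your current habits.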
5. Excessive sessions and access on personal devices
A single phone holds everything: personal photos, banking apps, family chats, work email, corporate services, documents, messengers.
Dozens of active sessions accumulate on the device. Apps request access to contacts, location, files, microphone, and camera. Some were installed years ago and the reason for them is long forgotten.
In this setup, the phone becomes a single access node to your entire life. The compromise of one device can reach personal data, work correspondence, banking, cloud storage, and corporate services. At that scale, it's closer to a corporate data breach than a personal incident, even though the entry point was a personal device.
What to do:
- separate critical and routine tasks across different devices;
- audit app permissions on a schedule;
- close old sessions;
- don't keep work and personal credentials in one uncontrolled app pool;
- at home, use a separate guest Wi-Fi network for visitors' devices;
- once a quarter, sign out of every session on critical accounts and sign back in.
For anyone with elevated risk, a single phone "for everything" is fragile architecture.
6. Sloppy cloud storage
A single cloud often holds everything: personal photos, work documents, passport scans, contracts, financial spreadsheets, presentations, archives, and correspondence.
It's accessible from several devices. Sometimes an assistant has access. Sometimes a contractor, a former employee, or whoever was sent a "temporary" link years ago.
Cloud is convenient, but it's someone else's infrastructure. Its safety depends on a password, on 2FA, on access settings, and on the discipline of everyone working with the files. When personal, work, and sensitive material live in the same bucket, the compromise of one account hands over far too much at once.
What to do:
Split data by sensitivity:
- personal: photos, household files, low-stakes documents;
- work: active projects, presentations, routine correspondence;
- sensitive: contracts, scans, financial data, restricted material.
Each tier needs its own access policy. Sensitive data is better kept in a separate environment, with client-side encryption and regular access audits.
Shared folders deserve special attention. A former assistant, contractor, or lawyer should not still have access a year after the engagement ended.
A typical story from my audits: a client gave an assistant a link to a working folder "for a week" back in 2022. In 2025, that same link showed up in a partner service breach with the folder contents intact. Three years passed and no one had closed it.
7. Personal details in public profiles
Social media, interviews, corporate bios, and public profiles routinely carry details people don't think of as sensitive: children's names, school, neighborhood, favorite restaurant, car model, assistant's name, vacation spots, regular routes.
Each detail looks minor on its own. Combined, they form a profile assembled entirely from open sources.
A separate risk comes from the people around you. A locked-down personal profile won't help if a spouse tags geolocations, children post photos from inside the house, an assistant publishes the schedule, and employees show office details in stories.
Your surroundings are part of your digital footprint.
What this enables:
- a map of habits and movement patterns;
- a clear picture of your social circle;
- preparation for targeted phishing;
- social engineering attempts;
- pressure points through family, staff, and contractors.
What to do:
- periodically search for yourself by name to see what's visible;
- review what people around you are publishing;
- agree with family on geotagging and home photo rules;
- set publication guidelines for assistants and staff;
- post sensitive locations with a delay;
- don't show documents, screens, badges, license plates, or distinctive interior details.
A line I repeat to clients: privacy doesn't work when only one person in the household practices it.
8. File and photo metadata
Photos and documents are routinely published or forwarded without stripping their metadata.
A smartphone photo can carry EXIF data: coordinates, date, time, device model, sometimes camera orientation. Many platforms strip this on upload, but not all of them. Send the original file through a messenger and the metadata often survives.
Word and PDF documents carry similar baggage: author, organization, revision history, comments, old versions of fragments you thought you'd deleted.
A single image can reveal a home address. A series of photos reveals a routine. A document with revision history reconstructs the author, internal wording choices, and everyone involved in drafting it.
What to do:
- disable geotagging in the camera app by default;
- check metadata before publishing;
- for sensitive photos, strip EXIF (with a tool like ExifTool) or take a screenshot instead;
- remove document metadata before sending;
- avoid forwarding originals when an export will do;
- review PDF and Word files before sending them to external recipients.
Every file carries a second layer of data alongside its visible content. That second layer is the one most people forget about.
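Checking and stripping photo metadata without a third-party tool comes down to walking the JPEG's marker segments: Exif and XMP live in APP1, IPTC in APP13, and removing those segments leaves the image data untouched. The Python below is an added example, not from the article and not a substitute for ExifTool's full tag coverage: it parses the Exif TIFF block to report whether a GPS sub-IFD is present, then writes a copy without the metadata segments. The sample JPEG is constructed inline with the right structure but is not a decodable picture.

```python
import struct

EOI, SOS = 0xD9, 0xDA
APP1, APP13 = 0xE1, 0xED          # APP1 carries Exif and XMP, APP13 carries IPTC/Photoshop
GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS sub-IFD
STRIP = {APP1, APP13}


def jpeg_segments(data: bytes):
    """Yield (marker, start, end) for each header segment. Stops at SOS or EOI and yields
    the rest of the file as one chunk; the entropy-coded scan is never parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack_from(">H", data, pos + 2)   # includes its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        pos = end
    raise ValueError("truncated JPEG: no SOS/EOI found")


def _ifd_tags(tiff: bytes, offset: int, endian: str):
    """[(tag, type, count, raw 4-byte value/offset)] for the IFD at `offset` in the TIFF block."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = []
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, at)
        entries.append((tag, typ, n, tiff[at + 8:at + 12]))
    return entries


def exif_summary(data: bytes) -> dict:
    """Tag IDs in IFD0 and, if present, the GPS IFD; {} when there is no Exif block."""
    for marker, start, end in jpeg_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            tiff = data[start + 10:end]
            endian = "<" if tiff[:2] == b"II" else ">"
            (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd0 = _ifd_tags(tiff, ifd0_off, endian)
            summary = {"ifd0": [t for t, *_ in ifd0], "gps": []}
            for tag, _typ, _n, raw in ifd0:
                if tag == GPS_IFD_POINTER:
                    (gps_off,) = struct.unpack(endian + "I", raw)
                    summary["gps"] = [t for t, *_ in _ifd_tags(tiff, gps_off, endian)]
            return summary
    return {}


def has_gps(data: bytes) -> bool:
    return GPS_IFD_POINTER in exif_summary(data).get("ifd0", [])


def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG without APP1/APP13 segments; tables and image data are untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in jpeg_segments(data):
        if marker not in STRIP:
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed stand-in for a phone photo: SOI, Exif APP1 with a Model tag and a GPS IFD,
    a placeholder DQT, a minimal SOS and EOI. Right structure, not a decodable image."""
    E = "<"                                               # little-endian TIFF ("II")
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4                   # two IFD0 entries -> GPS IFD at 38
    ifd0 = struct.pack(E + "H", 2)
    ifd0 += struct.pack(E + "HHI", 0x0110, 2, 4) + b"Cam\x00"            # Model, ASCII inline
    ifd0 += struct.pack(E + "HHI", GPS_IFD_POINTER, 4, 1) + struct.pack(E + "I", gps_off)
    ifd0 += struct.pack(E + "I", 0)                                       # no IFD1
    gps = struct.pack(E + "H", 1)
    gps += struct.pack(E + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"       # GPSLatitudeRef "N"
    gps += struct.pack(E + "I", 0)
    exif = b"Exif\x00\x00" + b"II*\x00" + struct.pack(E + "I", ifd0_off) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01" + b"\x12\x34"     # header + fake scan
    return b"\xff\xd8" + app1 + dqt + sos + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", exif_summary(photo), "gps:", has_gps(photo))
    clean = strip_metadata(photo)
    print("after: ", exif_summary(clean), "gps:", has_gps(clean))
```

On a real photo, `has_gps` tells you before sending whether coordinates are embedded, and `strip_metadata` does the same job as `exiftool -all=` for the common segments. The embedded Exif thumbnail, which can show the uncropped original, goes with the APP1 segment as well.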
9. Inattention to phishing and social engineering
Targeted phishing rarely looks like a clumsy email full of typos.
A note from "your lawyer" arrives the day a deal is actually being discussed. A call from "your partner's assistant" sounds convincing because the partner's name is public. A voice in an audio file sounds like a real person because there's enough recorded public speaking to clone them.
The technology behind these attacks matters less than the context. The more data about you exists in open sources, the easier it is to assemble a request that looks completely normal.
This can look like:
- an urgent request to pay an invoice;
- updated banking details from a counterparty;
- a document "for a quick review";
- a message from someone you know with an unusual ask;
- a call in a voice you recognize.
What to do:
Set a verification protocol. Any urgent request, change of payment details, money transfer, document access grant, or operation confirmation gets verified through a second independent channel.
Not the same messenger that delivered the message. A known-good phone number, a personal contact, a video call, or an in-person meeting.
A recent case: an accountant at a public company received a message "from a partner" with new payment details one day before a scheduled invoice. The name, context, and writing style all matched the partner's published correspondence in the press. The payment would have gone through if not for an internal rule requiring voice confirmation of any payment-detail change at a known-good number.
In my practice, this isn't paranoia. It's ordinary working discipline for situations where the cost of a mistake is measured in money, a deal, an asset, or a reputation.
10. Sensitive information handed to AI services and third-party platforms
Documents get uploaded to public AI tools for translation, summarization, editing, contract analysis, or drafting a reply. Financial models get opened in cloud spreadsheets. Business correspondence gets paraphrased to a chatbot.
In terms of convenience, the appeal is obvious. The privacy risk is consistently underestimated.
Data submitted to a third-party service is no longer under your direct control. It can sit in logs, train future models, pass through contractor infrastructure, be reviewed by employees, or end up in a breach of the platform itself.
A separate risk zone: employees who upload corporate documents through their personal AI accounts. The company may formally prohibit it. They do it anyway, because it's faster.
What to do:
- never upload to a public AI tool what you cannot afford to disclose;
- before uploading, redact: names, amounts, payment details, addresses, context;
- for sensitive work, use local tooling or enterprise solutions with transparent data policies (for example, ChatGPT Enterprise explicitly states that inputs and outputs are not used to train models);
- define for your team which categories of data can be processed through AI and which cannot;
- you cannot monitor employees' personal AI accounts, so control the path instead: on managed devices, route AI services through a web proxy or DLP policy and log uploads, so the rule is enforced rather than merely written down.
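The "redact before uploading" step can be made mechanical so that it survives deadline pressure. The Python below is an added example, not from the article: it swaps IBANs, email addresses, phone numbers, amounts and a supplied list of names for numbered placeholders, keeps a mapping, and restores the originals in whatever text the tool returns. The sample message and the name list are constructed (the IBAN is the standard documentation example); the regexes cover the formats in the sample and should be extended for your own documents.

```python
import re

# Structured items from the article's list; names are supplied explicitly because there
# is no entity recognizer here. Order matters: IBANs before amounts, emails before names.
PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\+\d[\d\s().-]{6,}\d")),
    ("AMOUNT", re.compile(r"(?:EUR|USD|GBP|€|\$|£)\s?\d[\d,.]*|\b\d[\d,.]*\s?(?:EUR|USD|GBP)\b")),
]
PLACEHOLDER = re.compile(r"\[[A-Z]+_\d+\]")


def redact(text: str, names=()):
    """Replace sensitive items with numbered placeholders. Returns (redacted, mapping),
    where mapping (placeholder -> original) lets you restore the tool's output."""
    mapping = {}
    reverse = {}          # (kind, original) -> placeholder, so repeats share one token
    counters = {}

    def token(kind, original):
        key = (kind, original)
        if key not in reverse:
            counters[kind] = counters.get(kind, 0) + 1
            reverse[key] = f"[{kind}_{counters[kind]}]"
            mapping[reverse[key]] = original
        return reverse[key]

    patterns = list(PATTERNS)
    if names:
        alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
        patterns.append(("NAME", re.compile(r"\b(?:" + alternation + r")\b")))
    for kind, rx in patterns:
        text = rx.sub(lambda m, k=kind: token(k, m.group(0)), text)
    return text, mapping


def restore(text: str, mapping: dict) -> str:
    """Reverse `redact` on the tool's output; unknown placeholders are left untouched."""
    return PLACEHOLDER.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)


# Constructed sample message; names, amounts and contacts are made up.
SAMPLE = ("Hi Anna Kowalski, Northwind Trading owes us EUR 48,500.00 on invoice 4471. "
          "Please send the payment to IBAN DE89 3704 0044 0532 0130 00 by Friday. "
          "Questions: anna.kowalski@northwind.example or +49 30 1234567.")
SAMPLE_NAMES = ["Anna Kowalski", "Northwind Trading"]

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE, SAMPLE_NAMES)
    print(redacted)
    for placeholder, original in mapping.items():
        print(f"  {placeholder} = {original}")
    print("round trip ok:", restore(redacted, mapping) == SAMPLE)
```

The mapping never leaves your machine; what goes to the service is the placeholder text, which still reads well enough for translation, summarization or a drafted reply. Regex redaction catches structured fields, not context, so the last list item above, deciding which document categories may go to an AI tool at all, still applies.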
How to check yourself
If three or more of the ten points below apply to you, that's hard to dismiss as a minor slip. Usually it's the sign of a pattern.
Check the key points:
- Are the same or similar passwords used across different services?
- Is SMS still the second factor on any critical accounts?
- Are banking, cloud, messengers, and work services all tied to the same email?
- Can you name every service you've registered for in the past ten years?
- Are there active sessions in apps you haven't opened in months?
- Does one cloud hold your personal, work, and sensitive material together?
- Are the people around you publishing details you wouldn't post yourself?
- Is metadata stripped before you send photos or documents?
- Is there a verification rule for urgent messages, payments, and changes to counterparty details?
- Are work documents uploaded to public AI tools?
When you need a digital footprint audit
Digital hygiene covers the baseline. It doesn't show how you look from the outside: what can be found about you, what data points connect, and what risk scenarios can be built on that foundation.
A digital footprint audit is closed analytical work. The objective is to map what data about you, your family, your team, or your business is available in open sources, breach data, accounts, cloud storage, documents, and the publications of people around you.
An audit makes sense when:
- your public profile has grown;
- a major deal is being prepared;
- new assets or partners have appeared;
- assistants, security staff, lawyers, drivers, or contractors have changed;
- a leak or suspicious activity has already happened;
- you need to understand what's visible about you, your family, or your business from open sources;
- you're moving toward a more private way of living and working.
FAQ
How is digital hygiene different from OPSEC?
Digital hygiene covers common, generic risks: passwords, 2FA, email, devices, cloud, metadata, phishing. OPSEC starts where you need to account for a specific threat model: who might be interested in you, what assets are being protected, who can be used to reach you, and how different parts of your digital footprint connect to each other.
How do I know if my data has already leaked?
A basic check starts with breach aggregators like Have I Been Pwned. The service shows whether your email has appeared in known breaches. That's only the surface layer. A full picture includes old accounts, phone numbers, cloud storage, documents, public profiles, mentions by people around you, and the connections between them.
Can I completely remove myself from the internet?
Completely, no. You can substantially reduce your digital footprint: remove unnecessary publications, close old accounts, limit data visibility, set rules for the people around you, and reduce the number of points through which you can be studied.
Is it safe to store documents in the cloud?
It depends on the documents, the cloud provider, and your access settings. Personal photos and routine files carry one level of risk. Passport scans, contracts, financial documents, and sensitive correspondence sitting in the same account with no segmentation or encryption carry a very different one. Critical data is better kept in a separate protected environment.
Does a VPN actually protect my privacy?
A VPN solves a narrow problem: it hides the content and destinations of your traffic from your ISP and the local network, and it changes your visible IP address. That visibility moves to the VPN provider rather than disappearing. It doesn't make you anonymous, doesn't block trackers, doesn't reduce your digital footprint, and doesn't mask behavioral patterns. Useful tool, not universal protection.
Can I use AI services for confidential documents?
Not on public free tiers. Enterprise solutions with documented data handling policies and a clear opt-out from training material can work, though the answer always depends on how sensitive the information is. The baseline rule: if you wouldn't show the document to a stranger, don't upload it to a random service.
What does an OPSEC audit include?
An OPSEC audit shows what you look like from outside: what data is available, how it connects, and which accounts, people, publications, and documents can be used to build a risk scenario. The work covers digital footprint, open sources, breaches, accounts, devices, cloud storage, social circle, and a prioritized list of vulnerabilities to address.
Conclusion
Digital hygiene isn't ten settings in a phone. It's the baseline discipline of personal data protection, and it determines how much can be assembled about you without ever touching a closed system.
A shared password chains accounts together. One email for everything turns recovery into a master key. A phone without task separation mixes personal, professional, and financial. A geotagged photo gives up a location. A document uploaded to a random service can live in someone else's infrastructure for years.
Each mistake looks small on its own. Together they assemble into a digital footprint that's clearly visible from outside.
Digital hygiene closes the common risks. After that, OPSEC begins: working with a specific threat model, your circle, your assets, and the actual cost of a mistake.
The conversation usually starts with a simple request: "I want to understand what I look like from outside." That's the most natural entry point.
If you recognized yourself in more than three of these mistakes, it's worth seeing the full picture before someone else does. Consultations are handled in strict confidence.
