Cloud Depot Blog

Why Senior Security and IT Professionals Should Rethink LinkedIn

Written by Cloud Depot Team | Feb 3, 2026 11:11:34 PM

I’m the CTO here at Cloud Depot, and if you look for my details on our website or LinkedIn, you won’t find them. That’s very much on purpose.

Why I Decided to Go Dark

I first decided to go “dark” after listening to Episode 10 of Darknet Diaries (a wonderful audio podcast, highly recommended). In that episode, attackers tracked down an IT administrator called “Bob.” By mixing info from his Reddit posts, LinkedIn, and Facebook, they figured out which tools he used and what OS he ran at work. With that knowledge, they were able to directly target him and eventually broke into his business. That story really got me thinking about my own exposure, and how easy it might be for someone to pull off the same thing against me or my team.

One of my colleagues once joked that I was the most paranoid person he’s ever met in security. I take that as a compliment because sometimes in this job, a little paranoia is healthy.

When Your Public Profile Becomes a Risk

Your LinkedIn or similar public profile can be an organisational weakness. It gives attackers a roadmap: who’s on the team, who has access to what, who to phish, and who to impersonate. The more public you are, the easier you make their job.

The LastPass Hack

Look at the LastPass 2022 breach. It is a case study in how attackers use OSINT (open source intelligence) gathered from LinkedIn. The criminals started by identifying key employees, including senior DevOps and security engineers, simply by combing through LinkedIn profiles. This was not just a list of names. It told the attackers whom to target, what software stacks to prepare for and how to craft highly convincing phishing emails. That intelligence was instrumental in breaching one of the world’s best-known password managers.

It's Not Just LastPass

And it’s not just LastPass or stories from podcasts. It happens all the time. I’ve seen first-hand how easy it is for threat actors to build a dossier on an organisation using nothing but social media and industry forums.

We recently had a new employee start with us. She posted about her new position on LinkedIn and within 24 hours, she received a phishing email that appeared to come from our ‘CEO’.

What Can We Do About It?

Here’s what I recommend, both as a CTO and as someone who has lived ‘dark’ for a while now:

Limit Public Exposure: Senior IT and security staff should consider avoiding or heavily restricting LinkedIn profiles. If presence is required, keep details vague and avoid listing sensitive internal tools or technologies.

Awareness Training: Make sure your team knows that oversharing, no matter how innocent, can help an attacker. Include OSINT awareness in your security training.

Regularly Audit Your Org’s Web Presence: Google your team, review what’s easily found about them, and treat that exposure as a potential attack surface.

Encourage Privacy: Where possible, coach staff to lock down privacy settings on all their social platforms, not just LinkedIn.

Share Success Safely: Celebrate wins and certifications inside the company, or in ways that don’t also give away technical details that could aid attackers.

The Bottom Line

LinkedIn is a fantastic tool for professional networking, but for those of us in security and IT, it is also a double-edged sword. The more visible and detailed our public profiles, the more ammunition we hand bad actors, all for free.

How exposed is your company? Has your organisation ever fallen victim to OSINT-fuelled attacks? It is worth taking a look. Sometimes, keeping a lower profile is the most secure move you can make.