Author: CPOBOX Technology Editor | Release Date: January 15, 2026
We always think that we are invisible people in the online world, until reality slaps us hard.
As a technology editor, I have always considered myself a basic sensitivity to information security. I don’t mess with the link, the computer has anti-virus software installed, and even tells the elders not to believe online rumors. I thought that was enough.
Until last Sunday night, out of boredom and curiosity, I opened the browser’s ‘Incognito Mode’, and entered my full name in the Google search box, plus the last four codes of my old mobile phone number.
The moment I press the ENTER key, I felt a chill on my back to my forehead.
On the first page of the search results, there was a PDF file of the university club address book 10 years ago, which contained my full mobile phone number, home address and private email at that time. Scrolling down, I saw an abandoned blog that I thought was closed as early as 8 years ago, and several forum records that showed that my account might be involved in data leakage.
At that moment, I was shocked that the ‘digital footprint’ I left on the Internet was much larger, chaotic and dangerous than I imagined. My personal information is like the bread crumbs scattered in the Internet wilderness, and anyone who is interested can pick it up.
This is the starting point for my decision to launch a 7-day ‘Digital Cleaning’. This article is not a dogmatic information security code, but I rolled up my sleeves and cleaned up the real pain records and practical experience of digital garbage in the past ten years.
Phase 1: Damage Assessment – How much am I ‘streaking’?
Before you start cleaning, you must first know how serious the problem is. Two days ago, I turned into a ‘Internet detective’ against myself.
1. Google Dorking: Advanced Self-Meat Search
General search is not enough. I used some basic Google Dorking techniques (advanced search syntax) to dig deep information.
'My Full Name' + 'My City''my common id' -site:facebook.com -site:instagram.com(Exclude the main social media and see if there is this ID in other places)filetype:pdf 'My full name'(Dedicated to search for PDF files with my name, such as list, address book)
Measured results: In addition to the terrifying college address book, I also found two unpopular interest forums that I have completely forgotten about the one I have registered.
2. Inquire about the ‘life and death book’ of data leakage: have i been pwned?
Next is a more professional inspection. I visited the well-known website of the information security world ‘Have I Been Pwned? (HiBP)’, and entered my three most commonly used email addresses.
The result was a terrifying red.
My main email has appeared in more than 13 known data breaches. This means that my account number, password miscellaneous value (hash), and even some personal data have already been passed on the dark web for several rounds. And I’m still using the same old password combination as these leaks on some unimportant websites.
3. ‘Time Machine’ review of social media
We all did stupid things when we were young, and social media helped us keep those stupid things forever.
It took me a whole night to re-examine my Facebook and Instagram accounts. I switched the viewing angle to ‘Public View’ to see what strangers can see.
Surprising to find:
- In 2015, I was excited to take a photo of my boarding pass and set it to public in order to celebrate my trip abroad. The barcode above is clearly visible, and people with a heart can get my reservation code and some personal information as long as they scan it.
- My Facebook friend list is public, which provides excellent material for social engineering scams.
Stage 2: Painful Cleanup and Upgrade Action (Core Practice)
After evaluating the damage, the next four days are extremely boring and painful, but absolutely necessary cleaning work. This is not something that can be done by pressing a key, but requires digital labor that requires login processing one by one.
Action 1: Say goodbye to the ‘Universal Password’ and import the password manager (the most painful step)
I have to be honest: For convenience, I used to have about 40% of the websites that I used to use the same set of universal passwords that ‘think is very complicated’. After seeing the results of HIBP, I know that this habit must be terminated immediately.
I decided to import a professional password manager (e.g. 1Password or Bitwarden).
Practical process:
This is the moment I want to give up the most in these 7 days. I have to log in to those 13 known leaked websites, plus dozens of other commonly used websites, one by one to manually change the password.
I replaced all the passwords that I remembered in my head with 20 digits randomly garbled by the password manager (for example:XYZ#9PQ$VR2@MK5L).
At first, I was very unaccustomed to it, and I felt that I had lost control of the account. But when I saw the original red ‘Reuse Password’ warning on the dashboard of the password manager, the ‘unique strong password’ that was turned green one by one, the sense of security was unprecedented.
Action 2: Fully upgrade double validation (2FA), but refuse to text
Changing the password is not enough. What if the hacker cheated my new password through a phishing website? At this time, you need a second line of defense: double verification (2FA).
Professional Insights: Why did I turn off SMS SMS verification?
Many websites default to use mobile phone text messages to send verification codes. But I decided to deactivate this way completely and use the app validator instead (such as Google Authenticator or Authy).
The reason is the ‘SIM Swapping Attack (SIM Swapping)’. Hackers can use social engineering means to deceive telecom operators and transfer your mobile phone number to their SIM card. Once successful, they can receive all your 2FA text messages and then take control of the account. This is not a movie plot, but a real risk.
It took me a whole day to migrate all 2FAs of core accounts such as Google, Apple, Facebook, and banks to the validator app. Although you need to take out more mobile phones to open the APP when you log in now, it is a little more troublesome than receiving text messages, but the security is a world of difference.
Action 3: Digital Breaks – Delete Zombie Account
When sorting my password, I found myself having more than 150 website accounts. At least 30% of them are ‘zombie accounts’ that I have never logged into in the past 5 years.
These sites may be weak in information security, and keeping them will only increase my attack surface.
I used a website guide like JustDelete.me to start a difficult journey to delete accounts. Why is it difficult? Because many websites deliberately hide the ‘Delete Account’ button in the depths of the maze of settings, and even ask you to write to customer service to delete it. I have successfully deleted about 20 services that I no longer use, and every time I click ‘Confirm Delete’, it is as refreshing as throwing away the waste that has been accumulated at home for many years.
Achievement and Reflection: The Eternal Raw Saw of Safety and Convenience
After 7 days of cleaning like a digital ascetic, my digital life has changed dramatically.
List of results:
- ✅ Successfully contacted the person in charge of the university club and removed the public PDF with personal information.
- ✅ Upgrade all 65 commonly used website passwords to unique garbled characters.
- ✅ All core accounts are enabled for App version 2FA verification.
- ✅ Removed 23 zombie accounts that are no longer used.
- ✅ Make old posts and friend list permissions on social media as friends only.
Real reflection: it has become troublesome, but it is also reassuring
To be honest, my digital life is now more ‘trouble’ than it used to be.
In the past, it only took 3 seconds to enter the password that I remembered. Now I need to open the password manager, copy and paste it, then pick up my mobile phone and open the validator APP, and enter a 6-digit code. The whole process may take 20 seconds.
Sometimes in a hurry, I really feel irritable. However, when I saw the news report on a large-scale data leakage of a certain website in the news report, I was no longer as worried as before, worried about whether I was a victim again. Because I know that even if the password of the website is leaked, the hacker will not get my second verification code, let alone use the same set of passwords to hit the library to attack my other accounts.
This kind of solidity of ‘knowing that I have tried my best’ cannot be exchanged for any convenience.
Call to action
You don’t need to spend 7 days as a carpet bombing like me, but you can do these three most important things from today:
- Immediately go to ‘Have I Been Pwned’ and enter your email. See if you are already on the leak list, facing reality is the first step in solving the problem.
- Pick your 3 most important accounts (such as Google, FB, Internet Banking) and turn on 2FA double verification immediately. This is the highest CP value information security investment.
- Stop using the same password on different websites. If you can’t remember, start researching the password manager.
Your digital footprint may be deeper and broader than you think. Don’t wait until the accident to start to make up for the prison, just spend some time now and get back the dominance of your digital life.
