This year’s Cybersecurity Awareness Month highlights the Core 4 habits: strong passwords, MFA, scam awareness, and software updates. Put another way: protect your passwords, protect your accounts, protect against social engineering, and protect against exploitable vulnerabilities.
One of the most effective things one can do along these lines is to address exposed personal data, because attackers rely on it to crack or harvest passwords, bypass MFA, and craft scams that AI now makes more scalable than ever. A data broker profile is an open vulnerability that is just as exploitable as unpatched software.
The less PII you leave exposed to attackers, the fewer opportunities they have, which means a dramatic reduction in targeted social engineering attempts that reach your email or phone. That’s a win for you, your company, and the CISOs working to keep us all secure.
Core 4 Habit #1: Create Strong Passwords and Use a Password Manager / Protect Your Passwords
Using strong, unique passwords, and managing them with a reputable password manager, is foundational for security. But even strong passwords can be compromised when personal data falls into the wrong hands, and data brokers make it easy for attackers to access details that can undermine your password security.
Data brokers sell the personal details that help threat actors crack, reset, or steal passwords:
- Password cracking (breach + hashes): Attackers plug exposed emails found on data broker sites into breach repositories to pull password hashes, then crack them offline using rainbow tables or targeted guesses built from the same personal data.
- Password resets via vishing: Attackers call IT help desks and use personal details to impersonate employees, convincing support staff to reset passwords or grant account access.
- Social engineering & credential harvesting: Attackers craft convincing lures (email, SMS, voice) using personal details and trick users into handing over passwords.
Password security is far stronger when attackers don’t have the data they need to crack, reset, or trick their way in.
Optery helps by finding and removing more exposed employee profiles than anyone else, proving it with screenshots, and minimizing organizational risk for social engineering and credential compromise.
Core 4 Habit #2: Enable Multi-Factor Authentication / Protect Your Accounts
MFA is essential for protecting accounts, but not all MFA is equally strong. Attackers increasingly use exposed personal data and social engineering to bypass common forms of MFA such as SMS, one-time passcodes, or app-push approvals.
Here are the main ways MFA is defeated today:
- SIM swap / SMS interception: attackers use exposed PII to impersonate victims and convince carriers to port numbers so SMS OTPs are intercepted.
- Real-time phishing / AiTM: attackers craft highly targeted phishing messages using exposed personal data to lure users to a proxy site that mimics a legitimate login page. The proxy relays credentials to the real service and steals the authenticated session cookie, letting the attacker access the account even when MFA is enabled.
- MFA prompt fatigue / coercion: attackers first obtain usernames and credentials (via phishing, breach dumps, or password cracking using exposed emails), then bombard the user with repeated push requests or apply tailored social pressure until the user approves a login.
- Account-recovery / help-desk abuse: attackers use exposed personal details to pass identity checks with support staff and reset MFA or account credentials.
Phishing-resistant MFA like FIDO2 hardware tokens is the gold standard, but most other MFA methods can still be defeated with enough personal data. Optery helps prevent MFA bypass by removing the exposed employee information attackers use to impersonate, phish, or trick their way past authentication.
Core 4 Habit #3: Recognize and Report Scams / Protect Against Social Engineering
When it comes to social engineering, employees should watch for red flags like urgency, unusual channels, or unexpected attachments, and always verify sensitive requests through a second channel.
But here’s the reality: training doesn’t reduce the volume of scams. So long as there is exposed employee personal data to fuel them, social engineering attacks will keep coming. And with AI now in the mix, they will only increase.
Commercial data brokers make attacker reconnaissance on businesses easy, providing a wealth of employee and organizational data to exploit. From Conti to Scatter Swine to Black Basta, Scattered Spider and more, attackers use these sites to identify targets and craft phishing, smishing, and vishing campaigns that lead to breaches, ransomware, and extortion.
Optery prevents social engineering attacks by finding and removing this exposed personal data from data broker sites in the most comprehensive way possible.
Without easy reconnaissance data, attackers will move on to more exposed targets.
Even the best training can’t stop every click. Optery prevents many of those lures from being sent in the first place.
Core 4 Habit #4: Keep Your Software Updated / Protect Against Exploitable Vulnerabilities
Updating software closes vulnerabilities before attackers can exploit them. But while IT teams patch systems, attackers also exploit another set of vulnerabilities: the exposed personal data of employees.
That data fuels all of today’s top attack vectors, posing a major security risk:
- It’s weaponized for social engineering.
- It powers password cracking, resets, and credential harvesting.
- It sets the stage for BEC, data breaches, ransomware, and financial and reputational damage.
Optery ‘patches’ your people by removing this exposed personal data from data broker sites. The result: attacker reconnaissance is disrupted, lures lose credibility, and the volume of targeted attacks drops dramatically.
Patch your systems. Patch your people. Minimize both halves of your attack surface.
Conclusion
Follow the Core 4 habits to strengthen your passwords, accounts, awareness, and systems.
But combine them with personal data removal for more complete proactive protection against today’s most common attack vectors.