Skip to content
Use promo code: wHvawiVe
at checkout for 20% Off 🕵️ Happy Data Privacy Week 2025 from Optery! 🔒

Privacy Protectors Spotlight: Rachel Tobac

Feature image

In the latest installment of our Privacy Protectors Spotlight series, we are excited to feature Rachel Tobac, a renowned expert in human hacking and social engineering defense strategies.

Rachel Tobac is an ethical hacker and the CEO of SocialProof Security, a company dedicated to helping businesses and individuals protect their sensitive data from cyber threats, particularly through the prevention of social engineering attacks. Renowned for her expertise, Rachel has become a leading voice in cybersecurity, consistently advocating for better awareness and stronger security protocols to combat the human element of hacking. Her live demonstrations, frequent media appearances, and hands-on training programs have made her a pivotal figure in educating organizations and the public about how social engineers exploit vulnerabilities in human behavior to breach systems.

Background

Rachel’s path to infosec and hacking was unconventional yet, in retrospect, seemingly inevitable. After earning a degree in neuroscience and behavioral psychology, Rachel spent time teaching and doing improv on the weekends. Eventually, she decided to explore the tech industry and moved to San Francisco, where she worked as a community manager and later led a UX research team at Course Hero.

Rachel Tobac at DEF CON

During this time, her husband Evan, who worked in security, introduced her to DEF CON’s Social Engineering Capture the Flag (SECTF) contest, an event where fourteen contestants attempt to breach a company entirely over the phone, live in front of an audience, using social engineering. It was the perfect blend of everything Rachel loved—people, neuroscience, and persuasion, and she became hooked. After spending a year researching social engineering, she applied to compete in the contest the following year and, despite being new to hacking, placed second on her first try, maintaining top rankings for the next two years.

Following this success, Rachel and Evan founded SocialProof Security in 2017, with Evan handling the technical side and Rachel focusing on human hacking.

Today, SocialProof Security works with major organizations, including Google, Meta, X, PayPal, Lululemon, Uber, Prudential, SANS, government agencies like NATO and the U.S. Air Force, and many other legal, financial, medical, and technology clients to help them defend against social engineering attacks.

Notable Hacks and Demonstrations

Rachel Tobac regularly conducts live hacking demonstrations to raise awareness about the dangers of exposed personal data in the hands of social engineers.

Rachel Tobac hacks CNN tech reporter Donie O’Sullivan

Rachel’s most publicized demonstrations, which are always conducted with the consent of the target, have consistently shown how easily hackers can leverage online personal information to manipulate people and gain unauthorized access to sensitive data and accounts. One such example was her hack of CNN tech reporter Donie O’Sullivan, where she used his info found online to impersonate him and employed social engineering techniques to steal his hotel points. If this wasn’t enough, she also changed his comfortable exit row aisle seat on a five hour flight to a middle seat near the bathrooms. This demonstration showcased just how important it is to minimize what we share online. Check out the video here: (17) Rachel Tobac – CEO of SocialProof Security & White Hat Hacker, Technology Keynote Speaker – YouTube

At his request, Rachel hacked Donie again three years later using his own leaked passwords. Rachel began with OSINT (open-source intelligence), scouring the internet and social media for contact information. Using his contact info, within just 30 seconds she was able to find 13 of O’Sullivan’s plaintext passwords, hashes, and password hints from data breach repository sites, which compile breached passwords into easily searchable databases. Using a rainbow table and the password cracking tool Hashcat, along with assistance from her husband, she cracked Donie’s password hashes and demonstrated how attackers could use such methods to log into his social media, travel accounts, and more.The results were eye-opening for both O’Sullivan and the audience. Following the hack, O’Sullivan immediately updated his passwords, began using a password manager, and enabled multi-factor authentication (MFA)—steps Rachel strongly advocates for all high-value accounts.

In another highly publicized hack, Rachel targeted billionaire Jeffrey Katzenberg using a combination of spear-phishing (via a lookalike email address), phone number spoofing, vishing (with a voice changer), and a UXSS (Universal Cross-Site Scripting) vulnerability.

Rachel Tobac hacks billionaire Jeffrey Katzenberg

By using clever pretexts and exploiting out-of-date software on Katzenberg’s device, Rachel was able to steal sensitive data, including his driver’s license info, password, photos, emails, and contacts, and even turn on his microphone without detection.

As Rachel later explained in a Twitter thread, this hack emphasized the importance of keeping systems up-to-date, using two methods of communication to verify before taking requested action from an email, and removing personal data from data broker sites, as this reduces the amount of open-source intelligence (OSINT) available for attackers to use. 

In another hack, Rachel used AI to clone the voice of 60 Minutes correspondent Sharyn Alfonsi to trick a colleague into revealing Alfonsi’s passport number. After cloning her voice, Rachel employed a spoofing tool to manipulate the caller ID and make it appear as though the call was coming from Alfonsi’s number. Within just five minutes, Rachel successfully extracted the sensitive information from Sharyn’s colleague.

Rachel Tobac on 60 Minutes

During this demonstration, Rachel emphasized that phone spoofing is a simple yet highly effective technique that can deceive anyone. Hackers can easily download an app and, with a few taps, change the number they’re calling from to impersonate a trusted contact. If your phone number is publicly accessible online, it becomes vulnerable to being spoofed by anyone looking to impersonate you.

Social Engineering & Hacking Tactics And How to Defend Against Them

Rachel Tobac has provided a wealth of insights into the tactics social engineers use to manipulate their targets and the measures people can take to protect against these attacks.

Rachel Tobac's The Hacker's Guide to Securing Your Organization eBook

In her eBook, The Hacker’s Guide to Securing Your Organization, she outlines the psychological principles of persuasion that hackers often exploit, based on the work of psychologist Robert Cialdini. For instance, people often feel obliged to return favors, trust authority figures, or follow the behavior of others. Social engineers also take advantage of the pressure to act quickly in urgent situations, and people’s natural inclination to maintain consistency with their past actions or identify with shared group values.

By understanding these principles, organizations can better prepare their employees to recognize and shut down manipulative social engineering attempts before they cause harm.

Below are some of the key strategies Rachel highlights for organizations and individuals to defend against social engineering attacks.

  • Human-Based MFA: Being “Politely Paranoid” 

Rachel advocates for organizations to instill a culture of what she calls “polite paranoia”—a mindset where employees maintain a healthy dose of skepticism and verify the authenticity of any unexpected or unusual requests. 

“Being “Politely Paranoid” means using two methods of communication to confirm someone is who they say they are before fulfilling their request – a bit like human-based MFA!…By being ‘politely paranoid’ about sensitive requests such as requests for wire transfers, access to company data, [or] bank changes, we can catch cyberattacks in the moment.” The Hacker’s Guide to Securing Your Organization

“If an urgent email arrives, use a text, signal, call, slack, etc. to ask the sender ‘quick question about that email’… to confirm it’s legit before taking requested action.”
 Rachel Tobac, Twitter Thread on Hacking a Billionaire

“You can shut down an attack while smiling.” Rachel Tobac explains how ‘polite paranoia’ can derail social engineering attacks – Security Boulevard

  • Strong Passwords and Password Managers

Rachel consistently underscores the importance of using strong, unique passwords for every account. She advocates for password managers to generate and store secure passwords, reducing the likelihood of reuse across sites, which hackers often exploit.

Breached passwords are one of the first things Rachel looks for when planning a hack:

“My first attack method is to determine if I can find the target’s password in a breach.”

“When most people log in to their accounts, they reuse their passwords, or they change the password ever so slightly. And when you reuse or remix passwords and you’ve been in a breach (which all of us have), that means I can take that password and try putting it into all the other sites you log into—like your bank, work accounts, and personal email.  The Hacker’s Guide to Securing Your Organization

“Bottom line: don’t reuse your passwords, it’s the very easiest way for me to hack you. If you reuse your passwords across multiple sites… I can take that password and I can use it against you.”  The Hacker’s Guide to Securing Your Organization

She further explains the critical role of password managers in providing protection against domain spoofing, helping users avoid phishing sites by recognizing the correct domain and refusing to autofill credentials on fraudulent sites:

“One of the common tactics employed by hackers is to create fake websites that closely resemble legitimate ones, aiming to trick users into entering their login credentials or other sensitive information. Password managers can recognize phishing sites by automatically matching the login information to the correct website. If a password manager does not recognize the site or fails to autofill the login information, it raises a red flag. This additional layer of verification acts as a safeguard against inadvertently falling for phishing attempts. By relying on password managers, you and your team can have increased confidence in the legitimacy of the websites you visit, making it more difficult for hackers to deceive you with fraudulent login pages or phishing scams.” The Hacker’s Guide to Securing Your Organization

  • Multi-Factor Authentication (MFA)

Rachel emphasizes that strong passwords alone are not enough to protect against modern cyber threats. She advises the use of multi-factor authentication (MFA) to add an extra layer of security to accounts, making it much harder for hackers to gain access even if they have stolen a password. For those with elevated threat models, i.e., VIPs, those with Admin access, those who are in the public eye, etc., Rachel advocates for the use of physical tokens like FIDO or YubiKeys to make MFA even stronger and more resistant to attacks. For Rachel’s other recommendations for those who need extreme privacy and security, watch her interview with David Bombal here.

“MFA helps protect against various security threats, such as phishing attacks and credential stuffing… It adds an extra barrier that makes it more challenging for hackers to impersonate legitimate users.” The Hacker’s Guide to Securing Your Organization

The more you can move towards hardware-like MFA the better… Move towards Google Authenticator, or Duo, or some sort of tokenized MFA like a YubiKey or a Google Titan Key. That’s something that should be deployed at the business level.”— Interview with Dashlane: How to Defend Yourself From…Well, Her!

  • Personal Data Removal and Minimizing Open-Source Intelligence (OSINT)

Rachel frequently points to the dangers of personal data exposure and how it fuels OSINT, the research hackers conduct to gather information about their targets. She recommends that businesses provide personal data removal services to their employees, helping to reduce the availability of sensitive information on data brokerage sites.

“Open-source intelligence or OSINT is a reconnaissance step we take before starting the hack. We try to find as much publicly available information about a target as possible, such as their contact information, technical tools in use, likes/ dislikes, etc. Hackers employ OSINT to query search engines, explore massive public forums, or comb through troves of public records online to find the details needed to launch an attack.”  The Hacker’s Guide to Securing Your Organization

“If I’m trying to find the actual contact details of the person I’m emulating, a lot of times I’m finding that on a data brokerage site. If you’ve ever typed your name into Google and you’ve seen your address, your data of birth, your family members, every place that you’ve ever lived pop up, that’s a data brokerage site and they sell our data…It makes it easy for me to hack.” — She hacked a billionaire, a bank and you could be next. Do this now to protect yourself! (youtube.com)

“Delisting from data brokerage sites makes it harder for me to do OSINT to figure out how to contact you + who to pretend to be. Without a reliable email/phone contact I’m unsure if my attack will land in the right place—and that’s a good thing.”  Rachel Tobac, Twitter Thread on Hacking a Billionaire

  • Continuous Patch Management

Keeping systems up to date is another essential safeguard Rachel advocates for, as many people dismiss or delay action on update notifications, leaving their devices vulnerable to known exploits. She emphasizes that unpatched vulnerabilities are often the first entry point for attackers, making it crucial to ensure that all machines are kept current with the latest software updates.

“Keep machines patched.”

“This UXSS vulnerability only worked for [our target] because his machine was out of date by a few months at the time of this attack (if your mac is updated then you’re safe).”  Rachel Tobac Twitter Thread on Hacking a Billionaire

  • Encrypting Communication Channels

Rachel emphasizes the importance of encrypting communication channels as a key defense against interception by attackers. End-to-end encryption ensures that only the intended sender and recipient can access messages, protecting sensitive information in transit from being compromised. Using encrypted communication tools like Signal or other secure messaging services is critical for both individuals and organizations looking to safeguard confidential conversations.

“High-profile individuals are often targeted or impersonated through digital channels. Implement strong cybersecurity measures to safeguard your VIPs’ digital presence. This includes…encrypting communication channels.” — The Hacker’s Guide to Securing Your Organization

  • Security Awareness Training and Simulations

Rachel advocates for dynamic, engaging security awareness training that goes far beyond traditional lectures. Her company offers customized training programs that focus on real-world scenarios, helping employees understand how social engineers operate and how they can defend themselves against these tactics. Their fast-paced, 2-3 minute video modules and interactive workshops ensure that participants stay engaged, while also keeping the content relevant to their everyday roles.

Rachel’s approach makes the learning experience memorable and effective by using music and competitive elements that help drive the lessons home. By stepping into the shoes of a hacker and simulating attacks, employees gain firsthand insight into the tactics used by social engineers, making them more vigilant and prepared to recognize and resist potential threats in both their personal and professional lives.

SocialProof Security offers a comprehensive suite of services designed to help organizations mitigate the risk of social engineering attacks. These services include:

Rachel Tobac public speaking
  1. Live Social Engineering Prevention Training
    These customizable, role-based, hands-on workshops teach employees how to recognize and defend against social engineering attacks. The training can be tailored for all-hands events or specialized team sessions, equipping attendees with the tools needed to mitigate human security risks going forward.
  2. Music & Spoken Security Awareness Training Videos
    Short video modules cover critical topics like phishing, ransomware, social media, social engineering, and MFA. These videos include hacking demonstrations to bring the security concepts to life and are customizable with branding, quizzes, and more. New videos are released quarterly to keep the training fresh and relevant. Here’s an example: (9) Phishing Music-Based Security Awareness Training Video Teaser – YouTube
  3. Social Engineering & Security Awareness Keynotes
    Rachel delivers engaging keynotes on topics like Inside the Mind of a Hacker, How I Would Hack You & How to Stop Me, and The Human Element of Security. These presentations include personalized sales kick-offs, custom keynotes, panels, Q&As, AMAs, and more.
  4. Social Engineering Penetration Testing
    This service includes testing across multiple communication platforms—phone, email, chat, SMS, and social media—focusing on vulnerabilities that attackers exploit for social engineering and account takeover. It includes a full report, executive briefing, and actionable recommendations.
  5. Social Engineering Protocol Update Workshop
    This hands-on workshop focuses on updating outdated identity verification methods used by organizations to authenticate requests, helping to reduce the risk of account takeover, ransomware, financial loss, and data breaches.
  6. Live Hacking, AI Deepfake & Social Engineering Demonstrations
    In these live sessions, Rachel demonstrates how attackers develop a pretext and launch a social engineering campaign, using AI deepfake technology and other tools. These lighthearted but educational sessions can be held during webinars, in-person events, or media appearances.
  7. Social Engineering & Hacking Workshops
    These workshops include OSINT and pretexting Capture the Flag (CTF) competitions, vishing and phishing development, and hacking competitions designed to engage participants in team-building while teaching them critical security concepts. No prerequisites are required, making them accessible to all.
  8. Red Team Training
    This advanced training is designed for InfoSec teams, red and blue teams, customer support, IT support, and helpdesk teams. It focuses on leveling up OSINT, vishing, phishing, pretexting, and social engineering skills to prepare teams to defend against sophisticated attacks.

“Educate your VIPs about the most common threats they’re likely to receive.” — The Hacker’s Guide to Securing Your Organization

“Live hacking demos let people see how hackers actually think and operate. Watching the attack unfold in real-time is one of the best ways to get people to really understand how social engineering works and take the threat seriously.”  Rachel Tobac on CNN: We asked a hacker to steal data from a CNN tech reporter

Advocacy and Public Outreach

Beyond the work she does with SocialProof Security, Rachel Tobac has shared her real life social engineering stories with NPR, Last Week Tonight with John Oliver, The New York Times, Business Insider, CNN, NBC Nightly News with Lester Holt, Forbes and many more.

Rachel Tobac public speaking

In her remaining spare time, Rachel serves on the CISA (Cybersecurity and Infrastructure Security Agency) Technical Advisory Council, where she helps shape national cybersecurity policies. She is also the Chair of the Board for the nonprofit Women in Security and Privacy (WISP), an organization dedicated to advancing women’s careers in the fields of cybersecurity and privacy.

Conclusion

Rachel’s expertise in behavioral psychology and social engineering tactics has established her as an invaluable resource in the fight against cybercrime. As an ethical hacker, she has made a lasting impact on both cybersecurity and privacy protection. She has helped to break down the complexities of social engineering in an engaging, accessible way and has equipped countless individuals and companies with practical strategies to defend themselves. By advocating for a ‘Politely Paranoid’ mindset—where education, vigilance, and strong security practices converge—Rachel has helped make it significantly harder for hackers to succeed.

Rachel’s exceptional ability to capture attention and inspire real behavioral change sets her apart. Few in the security industry can communicate the tactics of social engineers and how to counter them as effectively as she does, both in person and in writing. She not only educates but also vividly demonstrates the immediate risks of personal data overexposure and the consequences of not being ‘politely paranoid.’ Those who attend her workshops or watch her videos leave with a heightened sense of caution and the knowledge to take meaningful action in protecting their privacy and security.

At Optery, we are greatly inspired by Rachel Tobac’s work and are happy to spotlight her for her outstanding contributions to privacy protection and security.

Join us in recognizing Rachel Tobac’s important work. You can follow Rachel on X at @racheltobac@socialproofsec, and @wisporg.

Stay tuned for more features in our Privacy Protectors Spotlight series and follow Optery’s blog for further insights on safeguarding your personal information.

Ready to Remove Your Info from the Internet?

Free Tools + Paid Plans starting at $3.99/mo. 605 sites covered. 30-Day Money Back Guarantee!

Get Free Scan

Ready to safeguard your personal data?

Join the movement of people strengthening their privacy
Sign Up Free