I Tested My Own Security — Here's Every Weakness a Hacker Would Use Against Me

Last month I was working through a penetration testing lab on HackTheBox — a simulated corporate network. I rooted the machine in under two hours using a combination of password reuse, an unpatched service, and an exposed internal admin panel with default credentials. Standard stuff for practice environments.

Then I sat back and thought: would I find the same things if I pointed this methodology at myself?

I spent the following weekend doing exactly that. A full personal security audit — treating myself as the target, using the same reconnaissance and testing approach I use on lab machines. What I found was uncomfortable. I'm an MCA student studying cybersecurity, actively learning about these exact vulnerabilities — and I still had significant gaps in my personal security posture.

This post documents every weakness I found, how serious each one was, and the exact steps I took to fix it. If a cybersecurity student had these gaps, there is a high probability you have some too. Work through this with me.

What this guide covers: A structured personal security audit you can do yourself in a weekend — no special tools required. I cover passwords, accounts, devices, network, social media exposure, and email security. Everything I actually found and fixed, not a theoretical checklist.

Jump to a section:
  1. Phase 1 — Reconnaissance: What a hacker learns before touching anything
  2. Phase 2 — Password audit: The most uncomfortable findings
  3. Phase 3 — Account exposure audit
  4. Phase 4 — Device security gaps
  5. Phase 5 — Network and email vulnerabilities
  6. Phase 6 — Social media OSINT exposure
  7. Your complete personal security hardening checklist

Phase 1 — Reconnaissance: What a Hacker Learns Before Touching Anything

Real attackers don't start by trying to hack you. They start by learning everything they can about you using publicly available information — a technique called OSINT (Open Source Intelligence). I started my audit the same way.

I Googled my full name, my email addresses, my phone number, and my username (the same one I use across most platforms). The results were more revealing than I expected.

Vulnerability #1 — My username was consistent across 11 platforms (Severity: High)

I've used the same username — a variation of my name and birth year — since I was 16. A simple Google search of that username returned: my GitHub, my LinkedIn, an old Instagram, a gaming forum account from 2019, a Stack Overflow profile, a Quora account, and four other platforms I had completely forgotten existed.

Why this matters to an attacker: Cross-referencing these profiles revealed my approximate location, my educational history, my interests, the kinds of projects I work on, and gave an attacker a comprehensive picture of my digital life. Some of those old accounts had my phone number visible. One had an older email address I no longer monitored — a potential account recovery vector.

What I did:

Audited every old account. Deleted the ones I don't use (most platforms let you request full deletion). Removed phone numbers from profile fields where they weren't required. Made older accounts private or locked. Going forward: different usernames per platform type (social vs professional vs technical).

Vulnerability #2 — My primary email appeared in 3 data breach databases (Severity: High)

I checked my email addresses on haveibeenpwned.com (free, completely legitimate service run by security researcher Troy Hunt). My primary email — the one I've used since college — appeared in three separate data breaches: an old gaming platform breach from 2021, a food delivery service from 2023, and one I didn't recognise at all.

What was exposed: In those breaches, my email address, usernames, and in one case a hashed password were included. If I had reused that password anywhere — which I had — an attacker with access to those breach databases could potentially access my accounts through credential stuffing attacks.

What I did:

Immediately changed passwords on any accounts using that email that hadn't been updated since the breach dates. Enabled breach monitoring alerts on haveibeenpwned.com (free, sends email when your address appears in new breaches). Started using email aliases for new account signups.

Phase 2 — Password Audit: The Most Uncomfortable Findings

I'll be honest about this section because the findings embarrassed me. I study cybersecurity. I know exactly why password reuse is dangerous. I teach people not to do it. And I had still been doing it for accounts I considered "unimportant."

The rationalisation most people use — including me — is: "it's fine for accounts that don't matter." The problem is that "accounts that don't matter" are often linked to email recovery addresses, share passwords with accounts that do matter, or contain personal information an attacker can use elsewhere.

Vulnerability #3 — 23 accounts sharing 4 passwords (Severity: High)

I exported my saved passwords from Chrome (Settings → Passwords → Export) and did a count. I had 47 saved accounts. Of those, 23 were using one of only 4 different passwords — with slight variations like a capital letter or an added number. Three of those password variants were based on the same root word with predictable modifications.

Real-world risk: If any one of those 23 services was breached (which, given the haveibeenpwned results above, was already true for at least three), an attacker could attempt those password variations against my email, banking apps, and other high-value accounts within minutes using automated tools.
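The count above can be automated so that you never have to eyeball 47 rows. The script below is an added example, not the author's own tooling: it reads a CSV in the column layout Chrome's password export uses (name, url, username, password, note), collapses each password to its "root word" by lowercasing it and stripping leading and trailing digits and symbols, and reports which sites share a root. The sample export embedded in it is constructed; the site names and credentials are invented.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout Chrome's password export uses
# (name, url, username, password, note). All values are invented.
SAMPLE_EXPORT = """name,url,username,password,note
example-shop,https://shop.example,me@example.com,Sunflower2019,
example-forum,https://forum.example,me_handle,sunflower2019!,
example-bank,https://bank.example,me@example.com,Sunflower19,
example-mail,https://mail.example,me@example.com,vT9#kq2LmX8!pR4wZs1e,
example-game,https://game.example,me_handle,Sunflower2019,
example-news,https://news.example,me@example.com,Qwerty123,
example-stream,https://stream.example,me@example.com,qwerty1234,
"""


def root_of(password: str) -> str:
    """Reduce a password to the root word an attacker would mutate:
    lowercase it, then strip leading/trailing digits and symbols.
    'Sunflower2019', 'sunflower2019!' and 'Sunflower19' all become 'sunflower'."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return core or password.lower()  # all-digit passwords keep their own root


def reuse_clusters(export_text: str) -> dict:
    """Group saved logins by password root.
    Returns {root: [site names]} for every root shared by more than one site."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[root_of(row["password"])].append(row["name"])
    return {root: sites for root, sites in groups.items() if len(sites) > 1}


def summarize(export_text: str) -> tuple:
    """(total logins, logins sharing a root with another login, number of shared roots)."""
    total = sum(1 for _ in csv.DictReader(io.StringIO(export_text)))
    clusters = reuse_clusters(export_text)
    shared = sum(len(sites) for sites in clusters.values())
    return total, shared, len(clusters)


if __name__ == "__main__":
    total, shared, roots = summarize(SAMPLE_EXPORT)
    print(f"{total} logins, {shared} of them share one of {roots} root passwords")
    for root, sites in reuse_clusters(SAMPLE_EXPORT).items():
        print(f"  root {root!r}: {', '.join(sites)}")
```

Run it against your real export by reading the CSV file into `summarize` instead of `SAMPLE_EXPORT`, on the same machine the export was made on, and delete the CSV when you are done: an unencrypted password export is exactly the kind of file the disk-encryption section below is about. Treat every cluster the script prints as one password to rotate first.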

What I did:

Installed Bitwarden (free, open-source password manager). Spent one focused evening changing every password to a unique, randomly generated 20+ character string. Priority order: email first, banking second, social media third, everything else over the following week. This was the single most impactful security improvement I made.

Vulnerability #4 — No two-factor authentication on critical accounts (Severity: High)

I checked 2FA status across my most important accounts. My Google account had 2FA enabled (added it a while ago). My GitHub had 2FA enabled. My university email — used for financial aid, student records, and institutional communications — had no 2FA. My primary bank's app had PIN-only access, no separate login 2FA. My WhatsApp had 2FA disabled.

Why WhatsApp matters specifically: WhatsApp account takeover through SIM swapping is common in India. An attacker who gains access to your WhatsApp has immediate access to your entire contact network for social engineering attacks — they can impersonate you to request money transfers from family members. This happens regularly and the cases are frequently reported.

What I did:

Enabled 2FA on every account that supports it, prioritising: university email, WhatsApp (Settings → Account → Two-Step Verification), banking apps (where available), social media. Used an authenticator app (Aegis, free and open-source) rather than SMS for critical accounts, since SMS-based 2FA is vulnerable to SIM swap attacks.
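The reason an authenticator app resists SIM swapping is that the code never travels over the phone network at all: the app and the service share a secret once, and both compute the same six digits from that secret and the current 30-second time slot. The implementation below is an added example (not Aegis's code, nor anything from the original post) of that RFC 6238 arithmetic, plus the server-side check that tolerates a little clock drift. `RFC6238_SHA1_SECRET` is the published test-vector secret from the RFC, so the codes it produces can be checked against the standard.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# The ASCII secret "12345678901234567890" from RFC 6238's test vectors, base32-encoded.
RFC6238_SHA1_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """What the service generates at enrolment and shows as a QR code: 160 random bits."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, for_time: Optional[int] = None, digits: int = 6,
         step: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamic truncation, modulo 10^digits.
    This runs entirely on the device; no network or phone number is involved."""
    if for_time is None:
        for_time = int(time.time())
    clean = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian step number
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, now: int, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of clock
    drift, comparing in constant time so timing does not leak the expected code."""
    return any(hmac.compare_digest(totp(secret_b32, now + k * step, step=step), candidate)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    print("code for the RFC test secret right now:", totp(RFC6238_SHA1_SECRET))
    print("a freshly generated enrolment secret:", new_secret())
```

The only long-lived material is the shared secret, which is why the backup codes and the secret itself belong in the password manager's encrypted vault rather than a screenshot in your camera roll. A one-step `window` is the usual trade-off: it forgives thirty seconds of phone clock drift without meaningfully widening the guessing space.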

Phase 3 — Account Exposure Audit

Beyond passwords, I looked at what my accounts were actually exposing — to third parties, to apps I'd granted permissions to, and to other people.

Vulnerability #5 — 34 apps with Google account access, many long-abandoned (Severity: Medium)

Google lets you audit every third-party app that has been granted access to your Google account: myaccount.google.com → Security → Third-party apps with account access. I found 34 apps. Of those, I recognised maybe 12. The remaining 22 were from websites and applications I'd signed into once using "Sign in with Google" and never returned to.

Why this matters: Each of those apps potentially has read access to your Gmail, Google Drive, calendar, or contacts — depending on the permissions you granted when you first signed in (and almost certainly didn't read carefully). If any of those third-party apps was ever compromised, your Google data was exposed.

What I did:

Revoked access for every app I didn't actively use or recognise. Kept only apps currently installed on my phone or actively used. Going forward: use a throwaway email alias for one-time signups rather than "Sign in with Google."

No issues — Recovery contacts were current (Severity: Low)

I audited the recovery email and phone number on every major account. Fortunately, these were all current and pointed to accounts/numbers I still control. This is worth checking: recovery contacts on accounts you set up years ago sometimes point to old phone numbers or email addresses you've lost access to — which would lock you out if you ever needed account recovery.

Phase 4 — Device Security Gaps

I looked at my laptop, phone, and any connected devices with fresh eyes — asking what an attacker with 30 seconds of physical access could extract.

Vulnerability #6 — Laptop had no disk encryption (Severity: Medium)

My laptop (running Ubuntu) had full-disk encryption disabled. I had chosen not to enable it during installation because I thought it would slow down the system. The reality: modern disk encryption (LUKS on Linux, BitLocker on Windows) has negligible performance impact on any laptop made after 2018, and without it, anyone who gets physical access to your laptop — stolen, lost at a café, seized at a border — can read every file on it by booting from a USB drive.

My laptop contains: saved SSH keys, project files with credentials stored in .env files (yes, I know), browser sessions, and my university coursework. All of it would be immediately accessible without encryption.
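On Linux the quickest way to confirm whether that exposure applies to you is to look at the block-device tree: with LUKS, the filesystem holding `/` sits on a `crypt` device rather than directly on a partition. The checker below is an added example, not part of the original post; it walks the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux) prints and reports any mounted filesystem with no `crypt` device among its ancestors. The two embedded device trees are constructed to mirror the before and after states of the laptop described above. It does not apply to Windows or macOS hosts.

```python
import json
import shutil
import subprocess

# Constructed lsblk -J output for a laptop whose root filesystem sits directly
# on a partition: the "before" state described above.
SAMPLE_UNENCRYPTED = json.loads("""{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/"}]}]}""")

# Constructed output for the same laptop after a LUKS install: the root
# filesystem now lives on a "crypt" device stacked on top of the partition.
SAMPLE_LUKS = json.loads("""{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]}""")


def unencrypted_mounts(tree: dict, ignore=("/boot", "/boot/efi", "[SWAP]")) -> list:
    """Return mountpoints of filesystems that have no 'crypt' device anywhere among
    their ancestors. /boot and the EFI partition are normally plaintext by design,
    so they are skipped; everything else should sit under LUKS."""
    found = []

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and mountpoint not in ignore and not under_crypt:
            found.append(mountpoint)
        for child in dev.get("children", []):   # LVM-on-LUKS nests one level deeper
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return found


def live_report() -> list:
    """Query the running system (Linux with util-linux lsblk)."""
    if shutil.which("lsblk") is None:
        raise RuntimeError("lsblk not found; this check is for Linux hosts")
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    plain = live_report()
    print("mounted filesystems without an encryption layer:", plain or "none")
```

An empty list means every mounted filesystem other than `/boot` is under a `crypt` device. A result like `['/', '/home']` is the state the section above describes: anyone booting the laptop from a USB stick can read those filesystems outright.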

What I did:

Enabled LUKS disk encryption (requires reinstallation on Linux — I did a clean install). On Windows, BitLocker is in Control Panel. On Mac, FileVault is in System Preferences → Security. Also audited and moved all credentials out of plaintext .env files into a proper secrets manager.

Vulnerability #7 — Phone had 17 apps with microphone/location permissions they didn't need (Severity: Medium)

I went through every app's permissions on my Android phone (Settings → Privacy → Permission Manager). A casual games app had microphone access. A flashlight utility had location access. A regional news app had contacts and camera permissions. None of these are functionally necessary for what those apps actually do.

This is a recognised attack vector: malicious or compromised apps with excessive permissions can silently collect data. India has experienced multiple incidents involving popular regional apps collecting and misusing location and microphone data.

What I did:

Went through every permission category and applied minimum necessary access. Deleted apps I hadn't used in 6+ months. Changed location permission for most apps from "Always" to "Only while using." Disabled microphone access for every app except voice calls and one recording app.

Phase 5 — Network and Email Vulnerabilities

Vulnerability #8 — Home router using default admin credentials (Severity: Medium)

I typed 192.168.1.1 into my browser (standard router admin panel address) and logged in with admin/admin. Default credentials, unchanged since my family got the router installed. The admin panel gave me complete control over the network — I could redirect DNS, intercept traffic, or add devices to the network.

Router hacking is more common than most people realise. Attackers who get into your home router can intercept all unencrypted traffic, redirect banking website requests to fake pages, and monitor every device connected to the network.

What I did:

Changed admin username and password to a unique, long password (stored in Bitwarden). Updated router firmware to the latest version (Firmware Update option in admin panel). Disabled remote management (usually under Advanced settings). Verified WPA3 or WPA2-AES encryption was enabled (not the outdated WEP or TKIP).

Vulnerability #9 — Email filters had no rules catching phishing indicators (Severity: Low)

I looked at my Gmail settings and found I had zero custom filters configured. I was relying entirely on Gmail's default spam detection. For someone who regularly receives emails from financial institutions, government portals (university fees, scholarship applications), and recruitment emails from companies, this meant I was one convincing phishing email away from a credential compromise.

What I did:

Enabled Gmail's Enhanced Safe Browsing. Set up filters to flag emails that claim to be from institutions I deal with but come from non-official domains. Turned on Google's Advanced Protection Program (free, the strongest available account protection). Created a habit: before clicking any link in an email, check the actual URL by hovering. This sounds simple and it is — but it takes deliberate practice to make it automatic.
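The filter logic described above, "claims to be from an institution I deal with but comes from a non-official domain", is easy to state precisely, and stating it precisely is what makes the Gmail filter (or any mail rule) worth writing. The script below is an added example, not the author's filters: it applies three header checks to a raw message using only the standard library. `OFFICIAL_DOMAINS` is a constructed placeholder map; replace it with the domains your bank, university and employer really send from. The sample messages are constructed as well, and the `Authentication-Results` check assumes the receiving server writes that header in the usual `dmarc=pass` form, which Gmail does.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: institution name as it appears in display names,
# mapped to the domains that institution really sends from.
OFFICIAL_DOMAINS = {
    "example bank": {"examplebank.com"},
    "example university": {"example.edu"},
}

# Constructed sample messages; only the headers matter for this check.
SAMPLES = [
    """From: Example Bank <alerts@alerts.examplebank.com>
Authentication-Results: mx.example; dkim=pass; spf=pass; dmarc=pass
Subject: Your monthly statement is ready

body omitted""",
    """From: Example Bank Security <security@examplebank-verify.net>
Reply-To: recover@mail-relay.example
Authentication-Results: mx.example; spf=softfail; dmarc=fail
Subject: Urgent: verify your account within 24 hours

body omitted""",
    """From: "Example University Fees" <bursar@example.edu>
Reply-To: fees-desk@example-edu.co
Subject: Outstanding fee balance

body omitted""",
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_official(domain: str, allowed: set) -> bool:
    """Exact match or a genuine subdomain; 'examplebank.com.evil.net' does not qualify."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw: str) -> list:
    """Return the indicators found in one message's headers (an empty list means none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []

    # 1. Display name claims an institution, sender domain is not that institution's.
    for institution, domains in OFFICIAL_DOMAINS.items():
        if institution in name.lower() and not is_official(from_dom, domains):
            flags.append(f"display name claims '{institution}' but sender domain is {from_dom}")

    # 2. Replies would go somewhere other than the sending domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_dom = domain_of(parseaddr(reply_to)[1])
        if rt_dom != from_dom:
            flags.append(f"Reply-To domain {rt_dom} differs from From domain {from_dom}")

    # 3. The receiving server's own verdict: the From domain failed DMARC.
    auth = msg.get("Authentication-Results", "")
    if auth and "dmarc=pass" not in auth.lower():
        flags.append("Authentication-Results does not show dmarc=pass")
    return flags


if __name__ == "__main__":
    for raw in SAMPLES:
        subject = message_from_string(raw).get("Subject")
        print(f"{subject!r}: {phishing_indicators(raw) or 'no indicators'}")
```

Check 1 is the one that translates directly into a Gmail filter (display name contains the institution, sender domain is not on the allow list). Check 3 is the stronger signal, because the `From` header itself is unauthenticated text that any sender can write; the receiving server's DMARC verdict is what says whether the claimed domain actually sent the message. Hovering a link before clicking, as described above, is the manual version of the same question: does the destination domain match the institution the message claims to be?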

Phase 6 — Social Media OSINT Exposure

The last phase was the most unsettling to audit. I looked at my social media profiles the way an attacker doing OSINT (Open Source Intelligence gathering) would — piecing together everything I'd publicly shared over years to build a profile.

Vulnerability #10 — Years of location-tagged posts revealed my patterns (Severity: Medium)

Looking at my Instagram posts from the last three years with OSINT eyes: I could determine my college location, my approximate home neighbourhood (from geo-tagged posts near home), restaurants and cafés I frequent, and — most concerning — my general daily schedule based on when and where I posted. There were also photos that incidentally showed my student ID, a bank statement in the background of one photo, and my laptop sticker collection (which reveals exactly what operating system and tools I use).

For an attacker attempting social engineering, this kind of detailed profile is extremely valuable. They know where you are, when you're there, what you care about, and details that help them sound credible when impersonating someone who knows you.

What I did:

Set all old posts to private (Instagram allows this in bulk). Removed location data from new posts. Reviewed and deleted about 30 posts that revealed sensitive information. Changed privacy settings so posts are only visible to followers I've approved. This won't undo the exposure of old posts that people may have saved, but it limits ongoing exposure.

My Final Audit Score — And Yours

The honest summary of what I found

Before the audit, I would have rated my own security as "pretty good" — I'm studying cybersecurity, I know about these threats. The reality:

  • 3 email addresses in breach databases
  • 23 accounts with reused passwords
  • 4 critical accounts without 2FA
  • 22 third-party apps with unnecessary Google account access
  • No disk encryption on my primary laptop
  • 17 apps with excessive mobile permissions
  • Default router credentials
  • Significant OSINT exposure across social media

The good news: every single one of these was fixed in a single weekend with free tools. The bad news: most of these would have been exploitable by a moderately skilled attacker before I fixed them.

Your Personal Security Audit Checklist

Do This Yourself — In Order

  1. Check your email addresses at haveibeenpwned.com — note every breach
  2. Export your saved passwords and count how many share the same base password
  3. Install Bitwarden (free) and begin migrating to unique passwords — email and banking first
  4. Enable 2FA on: email, banking apps, WhatsApp, social media — use an authenticator app, not SMS where possible
  5. Audit third-party app access: Google (myaccount.google.com → Security), and any other "sign in with" accounts
  6. Check phone permissions: go through every app in Permission Manager and remove what's unnecessary
  7. Log into your router admin panel — change default credentials, update firmware
  8. Check your laptop: is disk encryption enabled? (BitLocker / FileVault / LUKS)
  9. Google your own username, full name, and email — review what's publicly visible
  10. Audit social media privacy settings — make older posts private, remove sensitive location data

The free tools I used throughout this audit:

  • haveibeenpwned.com
  • Bitwarden (password manager)
  • Aegis Authenticator
  • Google Security Checkup
  • Shodan (for network exposure)

One thing I want to be clear about: None of this requires technical knowledge. The vulnerabilities I found are the same ones a non-technical person would have. The fixes are all free and take minutes each. Security is not about expertise — it's about doing the basic things consistently. Most successful attacks target basic failures, not sophisticated defences.

About the Author

Amardeep Maroli

MCA student from Kerala, India. I write about practical cybersecurity — what I learn, what I find, and what actually works for people without security budgets or computer science degrees. TechWithAmardeep is my learning journal and my portfolio.

Personal Security Audit — FAQs

How often should I do a personal security audit?
Do a full audit like this once per year — set a calendar reminder. Do smaller checks more frequently: check haveibeenpwned monthly (or set up free breach alerts), review app permissions when you install something new, and change any password immediately when a service you use announces a breach. The annual audit catches the accumulated drift — the old accounts, the accumulated app permissions, the things you set up once and forgot about.
Is haveibeenpwned.com safe to enter my email into?
Yes — it is one of the most trusted security tools online, operated by Troy Hunt, a respected Microsoft Regional Director and security researcher. The site does not store your search queries, does not email you unless you specifically subscribe to breach alerts, and has been publicly vetted by security professionals. It is referenced by national cybersecurity agencies including the UK's NCSC. It is safe to use.
Is Bitwarden really secure for storing all my passwords?
Bitwarden is open-source (anyone can audit the code), has been independently security-audited, uses end-to-end encryption (Bitwarden cannot see your passwords even if they wanted to), and stores your passwords encrypted with your master password which never leaves your device. It is widely recommended by security professionals as the best free password manager. The risk of using a password manager is significantly lower than the risk of reusing passwords across accounts — which, as shown above, is a common cause of account compromises.
What if I find my data in a breach — what do I actually do?
First: don't panic. Appearing in a breach database means your email and possibly some other data was exposed — it doesn't mean you've been hacked. Immediate steps: change the password on the breached service (if you still use it) and on any other account where you used the same password. Enable 2FA on those accounts if not already done. Monitor those accounts for unusual login activity over the following weeks. If financial information was in the breach, notify your bank and monitor statements. That's genuinely all you need to do in most cases.

Did you run this audit on yourself? What did you find? Share in the comments — I'm especially curious whether people find their routers are still on default credentials. My guess is at least half are.
