I Doxxed Myself This Week

December 11, 2021

Did you know I started putting out video content this year? You can view it on PeerTube, Odysee, and YouTube. If you do so, you may notice that I reuploaded my Bitwarden video. That’s because, this week, I accidentally lightly doxxed myself. And I want to talk about what we can learn from it.

What Was It & Damage Control

Let’s start by answering the question I’m sure everyone’s wondering: “What got exposed?” Well, I’ll answer because there’s a lot we can learn there, too. It was my email address – including a custom domain – for my personal Bitwarden account. My response – once someone more attentive than me caught this mistake – was to pull the video, blur out the email address, and reupload it. Hence, the reupload file.

So What Can We Learn?

1. Mistakes can happen to anyone. This is gonna sound a little narcissistic but bear with me: The New Oil’s success has made me a bit of an authority. While I try to be very open about the limits of my expertise, that doesn’t stop people from constantly contacting me to ask my opinion on a variety of privacy- and security-related topics. That’s fine, I enjoy sharing what I know, but the point is that nobody is immune to mistakes. Even being an “expert” or “authority” in this space does not make me immune to slip ups. I’ve said it a million times and I’ll continue saying it: nothing is unhackable. No matter how much you’ve done, you will still have weaknesses, and sometimes that weakness is yourself. Always be vigilant, always look for ways to improve. (But be careful not to get paranoid and carried away.) On that topic:

2. Risk management. When this leak was pointed out to me, I wasn’t scared. I was more upset at myself for missing it in editing. That’s because the information that was leaked was very non essential. It’s a personal email address, but it wasn’t a password, and my account is protected behind two-factor authentication. Furthermore, I don’t keep any essential passwords in Bitwarden. I mainly use it to share passwords with my partner – like the Netflix password or grocery list – and sync passwords to Windows for my audio stuff. I don’t have any banking passwords, sensitive account passwords, or anything like that. I’ve managed the risk: when I’m on Windows (which I am every time I produce a video), there’s very little sensitive information to expose. That’s by design. Risk management. Finally:

3. Non-descript usernames and domain names. The main reason this leak wasn’t a big deal though, and one of the biggest takeaways I want to discuss is the nondescript nature of it. I’m a big fan of purchasing your real name as a domain to plant your flag, but I’m also a big fan of not using it unless you have a reason. As such, I have another domain that I use for emails that are important to me and I don’t want to lose control of, but I also don’t necessarily want it tied to my real name.

I hope this blog has been helpful. We all make mistakes, but hopefully you can learn from mine. Be vigilant, cut yourself some slack when you fail, and try to fix it so it doesn’t happen twice. The only true failure is not learning from a failure.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.