Oh the Irony…

In the past three or four years I have listened to no fewer than twenty-eight audio books on cybersecurity, mostly focused on cyber intrusions (what most people refer to as ‘hacks’), social engineering, and malware. No fewer than three (3) of those books were written by employees of WIRED Magazine.

The irony of it hit me in the face when I received an email over the weekend between Christmas and New Year's that read:

Breach: WIRED

Date of Breach: September 2025

Breached Accounts: 2.36 Million

Compromised Data: Dates of birth, Display names, Email addresses, Genders, Geographic locations, Names, Phone numbers, Physical addresses

Description: In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number, date of birth, gender, and geographic location or full physical address. The WIRED data allegedly represents a subset of Condé Nast brands the hacker also claims to have obtained.

I think no less of either WIRED or its parent company than I did before this. The truth is that companies are going to be compromised and while they can take every reasonable precaution to lessen the chances, the reality is that no company can take every step necessary without making their products or services unusable and cost-prohibitive. Knowing some of the employees of both firms, I am confident that the breach was not the result of carelessness on the part of the IT and Information Security teams.

I receive emails from https://www.haveibeenpwned.com on a fairly regular basis. I have hundreds of accounts on hundreds of websites, and every time one of those sites is compromised, I am advised… and I take whatever precautions I can or should, based on the breach information.

In the case of WIRED, I cannot change (nor could I have masked) my physical address because I subscribed to the physical magazine and they had to mail it to me. With that said, they were sending it to an address in Texas that is no longer mine and no longer relevant to me.

You might notice in the announcement that several things – date of birth, email and physical address, names and phone numbers – are included in the leak. Passwords were not. That did not stop me from logging into my account and changing my password immediately. Why? You never can be sure… and while the worst that could happen if someone logs into WIRED as me is they might see my reading trends and saved articles, that does not change the fact that it is better to be safe than sorry.

If you were to ask me what steps you can take to reduce even further the likelihood of such breaches costing you, then I have the following suggestions for you:

  • Create an alternate persona – including fake name, address… everything – that you can use for sites that do not require a credit card (at which point you likely need to provide your actual details). Create an email account only for this purpose. Keep a record of these details, and use them for any site that does not require you to use your actual details. It is easier than trying to remember fake details for different sites.
  • Use a strong password vault. This will allow you to use different passwords for every site you visit. Yes I know… it is hard to remember dozens or even hundreds of passwords. That is what the password vault is for! The one I use lets me know if I have reused passwords, or weak ones. Every few months I go into my dashboard and check my security score… and I review all of my reused passwords (which are mostly because the same site has two or three entries because of different URLs). I change the ones that need to be changed, I clean up the ones that need to be cleaned up.
  • Never share your passwords! I wish I did not have to keep repeating that.
  • Whenever possible, implement Multifactor Authentication (MFA). You have a smartphone, so install an Authenticator app onto it.
  • More and more sites are offering you the option to log in via a passkey. That is not a terrible idea!

These are just a few suggestions off the top of my head. There is a great book called The Art of Invisibility by Kevin Mitnick with Robert Vamosi which goes into great detail about the lengths you can take to go completely anonymous online. While I found it to be an interesting read, I consider the steps required for complete online anonymity somewhat (cough) extreme… not to mention pricey and inconvenient. While I might go about setting up a completely anonymous identity online as an exercise, it would be completely impractical for anyone to do, let alone maintain.

While I know there are services out there that might do it, I do not believe it possible or at least practical to completely eliminate your online presence. I also know that for me, having spent a great deal of time building my online presence (before I started focusing on cybersecurity) it would be nearly impossible to eliminate; nor would I want to. I am neither a criminal nor a paranoiac… and while I realize that bad things can happen when too much information is shared online, I try to not share too much… and I constantly weigh the benefits of my online presence against the potential of what could happen. Just like I teach it in class, I follow a Risk Management strategy that includes Risk Awareness, Risk Minimization, Risk Tolerance, and Risk Avoidance.

My point is that the Internet is both an amazing resource and a dangerous place for the unaware. Stay informed, stay aware, and stay vigilant. Yes, you are going to get spam and yes, people are going to try to social engineer you. It is absolutely certain that one or more sites that you are registered with will be compromised, so take the steps necessary to minimize the potential damage that could happen – not reusing your passwords is just one example. Never register on a site that does not have a valid TLS Certificate protecting it. Stay off the types of site that have traditionally been magnets for cyber attacks – pornography, non-secure gaming, and any site that offers pirated software (or other files) for download, publishes or sells illegitimate license keys or hacks, or sells (or gives away) exam cheat sheets.

Safe web browsing is not too different from walking down the street. Stay aware, walk/surf with intent, and stay out of the bad neighbourhoods. Will that keep you completely safe? Absolutely not… but it will reduce your risk.

As for compromised sites… well you either know that your information has been compromised or you do not know that your information has been compromised. Either way, your information has indeed been compromised. Sorry if I am the bearer of bad news.

(Oh… and if you believe that posting a disclaimer on your online profile that states that you do not give permission to use your information or pictures means anything to anyone, then boy do I have bad news for you… those disclaimers are not worth the paper they are printed on!)

Stay safe people… and happy surfing!
