I’ll Never Tell You My 9GAG Username, But a Data Breach Might
Last year, around this time, I was hanging out with my brother, chatting about the state of the world and the latest news. One beer after another led to a terribly blunt question: “By chance, are you on 9GAG, bro? Do you have an account on the platform?”
I told him that I did. And then—silence. An awkward, unnatural silence between two people who had just learned they were on the same platform.
Wanna send you a friend request on the platform? No, thanks. I still wanna be invited at family functions.
He laughed and said that was fair. Everyone is allowed to have their opinions on the internet — that’s what makes the world go round. But he also said that he would never tell me his username. On the internet, nobody knows you’re a dog, but they can still find out if you’re a cat person.
I laughed, and we moved on to other topics. But the conversation stuck with me. I started thinking about the data I had shared with dozens or hundreds of web services unde the guise of annonimity, and how much of it was still relevant. I had shared my email address, my date of birth, and my location. I had also shared my interests, my likes, and my dislikes. I had shared my opinions, my thoughts, and my feelings.
And sometimes, opinions expressed under the guise of annonimity don’t necessarily click with who you are in real life.
How would you feel during an emergency landing in Russia, knowing you’ve left thousands of “unfriendly” comments on war-related videos? How would you feel if your vegetarian customers boycotted your business because your search history is packed with meat recipes? What if your employer decided that your corporate job doesn’t align with your weekend hobby of writing lyrics for thrash metal bands? Or if your partner discovered that, all this time, you’ve spent a considerable amount of it flirting with strangers on Ashley Madison?
Or worse, what if your kid grew up, stumbled upon your digital footprint and completely misjudged you the person you used to be?
The breach that keeps on giving
Thanks to massive data breaches, these secrets don’t always stay hidden. I’m not talking about a single hacked website here or a leaked database there. Over the years, cybercriminals have compiled stolen credentials from hundreds of breaches into mega-leaks that serve as one-stop shops for anyone willing to uncover the online past of millions of people. Take the Compilation of Many Breaches (COMB), for instance, a dataset of 3.2 billion email-password pairs mashed together from over 250 different breaches. And that was just one of many. You can change your credentials. You can get better at compartmentalizing identities. But good luck changing your search history. Or scrubbing those nasty comments you left on a forum in 2005.
Unlike a one-off hack of a major platform, mega-breaches don’t fade into the background. They build on each other. Every time a new company suffers a data breach, the stolen usernames, emails, and passwords don’t just get dumped on the dark web and forgotten. They get added to an ever-growing dataset of exposed credentials, cross-referenced, and indexed for convenience. In the hands of an attacker, this isn’t just a pile of stolen passwords—it’s a searchable archive of who you were on the internet. This is a living organism that, like a Pokemon that evolves into Mega Breach, and then into Fully Indexed Online Persona
These datasets make it painfully easy to connect the dots between an anonymous online identity and a real person. Maybe you used the same password on a long-forgotten gaming forum as you did on your primary email. Maybe your 9GAG account was tied to an IP address that was linked to your real identity (also exposed in a breach years ago). It doesn’t matter that you’ve moved on, changed your passwords, or scrubbed your social media—the old you is still out there, waiting to be rediscovered.
The chilling effect of a Permanent Digital Memory
Every once in a while I look behind and cringe at what I did or what I thought decades ago. Teenage years are marked with different values, different beliefs, and different priorities. I was a teenager, a young adult, a student, a professional, a parent. I’m glad that (most of) my past is not searchable, that my opinions are not indexed, and that my mistakes are not immortalized in a database.
It’s easy to joke about past internet habits, but the implications are serious. People have lost jobs, relationships, and reputations over things they said or did online under the assumption of anonymity. Data leaks have turned up incriminating messages, old forum posts, and even private emails that were never meant to be public.
One example is the IronMarch neo-Nazi forum leak, where usernames, emails, IPs, and private messages got exposed. Investigators used that info to track down extremists who thought they were safe behind fake names, linking them to actual people. Some turned out to be in the military, working at big companies, or even public figures. They assumed nobody would ever know who they really were, but they were wrong.
It doesn’t take an extremist forum, though, for old posts to cause problems. This is, excuse the pun, an extreme example. A leaked IP address could connect your employer to a controversial Reddit comment. An exposed email address from a breach years ago might be linked to a now-embarrassing username. A forgotten post on a random forum could surface your phone number in search results.
The internet never forgets. Tens of thousands of companies are built on bots that constantly search for information about you—data that trains AI algorithms capable of predicting almost everything about who you are and what you do.
So, what should I do about that?
Short answer: you can’t do anything, at least not completely. But you can make it harder for people to connect the dots.
VPNs are often sold like snake oil, but they do cloak your current location and browsing history commits. They won’t help you cherry-pick out past mistakes, yet they can keep bad actors from easily merging new bits of your identity into the “main” branch of hdata breach compilations.
Build segregated identities. Apple has a wonderful feature called “Hide My Email” that allows you to create a unique email address for every service you sign up for. This is so effective that very few of the commercial vendors living off of your data would ever implement it. This way, if one of your email addresses gets exposed in a breach, it won’t contribute to refining your online persona in any way. You’re basically hundreds of people, each with their own email address. But that’s as for as long as your VPN service is not leaking your real IP address.
Don’t fool yourself into thinking these measures will scrub your past. Your data is out there, rotting in data dumps for anyone to dredge up. You can shore up your defenses, or pray your darkest online confessions stay buried.
As for my 9GAG username? That stays between me and the rest of the people who have a copy of my data.
