# The yearly privacy debt audit

> How to do a once-a-year sweep of accumulated privacy debt: old accounts you forgot, breach exposure since last year, data-broker entries that grew back, abandoned email aliases, stale 2FA recovery keys, social-media archives to pull before you lose access, and the address / phone change-of-record sweep.

Markdown twin of https://xmr.club/guides/privacy-debt-audit. CC-BY-4.0. Attribute "xmr.club".

## At a glance

- Canonical: https://xmr.club/guides/privacy-debt-audit
- Slug: privacy-debt-audit
- Title: The yearly privacy debt audit
- Description: How to do a once-a-year sweep of accumulated privacy debt: old accounts you forgot, breach exposure since last year, data-broker entries that grew back, abandoned email aliases, stale 2FA recovery keys, social-media archives to pull before you lose access, and the address / phone change-of-record sweep.
- Available locales: en, zh, es, ru
  - zh: https://xmr.club/zh/guides/privacy-debt-audit
  - es: https://xmr.club/es/guides/privacy-debt-audit
  - ru: https://xmr.club/ru/guides/privacy-debt-audit

## Intro

Privacy is not a one-time setup. Every year you accumulate debt: accounts you forgot you created, breaches that exposed credentials you have not rotated, data brokers that grew back after you opted out, email aliases nobody is reading, 2FA recovery keys for services you no longer use, social-media archives you should have pulled before the platform changed hands. Most of this debt does nothing until something goes wrong — and then it does a lot.

This guide is the once-a-year audit: a concrete sweep across seven specific debt classes, plus a one-day checklist, plus the things that look like debt but are not worth the time. It is not a beginner privacy guide; it assumes you have already set up the basics and want to keep them clean.
## Body

## What privacy debt actually is

Privacy debt is the accumulated count of identifiers, accounts, credentials, and disclosures that you no longer actively maintain but that still exist somewhere in a system that can leak them. The shape it takes:

- **Accounts you stopped using but did not delete.** The email host, the social platform, the niche forum, the subscription you cancelled the credit-card charge on without closing the account.
- **Credentials reused across services.** The password from a 2019 breach you still use somewhere, the recovery email at a host you can no longer log into, the SMS-2FA tied to a phone number that has been recycled.
- **Disclosures already made.** Data brokers that re-aggregated public records since you last opted out, an old address still listed on Whois, a public archive of a thing you regret posting.
- **Tools that quietly changed sides.** A VPN that introduced KYC, an email host that loosened its end-to-end posture, a wallet whose binaries are no longer being signed by the original maintainer.

The cost of debt is asymmetric. Most years, nothing happens. The year something does — a breach, a doxxing, a platform deciding to ID-verify accounts retroactively — the debt is what determines how bad it gets. The audit's job is to reduce that worst-case cost while the debt is still cheap to clean up.

## 1. Old-account inventory

You almost certainly have more accounts than you remember. The cheapest way to find them:

- **Inbox search.** Search your main inbox for `"welcome to"`, `"confirm your email"`, `"verify your account"`, `"reset your password"`. Each hit is an account you signed up for at some point. Read the list of hits, not just the count.
- **Password manager dump.** Export the full list. Anything you have not logged into in the last 12 months is a candidate for deletion or closure.
- **Browser autofill.** Older Chrome / Firefox / Safari profiles remember sites you stopped using. Pull the saved-login list.
- **Account recovery emails.** Search for forgot-password emails sent to you — those are services you still have credentials at.

For every account on the list, the choices are: (a) delete it (preferred, when the service supports it), (b) overwrite the personal data to `deleted-user-` values then close the account, or (c) accept that the account is going to stay live and rotate the password / recovery email to current values.

*Justeruse.com*-style account-finder tools exist but they crawl your inbox themselves — do the inbox search by hand if the inbox is sensitive.

## 2. Breach exposure check

The fastest signal for "what credentials have been published in the last year":

- **Run every email address you use through Have I Been Pwned** (`haveibeenpwned.com/account/`) — including the addresses you forgot you created. Each new breach since last year's audit is a service that needs a password rotation and (if reused) every *other* service that shares that password.
- **Check the Pwned Passwords API for your top-tier passwords** — if a password you actually use shows up in the k-anonymity hash range, it has been published somewhere and is no longer protective regardless of how strong it looks.
- **Check exposed-credentials lists for the email addresses on your high-value services** — bank, primary email, government identity. If the email used as a login at your bank is in a breach, the bank login itself may not be compromised but the recovery vector has been weakened.

For every fresh hit: rotate the password at the affected service first, then sweep the password reuse — if the same string was used elsewhere, those are also compromised whether or not the other service shows up in HIBP yet.

## 3. Data-broker opt-outs grow back

If you sent opt-out requests to people-search sites last year, the realistic shape this year is:

- **About 30-50% of them grew back.** Data brokers refresh from public records (court filings, voter rolls, property transactions, marketing lists they buy). Your old removal request did not propagate to the new ingestion.
- **New brokers appear every year.** A site that did not exist when you ran last year's sweep is now indexing you.
- **The DIY list is now ~150+ sites.** Doing it by hand is a full weekend.

Practical move: re-run a focused removal at the top dozen by reach (Spokeo, Whitepages, BeenVerified, Intelius, PeopleFinder, Radaris, MyLife, Truepeoplesearch, FastPeopleSearch, USSearch, Pipl, Nuwber). Those carry ~80% of the casual-search exposure. If your threat model justifies it, a paid removal service (DeleteMe, Optery, Privacy Bee) automates the rest — verify in their docs which brokers they actually cover, because the long tail is the value.

## 4. Abandoned email aliases

If you use an alias provider (Anonaddy, SimpleLogin, addy.io, Apple Hide My Email), some of your aliases are dead — they go to inboxes you no longer monitor, or they were created for a service that no longer exists, or they were a one-time intake address that you never burned. The audit:

- **Pull the full alias list** from your provider. Sort by last-received-at if the provider exposes it.
- **Burn dead aliases.** Delete the alias, then change the email-of-record on the corresponding upstream service to the real address or to a fresh alias. If the upstream service is itself abandoned (per Section 1), delete the upstream account first.
- **Audit destination forwarding.** If you set up forwarding to a now-defunct inbox or to a personal address that has moved, the aliases are silently dropping messages.
- **Audit the alias-provider account itself.** Is it still under a payment method you control? Is the recovery email still live?
An alias provider you lose access to is worse than no aliases at all.

## 5. Stale 2FA recovery keys and seed phrases

The class of debt most likely to bite you in a real recovery scenario:

- **Recovery codes printed on paper.** Are they still in the place you put them? Are they for accounts you still have? Burn / shred the ones for accounts you closed in Section 1.
- **Backup-email recovery vectors.** Audit every recovery-email line item. If your recovery for service A is a Gmail you no longer log into, an attacker who takes that Gmail also takes A.
- **SMS-2FA on phone numbers you don't fully control.** If you ported, lost, or recycled a phone number in the past year, every account that still uses that number as a 2FA channel is compromised. Replace with TOTP or a hardware key. Most carriers expose this on the privacy dashboard if you ask.
- **Hardware-key inventory.** Do you still have both keys you registered? If one is lost or in a stolen / inaccessible location, register a replacement now and de-register the lost one.
- **Wallet seed phrases.** Were any kept in a state that has degraded — paper exposed to humidity, metal backup at an address you no longer live at, encrypted file on a hard drive you no longer have the passphrase for? Re-do the backup. See [Monero cold storage](/guides/monero-cold-storage) for the canonical pattern; [inheritance plan](/guides/monero-inheritance-plan) for the long-tail version.

## 6. Social-media archive pulls

Platforms change. Accounts get banned, hacked, suspended, recovered-by-someone-else, deleted-because-policy. Your years of posts are not safe on someone else's server:

- **Pull your archive once a year** from every platform where you have anything you would miss. Twitter / X export, Facebook export, Instagram export, Reddit data request, Discord data request. Most arrive within hours to days.
- **Store the archives offline.** Encrypted external, encrypted remote, an entry in your normal backup routine. The point is to have them when the platform is no longer cooperative.
- **Then re-audit the visibility of what's on each platform.** Posts that made sense in 2018 may be a doxxing surface today. Delete the ones you would not post now. The archive you pulled is the safety net.
- **Account-portability claims are aspirational.** "I can always re-create my profile" is true until the platform decides your email address is now blocked, or your previous handle is held by someone else, or your country has been geo-restricted.

## 7. Address and phone change-of-record sweep

If you moved or changed numbers in the past year, the sweep is mechanical and unfun:

- **Banks, brokerages, insurance.** Easiest to do online; biggest consequence if forgotten.
- **Government records.** Driver's license, voter registration, passport address, tax authority, social-security-equivalent. The order matters in some jurisdictions — driver's license first feeds voter roll automatically in many US states.
- **Domain registrar Whois.** If a personal domain still lists the old address, the data broker layer will eventually catch up.
- **Subscription services and shipping defaults.** Amazon, Apple, Google, the mailing list you signed up for in 2017. A package addressed to the old place reaches whoever lives there now.
- **Emergency contacts maintained by other people.** Notify the friends and family who would be called in an actual emergency that the number / address has changed. This is the version of the audit that protects future-you from someone else's outdated record.

## One-day audit checklist

If you can dedicate a single weekend day to the audit, the order that gives you the most safety per hour:

- **Morning (2-3 h).** Run all email addresses through HIBP. Note the new breaches. Rotate the affected passwords immediately, sweep reuse.
- **Late morning (1 h).** Inbox search for "welcome to / verify / confirm". Build the account list. Mark each as keep / close / overwrite-and-close.
- **Early afternoon (2 h).** Close 5-10 of the highest-risk old accounts. Burn the corresponding aliases. Move the recovery email lines off any defunct host.
- **Mid afternoon (1 h).** Re-run people-search opt-outs at the top 12 brokers (use a fresh email or alias for the receipt, not your real address).
- **Late afternoon (1 h).** Verify 2FA recovery codes are present, audit phone-number 2FA, and replace SMS with TOTP / hardware key on the top-3 highest-value accounts.
- **Evening (1 h).** Pull social-media archives, let them download overnight. Decide what to delete from each platform tomorrow.
- **Next day (1 h).** Verify the archives downloaded cleanly; encrypted back-up to your normal storage; commit the deletions on the platform side.

That's the once-a-year version. Spread across a calendar quarter it is one Saturday morning a month. The leverage is the inventory step at the start — once you know what exists, the actual cleanup is quick.

## What is NOT worth doing

- **Suing every data broker for compliance.** The legal cost dwarfs the benefit unless you are a public figure with a specific identifiable harm. The reasonable bar is "did the top dozen brokers comply with the standard request?"
- **Switching everything to a new identity each year.** The work is enormous and the new identity is just as leaky in twelve months. Build a stable, well-audited identity instead.
- **Deleting your historical accounts in pure-purge mode.** Some old accounts are anchors — proof you have been online consistently — and walking those away can hurt account-recovery vectors later (the bank that wants to verify you, the platform whose age-of-account is a moderation signal). Keep the long-tenured ones; clean what they hold instead.
- **Buying a "privacy dashboard" subscription that does not name its brokers.** If the service does not publish the broker list it removes from, you cannot tell whether it covers the ones that matter for you. Pay only for transparent coverage.
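The inbox search in Section 1 (and the "late morning" checklist step) is easy to script once you have an mbox export, which is what makes "read the list of hits, not just the count" practical on a large inbox. The following is an added example, not xmr.club code: it parses messages with the standard library, keeps only the signup-style subjects the guide lists, and groups them by sender domain with first/last dates and the address each mail reached (that address is the one to feed into the HIBP run in Section 2). The sample messages, the `*.example` domains and `NOW_SAMPLE` are constructed; `load_mbox()` is how you would point it at a real export.

```python
"""First-pass account inventory from an mbox, driven by the signup-style
subject lines the guide searches for.

Added example for Section 1 of this guide; not xmr.club code. The sample
messages below are constructed; point load_mbox() at a real export to run
it on your own inbox.
"""
import email
import email.header
import email.message
import email.utils
import mailbox
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

SIGNUP_PHRASES = ("welcome to", "confirm your email",
                  "verify your account", "reset your password")


def decode_subject(raw) -> str:
    """Decode RFC 2047 encoded-word subjects; plain ASCII passes through."""
    if not raw:
        return ""
    return str(email.header.make_header(email.header.decode_header(str(raw))))


def sender_domain(from_header) -> str:
    _, addr = email.utils.parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def looks_like_signup(subject: str) -> bool:
    s = subject.lower()
    return any(phrase in s for phrase in SIGNUP_PHRASES)


def inventory(messages: Iterable[email.message.Message]) -> Dict[str, dict]:
    """Map sender domain -> first/last hit, hit count, subjects, and the
    address the mail reached (run that address through HIBP in Section 2)."""
    found: Dict[str, dict] = {}
    for msg in messages:
        subject = decode_subject(msg["Subject"])
        if not looks_like_signup(subject):
            continue
        domain = sender_domain(msg["From"])
        if not domain:
            continue
        # Date headers with a numeric zone parse as aware datetimes; a bare
        # "-0000" parses naive, so keep comparisons within one kind.
        when = email.utils.parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
        entry = found.setdefault(domain, {"first": when, "last": when, "hits": 0,
                                          "login_addresses": set(), "subjects": []})
        entry["hits"] += 1
        entry["subjects"].append(subject)
        _, to_addr = email.utils.parseaddr(msg["To"] or "")
        if to_addr:
            entry["login_addresses"].add(to_addr.lower())
        if when is not None:
            if entry["first"] is None or when < entry["first"]:
                entry["first"] = when
            if entry["last"] is None or when > entry["last"]:
                entry["last"] = when
    return found


def stale_candidates(inv: Dict[str, dict], now: datetime, days: int = 365) -> List[str]:
    """Domains with no signup/recovery mail in `days`: closure candidates."""
    cutoff = now - timedelta(days=days)
    return sorted(d for d, e in inv.items()
                  if e["last"] is not None and e["last"] < cutoff)


def load_mbox(path: str) -> Iterable[email.message.Message]:
    """Real input: an mbox export (mail-provider takeout, Thunderbird, ...)."""
    return mailbox.mbox(path)


def _raw(sender, to, subject, date, body="(body)") -> str:
    return "\n".join([f"From: {sender}", f"To: {to}", f"Subject: {subject}",
                      f"Date: {date}", "", body, ""])


# Constructed sample inbox: two signup trails, two unrelated messages.
SAMPLE_RAW = [
    _raw('"Example Forum" <noreply@forum.example>', "me@mail.example",
         "Welcome to Example Forum", "Mon, 04 Mar 2019 10:00:00 +0000"),
    _raw("accounts@shop.example", "me@mail.example",
         "Please confirm your email", "Tue, 02 Feb 2021 09:30:00 +0000"),
    _raw("accounts@shop.example", "me@mail.example",
         "Reset your password", "Tue, 10 Sep 2024 18:45:00 +0000"),
    _raw("friend@mail.example", "me@mail.example",
         "Lunch on Friday?", "Wed, 11 Sep 2024 08:00:00 +0000"),
    _raw("news@paper.example", "me@mail.example",
         "Your daily briefing", "Thu, 12 Sep 2024 07:00:00 +0000"),
]
NOW_SAMPLE = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "today"


def sample_messages() -> List[email.message.Message]:
    return [email.message_from_string(raw) for raw in SAMPLE_RAW]


if __name__ == "__main__":
    inv = inventory(sample_messages())
    for domain, entry in sorted(inv.items()):
        print(f"{domain}: {entry['hits']} hit(s), first {entry['first']:%Y-%m-%d}, "
              f"last {entry['last']:%Y-%m-%d}, via {sorted(entry['login_addresses'])}")
    print("closure candidates:", stale_candidates(inv, NOW_SAMPLE))
```

The subject-phrase match is deliberately loose (a newsletter's "welcome to" lands in the list too), because the guide's advice is to read the hits rather than trust the count; the `first` date tells you how long the account has existed, which matters for the "anchor accounts" point in the section above on what is not worth doing.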
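Section 2 tells you to check your top-tier passwords against the Pwned Passwords k-anonymity range and then sweep reuse across every service that shares a hit. As an added example (not xmr.club code), here is that check end to end: hash locally, send only the 5-character hash prefix, compare the suffix on your own machine, then group a password-manager export by hash so one hit lists every account that needs rotation. The request shape follows the public Pwned Passwords range API; the sample range rows, their counts, the `*.example` services and the vault entries are constructed so the module runs offline, with `fetch_range_live()` as the real fetcher.

```python
"""Pwned Passwords range check (k-anonymity) plus a password-reuse sweep.

Added example for Section 2 of this guide; not xmr.club code. The request
shape follows the public Pwned Passwords range API (SHA-1, 5-character hash
prefix, 'SUFFIX:COUNT' response rows). The sample range body, counts and
vault entries below are constructed so the module runs offline.
"""
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"
FetchRange = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, which is what the range API indexes by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' rows into a dict. Padding rows carry a count of 0."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Only the 5-character prefix leaves the machine; the
    suffix is compared locally, so the service never sees the full hash."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "privacy-debt-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def digest_breach_count(digest: str, fetch_range: FetchRange) -> int:
    """How many times a SHA-1 digest appears in the corpus (0 = not found)."""
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def breach_count(password: str, fetch_range: FetchRange) -> int:
    return digest_breach_count(sha1_hex(password), fetch_range)


def reuse_sweep(vault: Iterable[Tuple[str, str]],
                fetch_range: FetchRange) -> List[Tuple[List[str], int]]:
    """Group vault entries by password hash and report every group that is pwned.

    Each result is (services sharing the password, breach count), so one hit
    lists all the accounts needing rotation: the 'sweep the reuse' step of
    the audit. Plaintext passwords never appear in the output.
    """
    services_by_digest: Dict[str, List[str]] = defaultdict(list)
    for service, password in vault:
        services_by_digest[sha1_hex(password)].append(service)
    hits = []
    for digest, services in services_by_digest.items():
        n = digest_breach_count(digest, fetch_range)
        if n:
            hits.append((sorted(services), n))
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed sample range for prefix 5BAA6 (SHA-1("password") starts with it).
# The counts are made up; a real response has several hundred rows.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0C2E1E3A5F1B2C3D4E5F60718293A4B5C6D:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix for "password"
        "F" * 35 + ":0",                                 # padding row
    ]),
}

# Constructed vault export: two services share a pwned password, one does not.
SAMPLE_VAULT = [
    ("forum.example", "password"),
    ("shop.example", "password"),
    ("bank.example", "correct horse battery staple"),
]


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed ranges."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for services, n in reuse_sweep(SAMPLE_VAULT, fetch_range_sample):
        print(f"pwned {n}x, rotate at: {', '.join(services)}")
```

To run it against a real export, pass `fetch_range_live` instead of `fetch_range_sample`; the `Add-Padding` header asks the service to pad responses so their size does not reveal how many real suffixes a range holds. A non-zero count on any of your top-tier passwords means that password is done, at every service in its group, regardless of its apparent strength.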
## See also

- [Recover from a privacy mistake](/guides/recover-from-privacy-mistake) — when the audit surfaces an active exposure rather than dormant debt.
- [Monero cold storage](/guides/monero-cold-storage) — the seed-phrase side of the 2FA/recovery sweep.
- [Monero inheritance plan](/guides/monero-inheritance-plan) — the long-tail recovery vector audit.
- [Pick a no-KYC email](/guides/pick-a-no-kyc-email) — for the replacement inbox you will land on after closing the abandoned ones.
- [Best no-KYC VPN](/guides/best-no-kyc-vpn) — for the audit step where your incumbent VPN turns out to have changed sides.

## Picks

- [Feather Wallet](https://xmr.club/wallets/feather) — Lightweight Monero wallet — useful for moving long-tail balances off a wallet you no longer fully trust during the audit.
- [Cake Wallet](https://xmr.club/wallets/cake-wallet) — Mobile XMR wallet you can spin up to receive sweeps from old wallets during the cleanup.
- [Mullvad VPN](https://xmr.club/vpns/mullvad) — Account-number-only signup — when you rotate VPN providers as part of the audit, the new one should not be a new identity trail.
- [IVPN](https://xmr.club/vpns/ivpn) — Audited no-logs, no-email signup. Good replacement candidate if your incumbent VPN expanded its KYC posture in the past year.
- [Coldcard](https://xmr.club/wallets/coldcard) — Hardware wallet for the BTC side of the audit — rotate keys off old hot wallets while you have the project context loaded.

## How to cite

Source: xmr.club, "The yearly privacy debt audit". https://xmr.club/guides/privacy-debt-audit (CC-BY-4.0).

## Related

- https://xmr.club/guides — full guides index (45 guides)
- https://xmr.club/methodology — how the directory grades providers referenced in this guide
- https://xmr.club/transparency — funding model + editorial firewall
- https://xmr.club/data.json — full provider dataset (CC-BY-4.0)

## License

CC-BY-4.0. Attribute "xmr.club".