惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

Troy Hunt's Blog

Weekly Update 512: IoT Lockout Fail Weekly Update 511: Live from my Riad in Marrakech Weekly Update 510: Live From Mallorca with Scott Helme Weekly Update 509 Weekly Update 508 Weekly Update 507 Welcoming the Philippine Government to Have I Been Pwned 1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever Weekly Update 506 Welcoming the Bhutanese Government to Have I Been Pwned Weekly Update 505 Weekly Update 504 Welcoming the Bahamian Government to Have I Been Pwned Welcoming the Bangladesh Government to Have I Been Pwned Welcoming the Costa Rican Government to Have I Been Pwned Weekly Update 503 Weekly Update 502 Weekly Update 501 Weekly Update 500 Here's What Agentic AI Can Do With Have I Been Pwned's APIs Weekly Update 499 Weekly Update 498 Weekly Update 497 HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API
Swimming Pools, Pee, and Trying to Delete Your Data From the Internet
https://www.facebook.com/troyahunt · 2026-07-03 · via Troy Hunt's Blog

I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me, I'll relay it here regardless:

Trying to delete yourself from the internet is like trying to take piss out of a swimming pool

Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this.

Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's just much more limited than is represented. The positioning is often around "data broker removal services", or "protect my data", or "remove my information from the internet". You'll find various companies providing these services by searching for those terms, or you can search for specific organisations... and find others hijacking the search term as they pay to market their brand in front of others. Usual internet marketing shadiness, of course, but IMHO it speaks volumes about the commercialisation of the data removal business.

These services all follow roughly the same marketing handbook:

  1. Data brokers have your personal information, which they may obtain via both legitimate and dodgy means
  2. It may be used for nefarious purposes such as identity theft, stalking, spam and other privacy violations
  3. Pay us, and we'll ask the brokers to remove your data

So let's go through these points one by one, starting with the data broker claim, which is absolutely correct. Your data has value - "data is the new oil" - and there's business in obtaining and selling it. I've dealt with many of them personally over the years, primarily because they've had data breaches. Master Deeds in South Africa was massive. National Public data a couple of years ago was many times larger. Exactis, Adapt, and many others have also been added to HIBP over the years. To the best of my knowledge, they're legally operating services, even if they may exist on the fringe of what most of us would consider "a bit dodgy" as far as respecting our personal information goes.

Which brings us to the second point about nefarious uses. There is a very broad spectrum of legitimacy across data brokers. Let's pick two extremes as far as the legality of the service goes. On the "very legally operating" end of things, we have Experian, and even if you don't like what they do, there's no arguing the fact that they're on the cleaner end of legitimacy and do provide valid services. At the other end, you have the likes of LeakedSource (and pretty much every other service with the word "Leak" in its name) that... well... just Google them. And there are many, many more at each end and everywhere in between. And a lot of it's very grey: different legal jurisdictions, different means of obtaining data, and different tolerances for adhering to opt-out requests.

But it's the data removal piece that's the real problem. If you pay one of the services in question to scrub you from the internet, I have no doubt they'll have some degree of success with the legally operating services. Those services will comply with legal requests and are adequately equipped to receive and process them. But the LeakedSources of the world? Not so much. And that's where the rub begins:

Requests to remove personal information are only effective for services that are willing to honour them.

That should sound profoundly obvious to anyone reading this now, but it doesn't really feature when you read the marketing material on data removal services. But I'm only just warming up...

Imagine trying to remove your data from here:

🚨🇺🇸 ShinyHunters has leaked the data of multiple companies...

🇺🇸 American Tower Corporation

🇺🇸 JCPenney & subsidiaries under Catalyst Brands & Authentic Brands Group

🇺🇸 Madison Square Garden Sports Corp.

🇺🇸 Ralph Lauren

🇺🇸 https://t.co/08IaUnp1sx pic.twitter.com/TvqanSTO1Y

— Dark Web Informer (@DarkWebInformer) June 16, 2026

That's a small snippet of the ShinyHunters website from a couple of weeks ago. At the time of writing, a bunch more data has been dumped, including only about 15 minutes before putting these words down in the draft blog post. These breaches have impacted tens of millions of people, including my wife courtesy of her having previously shopped at Canada Goose. Now, let's see how you go about scrubbing her data from that incident. For all the data broker removal services I'll direct to this post later, how do you do that? Clearly, you can't. The pee is now in the pool, and you're not taking it back out. And it's not just "on the dark web" either, their Tor site links through to a clear web site hosting all the data:

And that's just the beginning. Because we're talking about digitised data posted publicly, it replicates like crazy. There will be tens of thousands of copies of my wife's personal info floating around between personal stashes, Telegram channels and public hacking forums. That genie is never going back in the bottle, not unless we're talking about the narrow scope of a legally operating data broker, which raises another issue:

What legally operating broker is enriching their corpus from data breaches?! That's just not where the legitimate ones source info from. The data comes from surveys, exchanges with other services where you ticked the box to agree to the terms and conditions for exchanging data with "partners", public business directories, and even arrest records. Legal services, legal sources, legal processes. In one of the emails from a company looking for product placement, they described their plan as follows (bold is mine):

a plan which allows you to remove your personal information from any URL (where it's legal) you find your personal information on

So what we're left with is data removal services being effective for legally operating brokers who honour legitimate requests, whilst being completely useless against the worst kinds of sites that replicate and abuse your data. In other words, you may be able to opt out of some marketing material or content that's way too specifically targeted to you, but you can't stop the bad guys trying to steal your identity or extort you because "we caught you watching porn on your PC via the malware we installed". It's a little like the court injunctions being the thoughts and prayers of data breach response I wrote about in October: I can't touch the Qantas data breach because I'm a law-abiding Australian who knows about the injunction, but there's absolutely nothing stopping the genuinely bad actors from abusing that data.

And therein lies the core of why I don't want to entertain partnerships with these organisations: not because I disagree with the service or because it will cause any harm, rather because when someone uses HIBP to search for their email address and finds it in the Canada Gooses of the world, these services can't do anything about it. They're merely skimming the leaves off the top of the pool, and no amount of skimming is going to remove what we all know still lies beneath.

Security Have I Been Pwned
Tweet Post Update Email RSS
Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals