Not long ago, the British YouTuber Zac Alsop ran an experiment that lit up the internet. He hired a former criminal and a white-hat hacker and gave them one assignment: steal his identity. The result went past anyone’s worst guess. In a matter of days the hackers had opened a bank account in his name, taken out a loan, laundered the money through cryptocurrency, and bought a piece of property overseas. Zac himself only learned that there was a house under his name in another country after the experiment was over. It sounds like a stranger’s misfortune until you realize the techniques work on anyone with a smartphone and a social-media account — which is to say, all of us.
The most striking thing about the experiment is where the hack began. Not with code. The first thing the hackers did was rummage through the trash bins outside Zac’s office building. Out came unshredded bank statements, notes with phone numbers, papers printed with email addresses. Security professionals call this “dumpster diving,” and in the digital age it remains one of the most effective ways to gather information about a target. A piece of paper you toss without a thought becomes someone’s starting line. A meaningful share of identity-theft crimes worldwide begin this way — through physical channels, not digital ones.
Trash alone, of course, doesn’t finish the job. The hackers mapped Zac’s workplace and daily routines from LinkedIn and Instagram, then used a device called a “Wi-Fi Pineapple” to spin up a fake wireless network and eavesdrop on his communications. They physically broke into his office building and walked out with bank cards and contracts. And then came the decisive move: they fed his publicly available YouTube footage into an AI system and built a real-time deepfake of his face. That synthetic face cleared the bank’s remote identity-verification step without trouble. It was a tightly choreographed operation that fused digital intrusion with physical break-in.
Here’s the part we have to face. Every single piece of information used against Zac was something he had put into the world himself. The photos on Instagram, the career history on LinkedIn, the papers tossed without a shredder, the videos uploaded to YouTube. Each fragment looks harmless on its own; gathered by a professional, they become the key to a wholesale copy of a person. As security experts put it: the fragmentation of information does not guarantee safety.
So what can an ordinary person actually do? First, run any document with personal information through a shredder before it leaves the house. Bank statements, parcel labels, hospital receipts — all of it. Second, don’t connect to public Wi-Fi networks of unknown origin. The free Wi-Fi you jump on at a café or airport without thinking can be the hacker’s trap. Third, audit what you put on social media. Birthday, school, employer, the name of your pet — these are the basic building blocks of identity theft.
Conventional wisdom about passwords needs to change, too. In 2003 a National Institute of Standards and Technology employee named Bill Burr wrote the now-famous guideline: mix uppercase letters, numbers, and symbols, and change your password every 90 days. He later said in an interview that he regretted much of what he had recommended. Faced with the complicated rules, people just changed “aaa1” to “aaa2” and called it a day, and security didn’t actually improve. In 2017 NIST rewrote the guidance from the ground up: instead of short and complex, use long and memorable passphrases — and don’t bother changing them on a fixed schedule.
Security in the digital age cannot be carried by a single password. The sum total of what you carelessly leak into the world is your security posture. A single sheet of paper in the trash, a single photo on social media, can become someone’s key to stealing your life. Identity theft is almost impossibly hard to clean up after the fact — proving the damage and unwinding it can take months or years. When you get home tonight, the first thing to pull out of the closet is the shredder.