Audit your digital footprint 2026: Sherlock, Holehe, Whoxy

Updated May 2026.

The single most useful exercise any privacy-conscious adult can do in 2026 is run the OSINT toolkit on themselves. Once a year, ideally every six months. The same tools an attacker uses for target reconnaissance, Sherlock, Holehe, breach lookups, data-broker scrapers, work just as well aimed inward. The difference is what you do with the findings: instead of building a phishing pretext, you fix what you can fix and harden what you can’t.

This is the workflow I run on myself and recommend to family. It takes a focused weekend the first time and a couple of hours every six months thereafter. Every finding maps to a remediation step.

The four-question framing

Don’t dive into tools yet. First write down the four things you actually want to know:

• What accounts exist under my identity? Email addresses, phone numbers, usernames I’ve reused.
• What credentials of mine have leaked? Passwords, session cookies, identity documents in stealer logs or breach corpuses.
• What does a public records search return? Address history, vehicle records, court records, voter records, OFAC and PEP lists.
• What’s in the data-broker graph? Spokeo, BeenVerified, Whitepages, Radaris, PeopleFinder, Intelius, and the long-tail trackers that scrape the above.

Each question has its own toolkit. We’ll go in that order.

Step 1, Username and email enumeration

Two open-source tools dominate this category. Both are fast, no-account, and run locally.

• Sherlock, checks 400+ social and service platforms for a given username. Runs as a Python CLI.
• Holehe, same idea but for email addresses, using the “forgot password” flow on each service to detect whether the email has an account without sending a reset.

# Install
pip install sherlock-project holehe

# Run on yourself
sherlock yourusername --output sherlock-results.txt
holehe [email protected] --no-color > holehe-results.txt

Read both outputs critically. Three categories of findings:

• Active accounts you remember. No action required.
• Active accounts you’d forgotten about. Decide: keep, close, or update credentials. The “forgotten about” tier is the highest-risk one, these accounts often have weak passwords from years ago and aren’t covered by your current password manager.
• False positives. Sherlock’s signature for some platforms is brittle; cross-check by visiting the URL.

Run Sherlock against every username variant you’ve used historically. jsmith, jsmith88, jsmith_official, the gaming handle from when you were 17. Each is a distinct identity exposure.

Step 2, Breach and stealer-log exposure

This is the highest-value 30 minutes you can spend on your privacy posture. Three searches, in order:

• Have I Been Pwned, haveibeenpwned.com. Indexes corporate-data-breach corpuses (LinkedIn 2012, Adobe 2013, Collection #1, etc.). Search every email you’ve ever used.
• Stealercheck, for stealer-log exposure specifically (different threat model than HIBP). Free, browser-based domain lookup with no signup, cross-references the major stealer-log corpuses for any email or domain.
• Pastebin / GitHub leak search, search GitHub for [email protected] in code, gists, and issues. Engineers paste credentials into Slack threads that end up in archived chat exports that end up on GitHub.

For every breach hit, rotate the password if you ever used it on the breached service or anywhere that shares it. This is where reused passwords bite, you wrote off the old breach as ancient history; the password is the same one your bank uses today.

For every stealer-log hit, the response is more aggressive. A stealer log doesn’t just leak passwords, it leaks session cookies, autofill data, browser history, and crypto-wallet metadata. Treat any stealer-log hit as a “the device that produced this log was compromised” event:

• Identify the device. The log will tell you the browser, OS, and a fingerprint.
• From a clean device, log out of every active session for every account that machine touched.
• Rotate every password stored in that browser.
• Format and reinstall the affected device, or take it to a professional. Stealers leave persistence.

Step 3, Public records and identity graph

Public-records searches are jurisdiction-specific. In the US the spine is property records (county recorders), court records (PACER for federal, state courts otherwise), and voter records (varies by state). In the UK, Companies House and the Land Registry. In the EU, business registries vary by country and are increasingly Beneficial Ownership Register-linked.

For a quick survey of what aggregators have on you, run yourself through a small set of “people search” sites, Spokeo, BeenVerified, Whitepages, Radaris, Intelius, FastPeopleSearch, MyLife, TruePeopleSearch, and note what each shows. The data is mostly accurate, occasionally embarrassing, and removable (next step).

Also worth searching: OFAC SDN list if you have an unusually common name (false positives matter for banking), and the NPI registry if you have any healthcare-licensed history.

Step 4, Data broker remediation

Each broker has its own opt-out flow, ranging from “fill in this form, wait 30 days” to “send a notarised letter and a copy of your driving licence.” We’ve covered the manual workflow before in our data broker removal tutorial; the short version:

• EU/UK residents, file a GDPR Article 17 / UK GDPR Article 17 erasure request with each broker. Most have a dedicated form. The 30-day deadline is enforceable.
• California residents, CCPA / CPRA “Do Not Sell” plus deletion requests. The state’s Privacy Rights enforcement page lists the brokers required to honour them.
• Other US states, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas DPDPA all give similar rights now. Check your state.
• Everywhere else, most brokers offer voluntary opt-out for international requesters; not all honour them. Use a service like Optery, Privacy Bee, or DeleteMe if you want this automated.

Step 5, Hardening the residue

You will never delete every reference to yourself from the public internet. The goal isn’t disappearance; it’s reducing the attacker’s ROI. Five concrete hardening moves after the audit:

• Switch every account to a password manager. Our picks. The audit will surface dozens of accounts that need password rotation; doing them by hand fails halfway through.
• Enable phishing-resistant MFA (hardware key or passkey) on email, banking, password manager, and primary-cloud accounts.
• Use email aliases for new signups. SimpleLogin, AnonAddy, Apple’s Hide My Email, or Proton Pass all generate per-service aliases. A breach of any one alias doesn’t expose your real address.
• Lock your phone number. Call your carrier and add a port-out PIN. SIM-swap attacks remain a top-three threat for high-net-worth individuals in 2026.
• Set up CT log monitoring for any domain you own personally. New certs for your domain that you didn’t request are a phishing red flag.

A common-sense privacy stack

The audit produces findings. The stack is what keeps the findings from accumulating again. Three layers we recommend in 2026:

• Browser, Mullvad Browser or Firefox with Arkenfox user.js. uBlock Origin in default config. See our 2026 privacy stack tutorial.
• VPN, for IP-level privacy and to keep your home IP out of analytics graphs. Our VPN picks; Mysterium for the decentralised model, Mullvad for anonymous billing.
• Email, alias your real address. Use a dedicated address per category (banking, social, shopping, work).

A note on family and elderly relatives

The audit applies harder to your parents. Older adults are over-represented in romance-scam and tech-support-scam victim demographics, and their data-broker exposure tends to be ten years deeper than yours because they’ve used the same email and phone since 2008. Run the audit for them once, set up a password manager you’ll co-administer, and book a recurring 30-minute conversation every six months.

Further reading

• EFF Surveillance Self-Defense, best free privacy curriculum on the internet.
• Privacy Guides, community-maintained tool recommendations.
• Consumer Reports Permission Slip, automates opt-out requests for US residents.
• Our Right to be Forgotten piece for the search-engine layer.

Your digital footprint is an attack surface. The same scan an attacker would run on you is your most useful audit. Do it, fix what you can, harden what you can’t, and put the next pass on the calendar.