Nothing to Take, Nothing to Destroy

Capital One has emailed me four times this month to inform me that my data has been found on the dark web. I read these in line at the bodega on Ninth Avenue. I have never reset a password because of one.

The bodega on Ninth and 45th has a routine. Egg on a roll, lottery tickets ahead of me, the phone vibrating in my pocket with the latest "we found your data on the dark web" alert from Capital One. Same envelope graphic. Same urgency strip across the top. Same five-year-old breach data scraped from the same combo list, repackaged through the same automated scanner that flags every name on the list once a quarter so the bank can say it watches.

I yawn through it the way you yawn through a fire drill on a Tuesday afternoon.

This is the part of the article where I'm supposed to tell you I have a strong password and 2FA and you should too. I will not be doing that. The story is not about a stronger lock. It is about a house with nothing in it.


"Found On The Dark Web" Means Found On A Spreadsheet From 2019

The alert is a product, not a finding. Somewhere inside Capital One's credit-monitoring contract — the one bundled with the card as a perceived benefit — sits an automated scanner that ingests known-breach corpora and matches the cardholder's email against them. The corpora are mostly years old. LinkedIn 2012. Collection #1. Combolists that have been circulating on forums since before TikTok was a verb.

The engineers who built that scanner know exactly what it is. The CISO knows. The product manager knows. The thing they shipped is not a threat detector. It is an engagement loop wearing a security badge — the same email, gently re-skinned, mailed once a quarter to keep the credit-monitoring upsell warm in the customer's mind.

That is not engineering failure. That is procurement and marketing wearing engineering's clothes. A contract with a third-party data broker. A compliance checkbox. A customer-success metric that lights up when you log in to "review your alert." The engineers building inside that constraint know what they're inside of. I have met them. They are not the villain of this article. The product the bank is asking them to ship is.

What the alert is not:

NOT INCLUDED IN THE ALERT
- Whether the leaked credential is still valid anywhere
- Whether the breach is recent or eight years old
- Whether the email in question is your actual primary identity
- Whether anything in the corpus could ever harm you specifically
- Any threat model that mentions you by name

That last line is the one. The alert never mentions you. It mentions a record. The record happens to contain an address you once typed into a sign-up form.

That is not a finding. That is mail merge.


The Locksmith's Front Gate

I do this work for a living. Defensive side, offensive side, occasionally both inside the same engagement. The job comes with a guarantee: someone will eventually decide you are a trophy.

The flavor varies. Most of the traffic is script-kiddie shaped — credential stuffing my old burner emails, half-rendered dox attempts using a five-year-old address that goes to a dead inbox, the occasional WHOIS fishing trip against a domain I parked in 2017. Some of it is more committed: persistent social engineering against people I've published with, fake "you have a package" texts trying to harvest a real number, the once-a-year attempt to spin up an impersonation account on a platform I don't even use. Rarely, something competent enough to deserve a second look — targeted reconnaissance against an operational persona, a real OSINT pass on infrastructure, a phishing kit tuned to my actual writing voice.

None of it has cost me a Saturday.

Not because the attackers are bad at their jobs. Some of them are. Some of them are good. The reason is the same reason the bodega alert doesn't move me: the address they have is not the address that matters. The trophy they're chasing is paper.

You don't shake down a locksmith by rattling the front gate. You shake down a locksmith by getting inside the shop. The front gate is the part the locksmith built knowing it would be rattled.


Decoupled Identity

The architecture is the defense. Not the password. Not the second factor. The map.

Operational identities live in their own environments, on their own infrastructure, with their own funding channels and their own communication patterns. Personal identity — banking, family, the boring mail — lives somewhere else entirely. There is no document, no shared device, no recovery email that ties one to the other. The two persons do not share a phone. They do not share a notes app. They do not share a browser session.


This is not paranoia. This is the same principle a bank uses internally: blast-radius containment. Capital One, ironically, runs this exact discipline at the infrastructure level — the 2019 breach was damaging precisely because their internal segmentation failed and a misconfigured WAF gave one credential too much reach. They know what segmentation is. They sell it as a feature. They just don't ship it to the customer.

```python
# How a normal person's digital identity tends to look
identity = {
    "primary_email": "[email protected]",
    "bank_login_email": "[email protected]",
    "shopping_email": "[email protected]",
    "recovery_phone": "+1-555-MY-NUMBER",
    "social_media_email": "[email protected]",
}
# Compromise one node, the whole graph lights up.

# How a decoupled identity looks
identity = {
    "primary_email":    "[email protected]",
    "bank_login_email": "[email protected]",
    "shopping_email":   "[email protected]",
    "recovery_phone":   "+1-555-VOIP-ONLY",
    "social_media":     "[email protected]",
}
# Compromise one node, you found a node.
```

The decoupled version is not exotic. Every alias in it can be generated in the free tier of any reasonable email-masking service in under a minute. The cost is one habit: when something asks you for an email, you do not give it the email. You give it an email. The one that exists for that purpose and no other.
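The "whole graph lights up" versus "you found a node" contrast can be measured rather than asserted. The script below is an added example, not code from the original post: it models accounts and channels as nodes, draws an edge from A to B wherever control of A hands over B (B signs in with A, B's reset lands in A, or a breach of B exposes the credential it was registered with), and walks the graph to get the blast radius of any single compromise. Both graphs are constructed illustrations, not anyone's real identity, and the node names are assumptions.

```python
"""Blast radius of one compromised identity node, coupled vs decoupled.

Added example, not the post's own code. Nodes are accounts or channels;
a directed edge A -> B means control of A yields control of B. Both graphs
are constructed for illustration.
"""
from collections import deque

# One inbox and one phone number carry every reset, and every service was
# registered with that inbox, so a breach of any service exposes it (and,
# with password reuse, its password). Constructed.
COUPLED = {
    "primary_inbox": {"bank", "shop", "social", "phone_carrier"},
    "phone":         {"primary_inbox", "bank"},  # SMS reset of inbox, SMS 2FA at bank
    "phone_carrier": {"phone"},                  # carrier account can re-route the number
    "bank":          {"primary_inbox"},          # breach exposes the login identity
    "shop":          {"primary_inbox"},
    "social":        {"primary_inbox"},
}

# One alias per service, a VoIP number only where SMS was forced, nothing
# shared with banking. A breached service exposes only its own alias. Constructed.
DECOUPLED = {
    "alias_bank":   {"bank"},
    "bank":         {"alias_bank"},
    "alias_shop":   {"shop"},
    "shop":         {"alias_shop"},
    "alias_social": {"social"},
    "social":       {"alias_social", "voip_number"},
    "voip_number":  {"social"},                  # the one service that insisted on SMS
}

SENSITIVE = {"bank"}  # the asset whose reachability actually matters


def blast_radius(graph, start):
    """Every node an attacker holding `start` can reach (start itself excluded)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return frozenset(seen)


def worst_node(graph):
    """The single compromise that reaches the most, as (count, node name)."""
    return max((len(blast_radius(graph, n)), n) for n in graph)


def reaches_sensitive(graph, start, sensitive=SENSITIVE):
    """True if losing `start` is enough to reach a sensitive asset."""
    return bool(blast_radius(graph, start) & sensitive)


if __name__ == "__main__":
    for name, graph in (("coupled", COUPLED), ("decoupled", DECOUPLED)):
        count, node = worst_node(graph)
        print(f"{name}: worst case is {node!r}, which reaches {count} other node(s)")
        print(f"{name}: a breached sandwich shop reaches the bank?",
              reaches_sensitive(graph, "shop"))
```

The interesting number is not the worst case but the median: in the coupled graph every node, including the sandwich shop, reaches everything else, so the "which vendor leaked" question is irrelevant. In the decoupled graph a shop breach reaches one alias and stops.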


A Burnable Email Has No Smoke

When a Capital One alert arrives, the email it found in the dark-web corpus is almost always a burnable alias I issued to a specific vendor in a specific year. The alert tells me something useful, but not the thing the bank intended: it tells me which vendor leaked. The address bank_only_alias showing up in a 2023 breach means one of two things — either Capital One itself leaked it, or someone the bank shared it with did.

That's a real signal. The alert was supposed to scare me. Instead it audits the bank's third parties for me, for free.

What the bank thinks the alert says:
  "Your identity is at risk. Please review."

What the alert actually says (to me):
  "One of the vendors you gave alias_xyz to is in a known corpus.
   The credential is unique-per-vendor. The blast radius is one account.
   The account in question has no funds and no privileges.
   Acknowledge and move on."

The point is not that I am cleverer than the alert. The point is that the alert is doing the same work for everyone — it just lands differently in a mailbox whose owner already designed the response.


What You Actually Buy When You Buy Aggression

The thing nobody tells you about the "unshakable" posture is that it is not a personality trait. It is paid for in setup time, in friction, in the boring weekly habit of not handing your real email to a sandwich shop's loyalty app.

It is also not paranoid. The threat model is mundane. Most adversaries are not targeting you specifically. They are running mass operations against a list. The single highest-leverage move you can make is removing yourself from the list — not the dark-web list, the list of people whose entire life routes through one inbox and one phone number.

A short version of the practice:

Step 1. One domain you control. Catch-all enabled.
Step 2. One alias per vendor. Never reused.
Step 3. Banking and government identity on aliases no merchant ever sees.
Step 4. A second, VoIP-only number for any service that requires SMS.
Step 5. Recovery questions answered with generated nonsense stored in a vault.
Step 6. Yearly audit: which aliases showed up where? Burn the ones that leaked.

That is the architecture. None of it is exotic. All of it survives a Capital One alert without raising a heart rate.

For phone-side hygiene, the companion piece is Clutch — same principle at the device layer, lower in the stack. The dark-web alert is a mass-mail problem; the SIM and the baseband are a different layer with the same logic. Decouple the identity, decouple the device, and the threat model collapses to "one account, one inconvenience."


A Note To The Capital One Engineering Team

I would love to be wrong about your product. The credit-monitoring upsell does not have to ship as theater. The same scanner that mass-mails the quarterly alert could distinguish a fresh, validated, account-specific leak from a 2017 combolist match — the tooling exists, the corpora are labeled, the validation is straightforward. The product decision to flatten all of it into one envelope is what makes the alert worthless to anyone with a threat model.

If the goal is real fraud prevention, the alert needs:

- Source corpus name and date of leak
- Credential validity check (is the password still good anywhere?)
- Specific account exposure (which of the customer's accounts uses this credential?)
- A recommended action that scales with severity, not one-size urgency

That product exists. It's not what you ship. It could be. The constraint between "could" and "is" is internal — procurement, contract terms with the data broker, brand-safety review, the quarterly engagement metric. The engineering is the easy part.

I do this work. I'm in New York. If you'd like the credit-monitoring product to actually mean something, the door is open.


GhostInThePrompt.com // You don't survive the dark web by being scarier. You survive it by having nothing left in the house.