The Facebook post that hacked your company — or the real power of OSINT

In May 2025, one of the most attention-grabbing speakers at the GITEX EXPO in Berlin was Danni Brooke, a former British secret police officer and intelligence expert who shared decades of experience with the audience. The focus of his presentation was OSINT, or Open Source Intelligence: a methodology that relies not on technological tricks but on data that people share voluntarily.

His message was clear: through social media, LinkedIn profiles, resumes or even publicly available company documents, information can end up in the wrong hands and become the key to a well-targeted cyberattack.

Why is this important? Because what you think is harmless is a valuable weapon for others

Attackers no longer start by trying to hack a database. Instead, they collect information: who works where, who uses what device, what their schedule is like, when they go on vacation, where they usually have coffee, what topics they post about. From these puzzle pieces a profile is assembled, and the attacker knows whom to write to, what to talk about, what to ask, and how to ask it so that it does not look suspicious.
This is OSINT: an invisible but effective prelude to any successful social engineering attack.

The root of the real problem: visibility we don't know about

Many people are unaware of how detailed a picture they paint of themselves in the digital space. An HR professional lists on LinkedIn the tools they use to recruit. An administrator openly publishes a configuration file on GitHub that reveals the architecture of the internal system. A CEO posts about his vacation, so the attacker already knows when he's not in the office. From these details, an attacker can write what looks like an internal email, with attachments, sent in good faith by a colleague in finance.

Even the most modern firewall does not protect against your own Facebook

Companies spend huge amounts of money on endpoint protection, firewalls and encrypted communications, while workers' social media activity is barely regulated. Yet the real entry point is often not a port in the firewall, but a LinkedIn post set to “Public”, an Instagram story or a badge from the last conference shared on X (formerly Twitter).


These scammers are not “hackers” in the classical sense — rather, they are masters of linking human behavior and public data. And this is what makes them especially dangerous.

Prevention: not technology, but awareness

The most important method of defense is not new software or an AI-based detector; it is raising awareness.

Every organization needs to think about:
• What information do your employees share publicly?
• What regulations protect corporate data assets on social platforms?
• Is OSINT regularly audited?
• Are workers trained on what constitutes sensitive data in the eyes of attackers?


Cybersecurity culture begins when an employee knows for himself: “I'm not posting about this, because an attacker could draw conclusions from it.”

The next attacker may have long known your password from the name of your favorite dog

Social engineering and OSINT go hand in hand: the former is the action, the latter is the foundation. If someone targets your company, endpoint protection won't be your first obstacle. The first obstacle arises when the attacker can't find anything about you that can be used.

Therefore, the most important question is: how visible are you?

At United Consult, we regularly conduct OSINT audits and simulated social engineering attacks on our partners. Our goal is not to look for mistakes — but to awaken vigilance. Because the first step in cyberattacks may have already taken place — in a LinkedIn post from months ago.

You have to act now — you can only explain later

Train your colleagues. Limit public information. Review the social media usage guidelines. Do this not only as an IT professional, but also as a manager, HR or communications specialist.

Because the attacks of the future don't start with zeros and ones — they start with selfies and hashtags.

Author:
D. László István
Head of Cybersecurity, United Consult Group