ATLSECCON 2026

What if your most sensitive information wasn’t hacked, stolen, or exfiltrated—but quietly made public through everyday business processes? This talk examines how sensitive files routinely escape into the public eye via search engines, file-hosting platforms, misconfigured cloud services, shared drives and servers, URL shorteners, forgotten upload paths, and other overlooked exposure points—often without triggering alerts or raising suspicion. Drawing on experience in cybersecurity, information privacy, and private investigations, this session explores how attackers, journalists, and investigators systematically uncover sensitive data by pivoting across people, companies, domains, filenames, usernames, and keywords. Using nothing more exotic than internet search engines, specialized file-discovery tools, and an understanding of human error, this is a practical, reconnaissance-focused talk about finding what was “never meant to be public,” why these leaks are so persistent, and how defenders can identify and reduce this exposure before someone else does.

---

This talk focuses on sensitive files and the ways they accidentally reach the public sphere. We’ll examine how ordinary business workflows—exports, backups, shared links, file uploads, and collaboration platforms—create a large and consistently underestimated attack surface. We’ll also look at how modern search engines, AI-powered discovery tools, and niche indexing services dramatically amplify this risk. The emphasis is on patterns: why the same categories of files and sensitive data appear again and again across industries, and how attackers can pivot from a single keyword, filename, or individual to an entire document corpus.

Please note: This isn’t just a “be afraid” session. We’ll get concrete and operational, diving into the specific tradecraft behind large-scale document discovery and showing how these techniques are weaponized in practice. Topics include advanced dorking strategies, lesser-known search engines, and—most importantly—how to think about accidental exposure as a discoverable surface area rather than isolated mistakes.

The talk also turns the lens inward, translating offensive reconnaissance techniques into a defensive capability. I’ll demonstrate how blue teams and DFIR practitioners can safely apply these methods to their own organizations, vendors, and brands to proactively identify exposed files before adversaries, journalists, or regulators do. The focus is on building a repeatable discovery process, separating signal from noise, and closing the gap between policy, tooling, and real-world exposure.

Because, after all, “we didn’t know that was public” is never a good look!