Ace Security Desk – In short: Research reveals that the information Australians are putting on social media could make them easy targets for scammers and identity theft. Most Australians are not reviewing the privacy settings of the platforms they share information with.

Two-thirds of Australians leave private information open to cybercriminals

What’s next?

Cybersecurity experts say platform defaults lead many users to share more personal details, and they want to empower users to take back control.

A cybercriminal could find personal information on more than half of all Australians via their public social media accounts, according to new government research.

The research, commissioned by the Australian Department of Home Affairs, found 64 per cent of Australians had personally identifying information publicly visible on social media.

About a third — 32 per cent — had their birthday public, while 28 per cent listed an email address.

The research used survey data to calculate an estimate for the entire Australian population.

Younger Australians were found to be at an even higher risk, with 86 per cent of 19-24-year-olds and 74 per cent of 25-34-year-olds admitting it would take just minutes to find their personal information.

It followed previous research by the federal government last month that suggested young people were among the most vulnerable to cybercrime.

National Cyber Security coordinator Lieutenant General Michelle McGuinness said even though it was not deliberate, the oversharing remained “dangerous”.

“I think that we’re underestimating the power of that information,”

she said.

“We have scammers who work very hard to piece together details, so they can commit fraud or identity theft.

“And these details make it much easier for them to impersonate us.”

Most do not update camera and microphone privacy settings

According to the research, 57 per cent of Australians did not review their privacy or location settings, and only 41 per cent regularly updated them.

This included updating which apps had access to their phone or device’s camera and microphone.

Only 46 per cent of Australians limited who could see their location on social media, and only 29 per cent hid their profile from search engines.

Of that 64 per cent who had personally identifying information on social media, 23 per cent disclosed their residential suburb, and 18 per cent had a mobile phone number listed.

Cybercriminals, according to Lieutenant General McGuinness, could piece together information, using it to then impersonate loved ones and create better targeted scam messages.

This information, she said, could be pieced together from years of online posting.

“It might be very easy to underestimate the compilation of details over a long time,” she said.

“It might be that you’ve been on social media for years. That information just stacks up.”

The research also found 30 per cent of people were using personal information in their passwords, and 55 per cent were using the same password across multiple accounts.

A further 59 per cent were using variations of the same password across their online accounts.

Lieutenant General McGuinness noted a need for Australia to adopt the same safety culture online as it has in the real world.

“Australians know how to stay safe in the physical world,” she said.

“We teach our kids to swim, we lock gates, we lock our cars up, we know how to cross the road … we know how to wear sunscreen to stop us getting skin cancer.

“We are thriving in the online environment [but] we’re not transferring that same security culture from the physical world into the digital world.”

Online privacy not a ‘mass failure’ of Australians

There were more than 84,000 cybercrimes reported in the 2024-25 financial year.

Almost half of all Australians aged 18 years and over had experienced some kind of cybercrime in 2024, according to the Australian Institute of Criminology’s 2024 Cybercrime in Australia survey.

Professor Daniel Angus is director of the Digital Media Research Centre at the Queensland University of Technology.

He said part of the issue was that social media platforms were “built on the premise of sharing personal details”.

“That’s not a failure for people, that’s a structural contradiction,” he said.

“It is in the title, social media. You are there to be social.

“I was reading a report by DMRC colleagues, Professor Amanda Lotz and Dr Gabriela Lunardi. They’ve surveyed 2000+ Australians … to get qualitative insights into how they use social media.

“What’s really interesting is how people have retracted away from the public feed to engage in personal social aspects through private messaging groups.

“Whether that’s using Messenger, WhatsApp, direct messages on Instagram, whatever it might be, that’s where we’re actually exercising our sociality.

“Whereas for many the public feed has been absolutely swallowed up by viral content and other kinds of media that’s not in your direct social network.”

The number of people with personal information available, he noted, should not be seen as a “mass failure of personal responsibility”.

“It’s actually a signal that some of the defaults and incentives coming from platforms are perhaps misaligned with safety,”

he said.

“In this case, this could come down to platform defaults. You could force many platforms to make those settings clearer and easier.

“Say when someone’s about to post, you could get an occasional nudge saying, ‘you’re about to share something and it appears to be quite an intimate post. Are you aware that this is being posted publicly and anyone anywhere could see this?’

“But it’s clear they’re not going to build something like this unless we force them.”

In its April 2026 security advice for social media users, the Australian Cyber Security Centre noted that platforms and messaging services typically collected extensive data as part of their business models.

Asked about how her strategy balanced individual responsibility with holding social media platforms accountable, Lieutenant GeneralMcGuinness said she did not want Australians to feel they had no agency in their online safety.

“This is not about blaming anyone; this is about empowering people,”

she said.

“But everyone and every aspect of our society has a responsibility, so this is about ensuring that citizens don’t feel that their destiny is in the hands of a big platform or in the hands of somebody else.

“And at the same time … there are layers across how we engage with services that are critical to our nation, our critical infrastructure, how we collaborate across the industry, how we secure data across government.

“But at this level, the individual, we want them to feel empowered and not intimidated by cybersecurity, and know there are things that are in their control.

“They can be smart and it’s not too big a burden.”

At Sterling Publishing & Media Service Agency, we prioritise transparency and accountability in all our operations. We wish to clarify that we are not responsible for any external content, hyperlinks, or costs associated with our services. Nevertheless, we remain committed to delivering outstanding services and greatly value your continued support. Thank you for your trust in us.