When I say “hack,” I’m referring to something that was potentially illegal by today’s standards, but this was nearly 30 years ago, and since no one ever caught on, I’m okay sharing this tale.

Back in the fall of 1996, I started at a small rural community college. Their tech setup was basic - think laughable DSL for internet and a library BBS for book reservations and searches, which you could dial into.

Security was pretty much non-existent; access was tied to your library card number and the last four digits of your Social Security Number. If you accessed the patron info page with your library card, you’d see your own contact details. Here’s the kicker: I quickly noticed that library cards were issued sequentially, meaning the person registered right after you had the next card number.

My “hack” was guessing how far off another person’s number might be from mine to access their information. I experimented a bit, pulling info on a few folks with similar names, but then I stopped. There was no thrill in invading privacy; I just found the vulnerability intriguing.

You might find it ironic, given my interest in OSINT, but there’s a big difference. OSINT is about digging up information from publicly available sources, not stalking. I’m more interested in exposing shady practices or individuals exploiting others.