Dumpster Diving
What is Dumpster Diving?
Dumpster Diving: Searching through an organisation's or person's discarded materials (paper, removable media, hardware) to recover sensitive information.
Dumpster diving is physical reconnaissance: attackers comb through office bins, recycling, dumpsters at loading bays, or e-waste piles for printouts, sticky-notes, contracts, org charts, USB sticks, drives, decommissioned servers, and network diagrams. Unlike OSINT it needs physical access to the premises or to the waste once it leaves them, but the yield is similar: names, roles, internal hostnames and vendor relationships that feed phishing, pretexting and intrusion, and sometimes credentials or PII outright. Defences: cross-cut shredding of any paper that carries sensitive data; locked confidential-waste bins emptied by a vetted contractor; sanitisation or certified destruction of decommissioned media following NIST SP 800-88 (Clear, Purge or Destroy, chosen by the data's sensitivity and the media type; for SSDs Purge means cryptographic erase or the drive's own secure-erase/sanitize command, because a host-side overwrite does not reliably reach spare and remapped flash blocks); full-disk encryption rolled out before data lands on a drive, with the key kept separate from the discarded device, so a lost or binned disk is useless; an asset-disposal procedure with chain of custody and certificates of destruction; and awareness training so staff do not treat the recycling bin as a safe place for anything internal.
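The decision the disposal controls above hinge on, as an added example (not code from the page): given a drive image that is about to leave custody, does it announce an encrypted container or a plaintext filesystem, and after an overwrite is every sector really zero? The LUKS, NTFS, FAT32 and ext superblock signatures and offsets are the published on-disk formats; the sample images, the `disposal_action` wording and the helper names are constructed for this example.

```python
"""Triage a decommissioned drive image before disposal: does it announce a
LUKS container or a plaintext filesystem, and, after an overwrite, is every
sector really zero? Added example, not code from the page. The on-disk
signatures are published formats; the sample images are constructed."""
import struct
from typing import Dict, Optional

SECTOR = 512

# Published on-disk signatures.
LUKS_MAGIC = b"LUKS\xba\xbe"          # bytes 0..5 of a LUKS1/LUKS2 header
NTFS_OEM = b"NTFS    "                # bytes 3..10 of an NTFS boot sector
FAT32_LABEL = b"FAT32   "             # bytes 0x52..0x59 of a FAT32 boot sector
EXT_MAGIC_OFFSET = 1024 + 0x38        # s_magic in the ext2/3/4 superblock
EXT_MAGIC = 0xEF53                    # little-endian u16


def classify(image: bytes) -> str:
    """Label a drive image by the header it carries."""
    if image.startswith(LUKS_MAGIC):
        return "encrypted:luks"
    if image[3:3 + len(NTFS_OEM)] == NTFS_OEM:
        return "plaintext:ntfs"
    if image[0x52:0x52 + len(FAT32_LABEL)] == FAT32_LABEL:
        return "plaintext:fat32"
    if len(image) >= EXT_MAGIC_OFFSET + 2:
        (magic,) = struct.unpack_from("<H", image, EXT_MAGIC_OFFSET)
        if magic == EXT_MAGIC:
            return "plaintext:ext"
    if not any(image):
        return "blank"
    return "unknown"  # no header we recognise, but not zeroed either


def first_dirty_sector(image: bytes) -> Optional[int]:
    """Full verification after an overwrite (Clear): every sector must be
    all-zero. Returns the first sector number that is not, else None."""
    for off in range(0, len(image), SECTOR):
        if any(image[off:off + SECTOR]):
            return off // SECTOR
    return None


def disposal_action(image: bytes) -> str:
    """Turn the triage result into a disposal decision. The wording is an
    assumption for this example; the Clear/Purge/Destroy categories are
    NIST SP 800-88's."""
    kind = classify(image)
    if kind.startswith("encrypted"):
        return "crypto-erase: destroy the key material, then dispose"
    dirty = first_dirty_sector(image)
    if dirty is None:
        return "verified blank: release for disposal"
    return f"purge or destroy: {kind}, data present from sector {dirty}"


def _image(size: int, patches: Dict[int, bytes]) -> bytes:
    """Build a constructed image of `size` zero bytes with `patches` written in."""
    buf = bytearray(size)
    for off, data in patches.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


# Constructed samples, a few KiB each, standing in for real drives.
SAMPLE_LUKS = _image(4096, {0: LUKS_MAGIC + b"\x00\x02"})              # LUKS2 header start
SAMPLE_NTFS = _image(4096, {0: b"\xeb\x52\x90" + NTFS_OEM})            # NTFS boot sector start
SAMPLE_EXT4 = _image(4096, {EXT_MAGIC_OFFSET: struct.pack("<H", EXT_MAGIC)})
SAMPLE_FAT32 = _image(4096, {0x52: FAT32_LABEL})
SAMPLE_WIPED = _image(4096, {})                                        # overwrite succeeded
SAMPLE_RESIDUE = _image(4096, {3000: b"name,ssn,card\n"})              # overwrite missed a sector


if __name__ == "__main__":
    for name, img in [("luks", SAMPLE_LUKS), ("ntfs", SAMPLE_NTFS),
                      ("ext4", SAMPLE_EXT4), ("fat32", SAMPLE_FAT32),
                      ("wiped", SAMPLE_WIPED), ("residue", SAMPLE_RESIDUE)]:
        print(f"{name:8} {classify(img):16} -> {disposal_action(img)}")
```

`first_dirty_sector` only sees what the host can read, the logical address space. On an SSD that excludes spare and remapped blocks, which is why NIST SP 800-88 puts cryptographic erase or the drive's own sanitize command on the Purge path for flash, and why a "verified blank" from a read-back check is a Clear-level result, not proof that the cells are empty.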
● Examples
- 01 Recovering an org chart and password sticky-notes from a bin behind an office building.
- 02 Pulling an unencrypted laptop from e-waste and recovering customer data.
● Frequently asked questions
What is Dumpster Diving?
Searching through an organisation's or person's discarded materials — paper, removable media, hardware — to recover sensitive information. It belongs to the Attacks & Threats category of cybersecurity.
What does Dumpster Diving mean?
Searching through an organisation's or person's discarded materials — paper, removable media, hardware — to recover sensitive information.
How do you defend against Dumpster Diving?
Cross-cut shred any paper that carries sensitive data, keep confidential waste in locked bins until it is destroyed, sanitise or destroy decommissioned media per NIST SP 800-88, encrypt drives before they hold data so a discarded disk is useless, run asset disposal through a documented procedure with chain of custody, and train staff not to bin internal documents intact.
What are other names for Dumpster Diving?
Common alternative names include: Trashing, Bin raiding.