A recent Newsweek piece described how Alan Malcher, a U.K.military veteran, who is now at a U.S. think tank, was approached in a London pub by an unknown man with a Slavic accent.
The stranger chatted him up, offering positive commentary on Russian president Vladimir Putin, and then made reference to Malcher’s military service. Malcher told the magazine weekly that there was “no way” the man could have known about his service—except by reading his profile on LinkedIn, the business-focused social network owned by Microsoft (MSFT).
As described, he sounded a bit surprised by this. But should he have been? Why would a Russian operative (or anyone researching a mark) not check that person out on LinkedIn first? No self-respecting reporter would contact a company exec without stalking him or her on LinkedIn beforehand. This is no knock on the site itself. It was created as a way for people to share their professional information.
Related: Microsoft to Buy LinkedIn for $26.2 Billion
One point of the story was that the Russians sent this guy to let Malcher know they’ve got an eye on him. Another was to note that Russian propaganda factories use whatever data sources necessary to do their jobs. That includes gathering facts that can be spun into fake news or to intimidate enemies. If Malcher is on Facebook (FB) or Twitter (TWTR), you can bet they’re all over those posts, too.
One irony is that to do any LinkedIn cyber-sleuthing, Mr. Mystery Man had to leave Russia as that country blocked Linkedin last year. (A LinkedIn spokeswoman said the company is working to restore access.)
Get Data Sheet, Fortune’s technology newsletter.
Here’s the thing: People like to brag about their accomplishments on LinkedIn. (Who knows when they’ll need a new gig?) But they should do so cautiously. And this is certainly nothing new. As outlined in this decade-old ComputerWorld story, every bit of personal information a person puts into a public space can be turned against its author.
Data gleaned from LinkedIn, Facebook, Twitter, and blog posts can be harvested and used to create spear phishing email in which the bad guy poses as a friend or associate of an executive to get that executive to click on a link, which unleashes malware on his device. Even such innocent-seeming things as corporate affiliations, educational background, and favorite charities can be used this way. Email remains a huge conduit for hacking.
The lesson here, which clearly needs to be repeated: Be careful what you post. Someone may be watching.