SecurityThreats and vulnerabilitiesBeginner15 min read

What Is Dumpster diving? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Dumpster diving means looking through someone's garbage to find useful information. In the IT world, this could be old documents, hard drives, or even sticky notes with passwords. It is a physical security threat because companies often throw away sensitive materials without destroying them first. A good defense is to shred or securely destroy anything that contains private data.

Commonly Confused With

Dumpster divingvsShoulder surfing

Shoulder surfing is looking over someone's shoulder to see their screen or keyboard. Dumpster diving is going through trash after it has been discarded. Shoulder surfing happens in real-time; dumpster diving happens after the fact.

Shoulder surfing: you watch someone type their PIN at an ATM. Dumpster diving: you find that person's bank statement in their home trash.

Dumpster divingvsSocial engineering

Dumpster diving is often used to support social engineering, but it is not a social engineering attack itself. Social engineering involves manipulating a person. Dumpster diving involves manipulating a physical object (the trash). They are related but different.

Social engineering: calling an employee and pretending to be IT to get a password. Dumpster diving: finding the password written on a note in the trash.

Dumpster divingvsE-waste recycling (improperly done)

E-waste recycling is the proper disposal of electronics. Dumpster diving is the unauthorized retrieval of discarded items. However, improper e-waste recycling can lead to the same risk: data left on discarded devices can be recovered by dumpster divers.

If you donate an old computer to a recycling center without wiping it, a dumpster diver could steal it from the donation bin. The act of donation is not dumpster diving, but the theft from the bin is.

Dumpster divingvsTrashing (in OSINT)

In the context of Open Source Intelligence (OSINT), 'trashing' is a term sometimes used synonymously with dumpster diving. However, OSINT generally refers to gathering information from public sources, while dumpster diving involves private property (the trash is usually considered abandoned, not public).

OSINT uses public social media profiles. Dumpster diving uses discarded private documents.

Must Know for Exams

Dumpster diving is a recurring concept in both CompTIA A+ and Security+ exams, though it is treated with different levels of depth. In the A+ exam (Core 2, domain 3.0: Operational Procedures), dumpster diving is taught as a basic physical security threat. You are expected to understand what it is, why it is dangerous, and what the simplest countermeasures are, such as shredding documents and using a cross-cut shredder. The A+ exam focuses on the practical, technician-level response: ensuring that old hardware is properly sanitized and paper is destroyed.

In the Security+ exam (domain 2.0: Threats, Vulnerabilities, and Mitigations, specifically 2.3), dumpster diving is covered more thoroughly as a type of social engineering and physical attack. The Security+ exam expects you to understand dumpster diving in the context of the broader attack lifecycle. You need to know that it is often a reconnaissance step. An attacker dumpster dives to gather information that will make a later attack more effective. You must also know the full range of defenses, including policies (clean desk, information disposal), procedures (shredding, degaussing), and physical controls (locked dumpsters, secure areas).

In exam questions, dumpster diving is rarely the main focus. Instead, it is a detail in a scenario. For example, a question might describe a security breach that started with an attacker finding a network diagram in a trash can. You would need to recognize that the initial incident was dumpster diving. Another common question pattern is the remediation step. You might be asked, "After an employee threw away old hard drives, data was stolen. What should have been done?" The correct answer is something like "Physically destroy the drives or degauss them."

The exams also test the difference between dumpster diving and other similar concepts. For instance, they might ask about social engineering attacks. Dumpster diving is not purely social engineering because it does not always involve interacting with a person. However, it is often used to gather information for a social engineering attack, like a vishing or phishing call. Knowing this relationship is key for the Security+ exam. The A+ exam is more straightforward and focuses on the physical disposal of technology assets.

Simple Meaning

Imagine you want to learn secrets about a neighbor. Instead of breaking into their house, you go through their trash cans on collection day. You might find old bank statements, a forgotten sticky note with their alarm code, or a broken phone that still has saved contacts. That is dumpster diving. It is a way to get private information without having to hack a computer or pick a lock.

In a business setting, dumpster diving works the same way. An attacker goes through the company's physical trash bins. They look for anything that might have useful data. This includes printed reports, old invoices, outdated employee lists, and even hardware like old laptops or hard drives. A surprising amount of confidential information ends up in the trash. People often forget that throwing something away does not mean it is gone forever.

Think of your computer password. If you wrote it on a yellow sticky note and then threw that note in the office trash, an attacker could find it. They would not need to guess your password or hack the network. They would just need to be willing to look through your garbage. This is why security experts say that information is only truly gone when it is destroyed, not just when it is thrown away. The core idea is simple: if it is not securely shredded or wiped, it is still out there for someone to find.

Full Technical Definition

Dumpster diving, in the context of information security, is an attack vector that falls under the category of physical and social engineering threats. It involves the retrieval of discarded materials from trash receptacles, recycling bins, or dumpsters with the specific intent of extracting sensitive data. This information can then be used to facilitate further attacks, such as targeted phishing campaigns, credential theft, identity theft, or gaining unauthorized access to systems.

The technical depth of dumpster diving lies not in the act itself, but in the value of the artifacts recovered. An attacker is not looking for banana peels. They are looking for tangible data remnants. This can include printed network configuration diagrams, server inventory lists, firewall rule sets, internal phone directories, old USB drives, hard drives from decommissioned computers, and cardboard boxes from newly purchased software or hardware that reveal licensing details or vendor contracts. From a cybersecurity standpoint, any piece of discarded hardware or paper is a potential source of leaked information.

Data remanence is a key concept here. Simply deleting a file or throwing a hard drive in the trash does not destroy the data. Magnetic media, such as hard disk drives, retain data even after formatting. A dumpster diver with basic technical skills can recover files from a discarded hard drive using freely available software. While the physical act of dumpster diving seems low-tech, the exploitation phase is highly technical. The attacker uses the found information to profile the target organization, identify its network architecture, discover application versions, and create credible social engineering pretexts.

Defensive measures against dumpster diving are procedural and physical. The primary defense is a strict information disposal policy. This includes mandatory cross-cut shredding for all paper documents, degaussing or physical destruction for hard drives (such as shredding or crushing), and secure destruction or verified wiping for USB drives and solid-state drives. Organizations should control access to trash areas and implement a clean desk policy to prevent sensitive documents from accumulating in the first place. In CompTIA A+ and Security+ objectives, dumpster diving is a recognized threat that highlights the importance of physical security controls and proper disposal procedures.

Real-Life Example

Think about the junk drawer in your kitchen. It is full of old receipts, expired coupons, and random notes. One day, you decide to clean it out. You take everything and toss it into the big kitchen trash bag. Now, imagine a stranger comes by later that night and takes that bag. They spread the contents on their kitchen table. Among the old receipts, they find the instruction manual for your new smart lock, which still has the default code written on the back. They also find a bank statement with your account number and a sticky note with your email password.

This is a perfect everyday analogy for dumpster diving. You did not think twice about throwing away a manual or an old statement because they were just pieces of paper. To you, they were garbage. To the stranger, they were a treasure map. The stranger now has your default smart lock code, your banking details, and a way into your email. They did not need to pick a lock or break a window. They just had to be willing to go through your trash.

In the IT world, this happens at companies all the time. An employee might throw away a printed report of customer data because they made a small error and just need a fresh copy. They toss it into a recycling bin. An attacker sees the bin and takes the report. Now, the attacker has real names, addresses, and credit card numbers. The employee did not violate any obvious security rule like sharing a password online, but they left sensitive data completely exposed. The key takeaway is that once something is thrown away, you have lost control of it. The person who takes it owns it.

Why This Term Matters

Dumpster diving matters because it bypasses a huge number of technical security controls. You can have the world's best firewall and the most advanced antivirus software, but none of that helps if an attacker can just pick your login credentials out of a trash can. It is a reminder that security is not just about software. It is about the physical environment and human behavior.

For IT professionals, this means you cannot ignore the physical side of security. You are responsible for the entire lifecycle of data, from creation to destruction. Dumpster diving is one of the easiest ways for an attacker to get a foothold into your network. Once they have a physical asset like a hard drive or a printed network map, their job becomes much easier. They can then use that information to launch a more sophisticated technical attack.

Another reason it matters is that it is often overlooked. Companies spend millions on cybersecurity software but neglect to buy a shredder. A single sensitive document in the trash can undo all that investment. For example, a list of employee email addresses found in a dumpster can be used to send very convincing phishing emails. An attacker can pretend to be the CEO because they found a discarded internal memo with the CEO's signature and writing style.

In practical IT terms, dumpster diving is a threat you can prevent with simple policies and training. Shred everything. Wipe and destroy old hard drives. Lock your dumpsters. And, most importantly, train your staff not to throw away anything with confidential information. It is a low-cost, high-impact security measure that every organization should take seriously.

How It Appears in Exam Questions

On the A+ and Security+ exams, dumpster diving questions are usually disguised within a larger scenario. The exam writers do not typically ask, "What is dumpster diving?" Instead, they describe a situation and test your ability to identify the attack or the correct mitigation.

A common question pattern is the scenario question with a missing cause. For example, a question might say: "A company discovers that an unauthorized person accessed their internal network and stole customer data. An investigation reveals that the attacker had knowledge of the internal IP addressing scheme and the names of specific employees. What was the most likely initial attack vector?" The answer is dumpster diving, because the attacker likely found a discarded network diagram or employee list. The examiner wants you to connect the dots between the physical finding and the technical breach.

Another frequent question type is the remediation or prevention question. It might ask: "An IT manager wants to prevent sensitive data from being recovered from discarded media. Which of the following is the MOST effective method for hard drives?" The correct answer is "Degaussing" or "Physical destruction." The wrong answers might include "Formatting" or "Deleting files," which are not sufficient because data can still be recovered. You need to know the difference between sanitization methods.

A third type is the policy-based question. The exam might ask: "Which of the following policies would BEST reduce the risk of dumpster diving?" The answer is "A clean desk policy" or "An information disposal policy." The question tests your understanding that prevention starts with behavior and procedure, not just technology. Sometimes, the question will list a control like "Shredding documents" and ask whether it is a physical, technical, or administrative control. For Security+, you must classify things correctly.

Finally, there are multiple-choice questions where dumpster diving is one option among several attack types. The question could be: "An attacker retrieves printed emails from a company's trash to gather information for a targeted attack. What type of attack is this?" Among options like phishing, tailgating, and shoulder surfing, you must choose dumpster diving. These questions test your ability to differentiate between similar attack methods.

Practise Dumpster diving Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior IT technician for a small accounting firm. One morning, you notice a man in a dirty jacket looking through the large recycling dumpster behind the office building. You think it is odd but assume he is just looking for bottles or cardboard. Later that week, three employees in the accounting department receive very strange emails. The emails look like they are from the company's CEO, but the language is odd. The emails ask the employees to urgently transfer funds to a new vendor account. The employees are suspicious and report the emails to you.

You start an investigation. You check the trash area and see that someone has been rummaging through it. The dumpster is not locked. Inside, you find torn-up documents. You piece a few of them together. One is a list of employee names, email addresses, and phone numbers. Another is a partially destroyed memo from the CEO that includes her signature and a few phrases she commonly uses.

You realize what happened. The man you saw was not a homeless person looking for recyclables. He was an attacker practicing dumpster diving. He took the employee directory and the CEO memo from the trash. He used the CEO's name and writing style to write a convincing phishing email. He used the employee email list to know who to target. The attacker did not need to hack the company's server. He just needed to look in the trash. The entire attack started because someone in the office threw away a printed employee directory and an old memo instead of shredding them.

The solution is immediate. You recommend that the company buy a cross-cut shredder for every desk and lock the dumpster. You also suggest a clean desk policy so that employees do not leave sensitive documents out overnight. This scenario shows how a simple act of dumpster diving can lead to a sophisticated cyberattack. It also highlights why proper disposal is a critical part of IT security.

Common Mistakes

Thinking formatting a hard drive makes data unrecoverable.

Formatting a drive only removes the file system pointers. The actual data remains on the platters or NAND chips until it is overwritten. Specialized software can easily recover formatted data.

Use a degausser for magnetic drives or physically destroy the drive (shredding, crushing) for all types. For SSDs, use a secure erase command that performs a full overwrite.

Believing dumpster diving is only about paper documents.

Dumpster diving also targets hardware like old laptops, hard drives, USB sticks, and even discarded cell phones. All of these can contain recoverable data and are a significant threat.

Treat all discarded electronic devices as sensitive. Sanitize or destroy them before disposal, just as you would with paper documents.

Assuming a locked office door prevents dumpster diving.

Dumpster diving happens outside, in trash bins, dumpsters, and recycling areas that are often in public or semi-public spaces. A locked office does not protect trash that has been taken to a disposal area.

Secure the dumpsters themselves with locks or cages. Ensure that all trash areas are monitored or have restricted access.

Confusing dumpster diving with shoulder surfing.

Shoulder surfing involves looking over someone's shoulder to see their screen or keyboard. Dumpster diving involves physically retrieving discarded items. They are both information gathering, but the method is completely different.

Remember the physical action: shoulder surfing is looking, dumpster diving is retrieving from trash.

Thinking a cross-cut shredder is enough for all disposal.

While a cross-cut shredder is excellent for paper, it does not apply to electronic media. You cannot shred a hard drive in a paper shredder. You need separate destruction methods for hardware.

Use a cross-cut shredder for paper and a hard drive shredder or degausser for electronic media.

Exam Trap — Don't Get Fooled

{"trap":"A question asks how to prevent data leakage from discarded hard drives, and one of the options is \"Use a software tool to securely delete the files.\"","why_learners_choose_it":"Learners see the words 'securely delete' and think it is sufficient. They also know that deleting is a common action and assume it works for all situations."

,"how_to_avoid_it":"Understand that 'secure deletion' software is effective if done correctly, but physical destruction or degaussing is the only truly foolproof method. The exam frequently tests the 'least risk' or 'most secure' method, which is rarely just software deletion. Always default to physical destruction for discarded media."

Practical Mini-Lesson

Dumpster diving is a physical attack that can have severe digital consequences. As an IT professional, your job is to ensure that the organization's data cannot be recovered from the trash. This requires a combination of policies, training, and technology.

Start by performing an audit of what goes into the trash. Walk through the office and look at what is thrown away. Are there sticky notes on desks? Are old reports thrown in the bin without shredding? Are old hard drives stacked in an unlocked storage closet waiting to be disposed? Identify every source of sensitive information that is not being handled securely. Common items include printed emails, employee lists, network diagrams, hardware inventory sheets, and old backup tapes.

Next, implement a clear disposal policy. Paper documents containing confidential information must be shredded using a cross-cut shredder. Strip-cut shredders are not sufficient because the strips can be reassembled. Hard drives and solid-state drives must be wiped using a tool that overwrites every sector, then physically destroyed by shredding or crushing. Degaussing works for magnetic drives but not for SSDs. For backup tapes and optical discs, physical destruction is also recommended.

Work with facilities to secure the dumpster area. The dumpster should be in a locked enclosure with access limited to authorized personnel. Security cameras should monitor the area. Employees should be trained to never throw sensitive materials into open trash bins. Instead, they should place them in locked shredding bins that are emptied by a certified destruction service. The service should provide a certificate of destruction for compliance purposes.

Finally, educate users. A common mistake is that employees think small pieces of information are harmless. A sticky note with a username and password seems insignificant, but combined with other discarded items it can be deadly. Use real-world examples in training to show how a single piece of paper can lead to a breach. Remind them that security does not end at the desk. It extends to the trash can. By treating all information as valuable until it is destroyed, you eliminate the dumpster diving threat.

Memory Tip

Dumpster diving = data diving. If it's in the trash, it's not safe. Shred it, wipe it, or destroy it.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Summary

Dumpster diving is a low-tech but highly effective physical security attack where an attacker searches through discarded materials to find sensitive information. It targets the weakness in how organizations and individuals dispose of data. The attacker can obtain passwords, financial records, employee details, and even hardware that still contains readable data. This information can then be used to launch further attacks, such as phishing, pretexting, or direct system access.

Defending against dumpster diving requires a combination of policies and physical controls. Paper documents must be shredded, storage media must be wiped and destroyed, and trash receptacles must be locked and monitored. Security awareness training should remind everyone that information remains valuable even after it is thrown away. For IT certification exams, especially CompTIA A+ and Security+, you must be able to recognize dumpster diving in a scenario and choose the appropriate prevention measure.

The key takeaway is that security is continuous. It does not stop when you hit delete or drop something in the bin. By treating all data as sensitive until it is completely destroyed, you close a simple but dangerous vulnerability. For the exam, remember the telltale signs: trash, dumpster, discarded, and the recovery of information from waste. That is dumpster diving.