Have you ever received a popup on your phone from an app, asking you to grant permission to your data? Chances are, if you want to use the app, you will say yes. However, apps and sites have increasingly collected and sold our data to advertisers for profit, and I’m going to make the case that that is incredibly unsafe. You may not think that Facebook presenting ads for specialized dog food could lead to your personal identity being stolen, but it is a lot easier than you’d think.

First of all, let’s look at the information Facebook, Google, and other large companies collect. While there is no public policy to follow, we can assume that Facebook collects about as much info as you have. When you sign up to the site, you fill out some seemingly meaningless information, such as your gender and where you went to high school. Over time, though, Facebook collects information about every like button you push, every status you post, and even the people who appear in pictures with you.

So what does Facebook do with this information? It sells it. Advertisers (whether from legitimate companies or scams) can buy Facebook ad space and put their content right in the middle of your timeline. The problem is, these ads are typically geared toward you as an individual. Do you ever look up an item once and see it all over your Facebook feed? That is the power of data collecting.

Yet, I still haven’t explained how this can lead to your identity being stolen. The process would actually be quite simple. Let’s say you’re a scam company who tries to steal people’s identities. You would want to steal the information of a rich person, rather than a poor person, right? Well, the data Facebook collects can give you all of the information you need to put people in one group or the other.

However, Facebook does not reveal any personal information about its users, just their browsing habits. You can still find ways around this, as many Facebook pages and posts are regional, even down to the city. Beyond that, you can do some quick digging and find the target’s profile.

From there, you could “Catfish” your potential victim, or you could do digging a few other ways. No matter which you choose, you can fairly easily find information, such as: phone numbers, hometown, address (easily traced to a phone number), email address, and more. Then, you can use some fairly basic phishing attacks or dig deeper into the web to find credit card information or something else valuable enough to steal.

And that is the risk we take by using the Internet. One big point to mention is that this kind of data collection happens on nearly every site you visit, so avoiding Facebook won’t do you much good. Still, just keep in mind that this scenario is theoretical. Facebook would want to avoid its members’ identities getting stolen via its site, so chances are that you will not encounter it. If there is one lesson to take away from this, it is to be careful of how much personal information you put online, as nearly everything else is already out there.