I think we are closer in agreement on the fundamental principle that OPSEC erosion is cumulative, but the threat model you are describing relies on a slightly outdated view of how OSINT is processed and monetized today. While you are absolutely right that attackers optimize for efficiency and ROI, the math on that efficiency has changed drastically in the last few years due to automation. Nobody is manually reading through 2,600+ posts to build a profile anymore; instead, threat actors scrape forum databases and pipe that data into LLMs to extract structured profiles of tech stacks, legacy pain points, and behavioral quirks for fractions of a penny.
A profile built from configuration threads isn't just a generic combination of an OS and antivirus; it is a bespoke, crowdsourced roadmap for evasion that includes specific versions and custom exclusion rules. Relying on private social networks as a firewall against correlating this data is also a dangerous false sense of security because attackers don't care about your private Instagram. They correlate using historic breach data, meaning if your forum handle, an old password, or your IP footprint exists in a compromised database from five years ago, an attacker instantly has an email address to pivot to your LinkedIn, real identity, and employer. Ultimately, the people pulling this data aren't usually the ones launching spear-phishing campaigns; they are Initial Access Brokers who build bulk, automated lists of IT professionals, link them to their employers via breach data, and attach their confirmed security configurations to sell to ransomware affiliates. The forum provides the exact details of your defenses, and breach data provides your identity, meaning there is zero reason to do the reconnaissance work for them for free even if you consider yourself a small target.
