Why you shouldn't freak out that someone has your IP address

I often see people espousing the dangers of having their IP leaked. I partly blame VPN companies for this fear mongering.

It seems to be a common fear, often discussed on game forums or Reddit threads titled "someone has my IP, what to do?" or "how do I protect my IP address?" and inevitably down in the comments are various people who "work in IT"* and consider themselves cybersecurity experts.

I want to state a few things here, as if even one person sees it and has their anxiety calmed, it's worth it.

Your IP address, by itself, is completely safe to reveal. An IP address, at best, can give someone a very rough idea of your geographical location, and this is assuming the records are up to date. There is a central authority, ICANN, responsible for doling out IP addresses, not to you, but to your ISP. In a very simplified version, ICANN gives your ISP a big block of IPs they are allowed to use, and your ISP eventually assigns one of those IPs to you.

By itself, this information is mostly useless. When I say a rough location I'm talking city at best. My IP shows as being in a totally different town than where my modem actually is. Even getting that close is no guarantee: I've had service calls for the sole reason that a subscriber's IP was showing up as being several hours away from their actual location. At a certain point this actually can cause problems for a customer, such as if a cable TV streaming service is unable to approximate their location and gives them local news from three counties away.

Your IP address may, or may not, change over time. Most ISPs use dynamic IP addresses for residential accounts. This means the IP has a brief lease time, and can change when that lease expires. This lease time is decided by the ISP. Now, just because your IP can change when that lease expires, doesn't mean it always will. I have personally seen "dynamic" IP assignments last for years in some cases. Static IP addressing is usually reserved for business and enterprise accounts because of the limited number of IPv4 addresses available these days. This may change as the world slowly but surely moves over to IPv6.

Your IP changing is not really a big deal, unless you run some type of public facing service off your home internet connection. An IP is just how packets find your modem on the open internet. Try not to let it seem more complicated than it is: the internet is just a bunch of modems and routers. Some are really big, some are really small, but they are all doing functionally the same thing. (Which I've learned is a bad statement to open a Tinder bio with). All they do is point to other computers. An IP, as the name implies, is just an address for said devices. Because computers are (hopefully) fast at updating records, it can change. As long as the records are current, other computers can find your computer; which is good, that needs to happen for the internet to work. I know to some people this all seems very obvious, and it's true I am only stating the obvious, but I think it is worth re-stating given how much misinformation I see that relies on assumptions and ignores simple basic truths.

Simply by connecting to a modem and getting on the internet, you are exposing your IP. Every server, no matter how big or small, can see you connect to them. Bots that scan millions of addresses every day can see you. You probably got scanned within hours of plugging in your ethernet cable. This is generally not a problem, and not something to worry about. Again, all your IP can do is tell someone approximately what city you live in and who your ISP is (assuming current records). Neither of these is particularly personal information. I maintain that you can find way more information about someone with their actual name than you can with an IP.

Now, there is one legitimate threat I can think of: DDoSing. With your IP, someone can DDoS you, grinding your internet connection to a halt for however long they run the DDoS. Most of the people DDoSing are paying for this attack, as they do not have their own botnets, so the longer they keep you down the bigger the hole they burn in their own wallet. This is generally not worth it unless you run some public facing service where even a few hours downtime could be millions of dollars lost in revenue for you. Typically, for you to be worth DDoSing, you need to stand to lose more than the attackers spend. Most people simply aren't that important.

Of course, there are the cases where someone is in a joker mood and says it's not about money, it's about sending a message, and is willing to pay to have you DDoSed for no reason other than because they can. In these cases, your best bet is to unplug your modem and contact your ISP by phone and ask for their advice. It may take a few tries before you get someone who knows what they are talking about, but hey, your internet is down so you've got nothing better to do, right?

The important thing to remember is that unless someone with a lot of money really, really hates you or has something to gain by taking you down, a DDoS is temporary. Eventually, your connection will come back. A DDoS doesn't damage anything, except your sanity. By definition, they are simply flooding your modem with packets and creating a traffic jam. And just like traffic jams on the road, it will eventually clear up. It's inconvenient, but not really threatening. If this thought alone still worries you, you may consider it worth investing in a pre-paid cellular backup to act as a failover connection. That would give you backup connectivity without having to pay full time for a 2nd internet line. These usually start at around $250 for the unit, depending on how fancy you want to get.

Other than that, your IP being "exposed" or "leaked" is not something to lose sleep over. There isn't anything for them to do with just an IP to actually cause you any sort of harm. I would encourage anyone who disagrees with me to please, reach out on Steam/Discord and tell me why I am wrong. I am open to such discussion. If you can explain to me a reasonable threat model for a home user in which they could be harmed simply because a bad actor learned their IP, I will update this page and credit you (if you want to be credited).

With that out of the way, I would like to take a brief moment here to rag on VPN services; as stated earlier, I feel they are partially to blame for adding fuel to this fear fire. Note that in this context I am referring specifically to what most people think of when they hear the term "VPN". That is, a service that you sign up for to protect/anonymize your online activity because you saw it advertised somewhere. I am NOT attacking the technology of Virtual Private Networks in general, or their appropriate use in corporate settings and the like. This is strictly aimed at the public services you see advertised everywhere that belch out the same generic crap buzzwords. Just a few brief points:

1 - "Military grade encryption"
All HTTPS/TLS connections are already encrypted. See the little green padlock in your web browser? You're good. Don't see it? As long as the website doesn't ask for private information, you're still good. No green padlock and the website asks for private information? RUN! Even ignoring that "military grade [anything]" historically means "made by the lowest bidder", I'm not sure what "military grade encryption" is even supposed to be saying. That they use the same algorithms to encrypt data that the military does? Of course they do. Those algorithms are extremely common. They're math operations. I guess I didn't realize the military used a different math than civilians. I wonder if they use a different gravity, too?

2 - "Hide your IP from hackers"
See above.

3 - "Hide from the government"
Just... no. If a three letter agency wants to get you, NorspressbearsharkaccessVPN is not going to stop them. I don't think it would even slow them down. If your threat model as a home user includes the alphabet bois, you are already far past fucked. Just throw your computers away.

4 - "Hide from companies"
Eh... maybe? It depends. The thing is, the device you use to browse the web, whatever it may be, is likely so fingerprintable that your IP is a moot point. Your browser, operating system, the plugins you have installed, your cookie policy, what scripts you allow, what you copy and paste, your timezone, even the way you move the mouse on the page, can combine to paint a very unique picture of a specific device. When that same profile suddenly shows up in different countries, it's pretty glaringly obvious that the user has a VPN. Which might actually make you more interesting, because now you stand out from the crowd. When you switch your VPN server to watch that one show you really want to watch, Netflix knows you didn't suddenly take a very fast plane to Uganda.

5 - "No logs/anonymity"
Says who? Even if, and this is a big if, the VPN provider has had a truly neutral 3rd party do an audit, who's to say the black boxes simply weren't plugged in on that particular day? You have absolutely no way to validate these claims. Even if they are true, if the government hands them a valid court order, they have to start collecting data and they are usually not allowed to tell their customers anything has changed.

And yes, this applies even in Switzerland.
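
To make point 4 concrete, here is an added example (not part of the original page) of how a site could link visits by device attributes alone, with the IP left out entirely. The session records, field names and the "country" value standing in for an IP geolocation lookup are all constructed, and real fingerprinting uses far more signals than these four.

```python
import hashlib
from collections import defaultdict

# Constructed sample of what a site could log per visit. IPs are from the
# RFC 5737 documentation ranges; "country" stands in for an IP geolocation
# lookup. Every value here is made up for illustration.
UA_A = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
UA_B = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
SESSIONS = [
    {"ip": "203.0.113.10", "country": "US", "user_agent": UA_A,
     "timezone": "America/Chicago", "screen": "2560x1440", "languages": "en-US,en"},
    {"ip": "198.51.100.77", "country": "UG", "user_agent": UA_A,
     "timezone": "America/Chicago", "screen": "2560x1440", "languages": "en-US,en"},
    {"ip": "192.0.2.5", "country": "US", "user_agent": UA_B,
     "timezone": "America/New_York", "screen": "1920x1080", "languages": "en-US,en"},
    {"ip": "192.0.2.5", "country": "US", "user_agent": UA_B,
     "timezone": "America/New_York", "screen": "1920x1080", "languages": "en-US,en"},
]

# Attributes the browser reports about itself; the IP is deliberately left out.
FINGERPRINT_FIELDS = ("user_agent", "timezone", "screen", "languages")


def fingerprint(session):
    """Stable identifier built only from device attributes, never the IP."""
    material = "\x1f".join(f"{k}={session[k]}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def link_sessions(sessions):
    """Group visits by fingerprint, regardless of which IP they came from."""
    groups = defaultdict(list)
    for s in sessions:
        groups[fingerprint(s)].append(s)
    return dict(groups)


def countries_per_device(sessions):
    """Map fingerprint -> sorted countries its visits appeared to come from."""
    return {fp: sorted({s["country"] for s in grp})
            for fp, grp in link_sessions(sessions).items()}


def likely_vpn_users(sessions):
    """Fingerprints whose visits geolocate to more than one country."""
    return {fp: c for fp, c in countries_per_device(sessions).items() if len(c) > 1}


if __name__ == "__main__":
    for fp, countries in likely_vpn_users(SESSIONS).items():
        print(fp, "seen from", countries)
```

The first two visits come from different IPs and different apparent countries, yet they collapse into one fingerprint, which is exactly why changing the exit server does not make the device look new.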

"What is YOUR source to back all this up?"

Basically it's a "trust me bro" kind of thing. Or don't. That's up to you. My source is that I am choosing to follow the logic of how technology actually works rather than blindly panic about imagined threats. There are more than enough real threats to worry about, the last thing any of us need is to start freaking out over fake ones. If you don't believe me, I highly encourage you to do your own research. Actually, scratch that, I highly encourage you to do your own research anyway.

Remember this: In order for the internet to work the way it does, both the sender and the receiver need to be able to find each other. When you connect to a website, your ISP knows who you are connecting to because at least part of that connection is over their network. The server also knows who you are, because they need to send you the requested content back. The ISP still however cannot see what you actually do on the page as long as it is encrypted. For example, when you submit payment information, so long as the connection is over HTTPS (which any legit website that handles private information should be), your details are safe even over sketchy public WiFi. Now some websites, like this one, don't encrypt by default, so just make sure you don't submit any personal information directly on those sites. If the admin is even semi-responsible he won't want any. When you use a VPN, you're simply adding an additional hop after your ISP so that all they can see is that you connected to the VPN. However, it is vitally important to remember that the VPN can then see what sites you go to. All a VPN does is shift the trust from your ISP being able to see where you go, to the VPN company being able to see where you go. You have to make a decision to trust these random companies in other countries more than an ISP in your home country that at the very least you can hopefully sue if they do something naughty.

With that said, is there any point to paying for a VPN service? I can think of two: 1) Hiding your IP from the server you are visiting, because you don't trust the owners of it. And 2) Hiding your activity from your ISP, because you want to do something that is illegal** but probably too low-priority for the alphabet bois to get involved; something like sailing the seven seas of torrents. If that is the case, then yes a VPN service might be worth your money.

One more brief full-tinfoil thought: There are tens of thousands of ISPs. If I wanted to harvest as much data as possible about every device and user on the internet, I could try to request data from all of those ISPs. Or, I could make a few shell VPN companies, pay some YouTubers to shill the shit out of them, and try to get as many people to funnel all their traffic through them. That way no matter where people go, or what connection they happen to be on, I can mine their data. Sounds way easier than having to subpoena every mom & pop CLEC and backwoods two-county service provider.

*Note the lack of any specific job title, just "I work in IT". This is my quick litmus test to suss out people who just parrot what they heard from someone who heard from someone. IT is a very, very, very broad field. "Information Technology" means any technology that supplies information. Ask them what their actual job title is. Engineer? Consultant? Admin? Technician? Developer? Analyst? From there, try to drill down into what they actually do. "IT" means nothing to me. It has become a catchall for people to make their job sound cooler than it is. I want to know their actual, internal title.

**I should mention that this is primarily regarding people who live in 1st world Western-ized countries. If you live in a part of the world where the government cracks down on communications that any reasonable person would argue should be legal, then your possible threats are totally different and you may have legitimate reasons to distrust your ISP.