You may have heard about a lawsuit filed regarding a data breach concerning social security numbers. I encourage you to read at least the first few pages of the linked class action complaint to see how massive a violation of privacy this is.

The data breach concerns National Public Data, a company which offers background checks. They collect personally identifiable information (PII) as a part of their business. The defendant claims that NPD scraped PII from non-public sources (¶11). NPD then stored the data in an insecure manner and did not adequately protect this personal information (¶25). Consequently, a hacking group by the name of “USDoD” stole records of 2.9 billion individuals from NPD. According to the document, the data was independently reviewed by VX-underground, the cybersecurity company. They confirmed the breach included full names, address and address history, and social security numbers. They were also able to identify familial connections, both living and deceased (¶ 22-24).

Based on this class action complaint, NPD’s conduct was grossly negligent, leading to potential identity theft for almost anyone in the United States. It was also a massive privacy violation by scraping data from non-public sources. Even after they took millions of Americans personal information, they failed to secure the data from hackers.

Criminals can ruin your life if they target you with this information. They can open lines of credit without you knowing. You might only find out until creditors call you, demanding that you pay them back (¶60).

So, yeah. I am very concerned. I’ll have to figure out how to defend against this identity theft. Overall, I’m new to the privacy community, but I’m feeling like “privacy” in the United States is an absolute mess. If your data wasn’t somewhere on the dark web, it might be now. Protect your data. Stay safe.

    • @[email protected]
      link
      fedilink
      59
      edit-2
      3 months ago

      Yes! And don’t pay these assholes a dime for the privilege.

      They’re legally required to provide freezes for free, but two of them were trying to sell it as a service through misleading page links, last time I checked.

      • @Passerby6497
        link
        English
        43 months ago

        Experian does it with every. single. login. Really fucking annoying when you have to login multiple times for thawing and whatnot when necessary.

    • @[email protected]
      link
      fedilink
      193 months ago

      Everyone in the US should freeze their credit. Yes, it sucks that you have to unfreeze it to apply for new credit but it doesn’t actually suck that bad. Everything is done through the websites.

      Also what ever email you use, enable 2 factor authentication. I think using OTA is better because people have had their numbers sim swapped.

    • @[email protected]
      link
      fedilink
      193 months ago

      Don’t forget these companies didn’t exist before the late 80’s and credit worked just fine without them.

    • @[email protected]
      link
      fedilink
      63 months ago

      I tried to create an account with TransUnion but it said the identity check failed and won’t create an account, I have no idea what to do now.

      • @Ransack3
        link
        23 months ago

        Yep, same issue, haven’t figured out a fix yet.

      • @[email protected]
        link
        fedilink
        83 months ago

        Unfortunately the US doesn’t work that way. Unless you want to continue living under a rock, you have to deal with your credit.

    • @HootinNHollerin
      link
      33 months ago

      I tried w equifax recently and kept saying not available at this time

    • @inspxtr
      link
      33 months ago

      I’ve never had an account with these. Do I need to create an account with them to freeze my credits? And what kinds of information should I give / not give when I do?

      • @[email protected]
        link
        fedilink
        23 months ago

        If they have your records, then you can request a freeze in a variety of ways. Online is just the easiest way to manage all that.

  • astrsk
    link
    fedilink
    593 months ago

    There’s no longer any restrictions on feeezing and thawing your credit from the big 3 agencies. All of them also offer temporary thawing that automatically freeze after a designated time. Do not under any circumstance permanently thaw them again. If you need new credit cards, credit checks from apartments or mortgaging / car loans, just work with your lender / seller to figure out which agency they will query and when. Set a temporary thaw for as small amount of time as you can, and all will be peachy. What’s more, after a temporary thaw, get a credit report in a couple months after that to verify nothing snuck in during that time.

    • Chozo
      link
      fedilink
      123 months ago

      What does freezing your credit do, exactly? Is this still something someone should do if they don’t even have any credit cards?

      I’ve generally been pretty ignorant toward how credit reporting works.

      • @[email protected]
        link
        fedilink
        24
        edit-2
        3 months ago

        What does freezing your credit do, exactly?

        It prevents opening new credit cards or other lines of credit in your name.

        The reason this matters is lots of fraudsters are using names and SSNs they bought on the dark web, to open credit cards they have no intention of paying back.

        If you’re an American, your name and SSN combination is almost certainly for sale for about 25 cents, on the dark web, today.

        Freezing your credit at all three agencies is the only effective prevention, today.

        The credit agencies will attempt to charge you a monthly fee for the privilege, but don’t fall for it. They’re legally required to provide the service for free.

        If I’m ever a juror on a murder trial where the “victim” worked in leadership at one of the big three credit agencies, I’ll have to admit that I couldn’t possibly convict someone for that.

        Is this still something someone should do if they don’t even have any credit cards?

        Yes. Absolutely. Being a victim of credit fraud can make it impossible to get a home mortgage, or even get certain jobs or apartments. It can be incredibly difficult and expensive to clean up, and the burden is largely left entirely on the victim.

          • @[email protected]
            link
            fedilink
            6
            edit-2
            3 months ago

            Generally they need all of your personal information (Full Name, Date of Birth and SSN - which costs them 25 cents or less on the dark web), plus your username and password that you create when you first visit each site. (Which hopefully isn’t on the dark web, because it’s new and unique.)

            The new username and password that you create are what give some security.

            And a warning, only because someone reading along will need it:

            don’t re-use a password used elsewhere.

            Re-used passwords, from past data breaches, paired nicely with email addresses and full names, also cost about 25 cents on the dark web.

            • @[email protected]
              link
              fedilink
              English
              33 months ago

              Oh nice

              Bitwarden FTW! (If they get hacked it’ll only take, oh, an entire day to change all my passwords 😉 you’re probably a KeePass person?)

              • @[email protected]
                link
                fedilink
                33 months ago

                you’re probably a KeePass person?

                Yeah. I feel seen. Naturally I try to only use the finest artisinal open source from F-Droid.

                Though, honestly, I’m impressed by BitWarden and I’m happy enough to recommend it.

        • @[email protected]
          link
          fedilink
          English
          43 months ago

          How can anyone genuinely write that and still support any country that imposes it.

          Laughable. Fuck this country.

          • @[email protected]
            link
            fedilink
            7
            edit-2
            3 months ago

            Uh… I’m a patriot.

            I fully support my country in every meaningful way, especially those ways that might otherwise make my billionaire overlords feel threatened enough to put a hit out on me.

            More seriously, my neighbors are, on average, fantastic people, that deserve my support.

            Edit: To be clear, I fully agree that this should piss us all off.

      • @[email protected]
        link
        fedilink
        English
        113 months ago

        Freezing your credits means you (or anyone else) cannot access your credit report to open new lines of credit. No credit cards, mortgages, car loans, nothing.

        • Izzie🌴
          link
          fedilink
          73 months ago

          @ChaosCoati @Chozo

          Exactly.

          But it’s very easy and fast to temporarily thaw it when you want to apply for credit.

          I’ve been doing it for years.

          • @[email protected]
            link
            fedilink
            23 months ago

            What are the chances that my attempt to thaw gets denied “for my protection”?

            Because I’ve gotten locked out if every bank account I’ve ever owned at some point “for my protection” just because I tried to login. The only thing stopping me from freezing my credit is fear that I’ll never be able to thaw it because of these terrible anti-fraud systems that lock me out.

            • Izzie🌴
              link
              fedilink
              13 months ago

              @refalo

              Not really. Online they’ll need my user/pass, 2fa for starters.

              If they try to do it by phone they’ll need to first answer a bunch of questions (which yes they can probably get), but then upload a photo of my license…

              • @[email protected]
                link
                fedilink
                2
                edit-2
                3 months ago

                There have been several leaks with driver license and passport photos of people from all over the world, usually from sites or services that need to verify identity like for stock trading or porn.

      • @IphtashuFitz
        link
        English
        43 months ago

        Not easily. The scammer likely has your current address & contact info, but knows nothing about your history.

        To confirm your identity when you contact these reporting agencies they will use details from your credit history by asking detailed questions the scammer likely won’t know. For example it might be questions like these:

        • What kind of car did you purchase in 2005?
        1. Honda
        2. Ford
        3. Saab
        4. Jeep
        5. None of the above
        • Which one of these companies did you work for previously?
        1. IBM
        2. Pizza Hut
        3. Macy’s
        4. Jiffy Lube
        5. None of the above

        They’ll throw 3 or 4 questions like these at you that you’ll have to answer correctly. They might involve places you used to live, banks you have had accounts with, etc. The chances of a scammer with your SSN knowing all these details about you is pretty tiny.

  • @[email protected]
    link
    fedilink
    English
    34
    edit-2
    3 months ago

    What is the data used to freeze your credit? Why couldn’t a bad actor with your SSN unfreeze it?

    Edit: I just froze with the big 3 credit agencies. It took name, address, phone number, email, SSN, birthday.

    So all the stuff that leaks. Why do people think this provides security if a bad actor has the same data to unfreeze?

    • @IphtashuFitz
      link
      English
      83 months ago

      The credit monitoring companies have your up-to-date contact information (and verified) when you put the freeze in place. Now, should a third party try to open an account, etc. in your name it should be blocked from happening and the credit monitoring company should contact you.

      If a scammer tries to unfreeze or otherwise modify your account with them they should also contact you.

      If/when they contact you or you request your account be unfrozen then they’ll use old credit history to confirm your identity. These are a series of three or four random questions that a scammer is unlikely to know. For example they might ask you what kind of car you purchased in 2005, then give you 4 options, like Ford, Honda, Jaguar, or BMW, and then also a “nine of the above” option. Then they might ask you which of the following street addresses you used to live at, and list 4 seemingly random addresses, one of which you might have lived at.

  • Null User Object
    link
    fedilink
    323 months ago

    The best time to have frozen your credit reports at all three agencies was many many years ago. The second best time is right now. Not tomorrow. Now.

    • @nman90
      link
      123 months ago

      Wish I would have known to do this a while ago, I am currently trying to do it now but all three are telling me that my info doesn’t match their records and to call them. Too bad they are all closed right now so I can’t call them, definitely doesn’t bode well for me.

    • @[email protected]
      link
      fedilink
      13 months ago

      so when you freeze your credit your credit score can’t go up either?

      Paying things on time has no effect at that point then right?

      • Null User Object
        link
        fedilink
        33 months ago

        No, it just prevents banks, etc from checking your credit score/rating, which prevents anyone from opening a new account under your name. When YOU want to open an account, you temporarily unfreeze it for a couple days so that the institution you’re opening an account at can check, and then refreeze it.

        The credit agencies will continue monitoring how much credit you have and how well you pay your bills and adjust your score accordingly. Freezing has no effect on that.

  • @bluestribute
    link
    243 months ago

    I like how the only way to protect yourself is to freeze your credit but also the private websites to freeze your credit that also leak your data like a drippy faucet won’t let you create an account to freeze your credit.

  • @[email protected]
    link
    fedilink
    English
    17
    edit-2
    3 months ago

    Freeze your credit report at all three credit agencies and ChexSystems. That should protect you from most fraud that involves opening new accounts.

  • Mikelius
    link
    fedilink
    123 months ago

    The news is kind blowing this up bigger than it really is. But I find this as a good thing because I’ve noticed a few people FINALLY taking the advice I’ve been giving for years now, and that’s to freeze your credit at the big bureaus and some, if not all, of the smaller ones.

    That being said, I checked this data dump for my own data as well as a bunch of friends and family. Not a single person I checked was in it… Which is why I’m not finding this breach to be that frightening personally. The ATT breach was way worse. Also Krebs posted on this today… A good read for anyone interested. Main thing I took from it was a large number of these entries belong to people who have passed away already.

    • @[email protected]
      link
      fedilink
      3
      edit-2
      3 months ago

      Sample size of 1 is not indicative of anything though… several entire families I know were in it when I checked, even people that have been dead for decades, still had their name, address history, DOB, SSN and phone number.

      Personally I consider this way bigger than previous ones because of how accessible the data is. I could never find the previous Experian one, but there’s several sources for this one now, and seems to have a lot more information in it.

      • Mikelius
        link
        fedilink
        13 months ago

        Fair enough, I should have left with the mention of mileage may vary. I checked for some more friends per request since my posting, and out of the 20-30 families I’ve now checked, only 1 was compromised… But they were also in a couple of previous ones too. But of course, this doesn’t mean it’s the same case for everyone else.

    • capital
      link
      2
      edit-2
      3 months ago

      I wonder if you and your social circle skews younger.

      While I wasn’t able to find myself, my spouse, or my younger siblings, I was able to find both my parents, their friends, and older family.

      • Mikelius
        link
        fedilink
        13 months ago

        Friends and I are in the upper 30s and 40s range so not young not old I guess lol. For the family side, I tend to look for all my closer relatives which range in all ages. While there were many many lines that matched our last names, the entries that were a match didn’t have the right phone numbers or addresses (so couldn’t really validate if they were us or others with the same name). Or it could always be that they were addresses so old that I don’t have a record of them to compare to… Considering a large chunk of the data is apparently old, it’s possible that could be a reason I didn’t see everyone, too? I’ll probably go back and dig a little deeper on the family side since I haven’t deleted the data yet.

  • @[email protected]
    link
    fedilink
    53 months ago

    Also be careful of having your experian account being compromised where hackers then attempt to unfreeze your credit.

    • @pdxfed
      link
      43 months ago

      What was the story on that? I remember reading but can’t recall, just anyone could provide a new email if “locked out” with no verification or something essentially invalidating all security setup to that point? Wasnt that fixed?

      • capital
        link
        33 months ago

        There is duplicate data and address history in the dump.

        # of records ≠ # of people.

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        maybe there was a mixup of individual datapoints and individual persons.

        lets see if that could fit.

        as far as i read things in this thread, the whole security is based on exactly these datapoints: Full Name, Date of Birth and SSN (three datapoints) plus username and password for 3 sites (six datapoints) makes 3+6= 9 datapoints per person.

        2.9 billion (us) should be 2.900.000.000 (correct me if i’m wrong, but where i live one “billion” is actually “1.000.000.000.000” thus a “bit” more)

        divided by 9 those 2.9billion would be ~ 320 million.

        on wikipedia they say the us had 331 million people in 2020…

        that would fit like an ass on a bucket! lol just to mention that.

        have a nice day!

      • Possibly linux
        link
        fedilink
        English
        2
        edit-2
        3 months ago

        I know

        That’s why this seems megafishy. It would’ve had to be a international breach plus maybe some dead people

        • @[email protected]
          link
          fedilink
          2
          edit-2
          3 months ago

          It has tons of dead people, duplicates, invalid entries, foreign residents, etc., basically anyone or anything that ever needed a SSN.

    • capital
      link
      1
      edit-2
      3 months ago

      deleted by creator