How to check if your social security number has been stolen in a giant data theft


A massive lapse of security at National Public Data has resulted in the theft of a wide array of personal data -- including social security numbers -- for almost every American. You can't rewind time to prevent the theft, but there are ways to check if you've been exposed.

National Public Data breach affected millions of people



National Public Data, a company specializing in background checks, confirmed a significant data breach. Hackers infiltrated their database, stealing personal information like names, addresses, and SSNs. The 277GB database is now available for download on a notorious cybercriminal forum, making it a goldmine for identity thieves.

The breach is massive, with 272 million unique social security numbers and 600 million phone numbers. It's twice as large as the infamous Equifax breach in 2017.

How to check if you were affected



Two cybersecurity firms have stepped up to help people determine whether their personal information was exposed in the breach.

Atlas Privacy Data Corporation has created a website, npdbreach.com, which allows users to check if their SSN, phone number, or name and ZIP code are included in the breached database. The site doesn't store user searches, ensuring privacy while investigating.

Search tool for checking if personal data was affected by a breach, requiring first and last name, ZIP code, social security number, or phone number.
NPDbreach.com



The company says 20% of breach records are legitimate but warns that not all information is accurate.

Another cybersecurity company, Pentester, has also launched a site at npd.pentester.com. The platform provides a more detailed view by revealing a user's redacted SSN, date of birth, complete address, and phone number.

While this can help users confirm whether the information is theirs, it also risks exposing partial data that others could exploit. Pentester notes that they've limited the data shown on the site to balance between providing useful information and protecting user privacy.

Website for checking if personal information has been compromised in the NPD breach, featuring a form for inputting name, state, and birth year.
Pentester



Despite the breach's magnitude, National Public Data only acknowledged 1.3 million users affected, which seems low given the leaked data.

To protect yourself, place a free credit freeze and fraud alert with the major credit bureaus -- Equifax, Experian, and TransUnion. A freeze can prevent unauthorized people from opening new accounts in your name.




Comments

  • Reply 1 of 17
    MacPro Posts: 19,807 member
    Regarding the NPD Breach check.  Maybe it's just me, but filling in an online form asking for my details and SS# doesn't feel comfortable.
  • Reply 2 of 17
    I noticed that in the US you have to provide your SSN all the time.

    Whereas in the Netherlands (as an example) you log in through a secure system where other validated organizations can connect to (DigiD) and simply get a “SSN correct” or “SSN no match” result.

    This way the SSN is not in the hands of these third parties but only the first party. 
    And the database is designed in such a way the combination of number and personal details are stored separately, encrypted.

    The US would benefit from a similar system. 

  • Reply 3 of 17
    robin huber Posts: 4,012 member
    Correcting this national problem should be the responsibility of the federal government, not the individual victims. It is the ID number from a federal program that has been stolen. It seems that in this case that the federal government has too little power, not too much.
    edited August 21
  • Reply 4 of 17
    blastdoor Posts: 3,519 member
    Correcting this national problem should be the responsibility of the federal government, not the individual victims. It is the ID number from a federal program that has been stolen. It seems that in this case that the federal government has too little power, not too much.
    They have the power, they just aren’t using it. That is, Congress could pass a law to address the problem but they aren’t passing such laws. Maybe if tens of millions of people experience id theft, there will be political pressure to act.
  • Reply 5 of 17
    blastdoor Posts: 3,519 member
    MacPro said:
    Regarding the NPD Breach check.  Maybe it's just me, but filling in an online form asking for my details and SS# doesn't feel comfortable.
    Agreed, but there’s an easier way to find out if your SSN has been stolen.

    Do you have an SSN?

    If you answered ‘yes,’ then it’s been stolen.
  • Reply 6 of 17
    I’ve had my credit frozen for a while now.
  • Reply 7 of 17
    jbdragon Posts: 2,312 member
    I noticed that in the US you have to provide your SSN all the time.

    Whereas in the Netherlands (as an example) you log in through a secure system where other validated organizations can connect to (DigiD) and simply get a “SSN correct” or “SSN no match” result.

    This way the SSN is not in the hands of these third parties but only the first party. 
    And the database is designed in such a way the combination of number and personal details are stored separately, encrypted.

    The US would benefit from a similar system. 

    No, you do NOT have to provide your SSN all the time.  The only time is when you are dealing with the SSN or your work as they need to file with the SSN.  The police and others ask for it, may even demand it, but NO, do not give it to them.

    But if you hack the SSN directly, then everyone is screwed.  I took a look and my Info is out there also.  I have my Credit Frozen from all 3 services so I should be good.  My old Password is out there for a few places.  But I've been changing out passwords for a while to make them all LONG and computer generated for each site.  So that is not really a factor anymore either.

    So I think I'm OK. I think criminals would go after easier targets!!!  You're never 100% safe.  I do try to use 2-factor at most places also.  
  • Reply 8 of 17
    jimh2 Posts: 654 member
    blastdoor said:
    MacPro said:
    Regarding the NPD Breach check.  Maybe it's just me, but filling in an online form asking for my details and SS# doesn't feel comfortable.
    Agreed, but there’s an easier way to find out if your SSN has been stolen.

    Do you have an SSN?

    If you answered ‘yes,’ then it’s been stolen.
    Masterful response and spot on. We have all been worked over at least once and some of us many times.
  • Reply 9 of 17
    jimh2 Posts: 654 member
    My question is why we cannot have a class action suit against each company that leaks our data. Some companies should be sued out of existence with the NPD company being first in line.
  • Reply 10 of 17
    fred1 Posts: 1,130 member
    blastdoor said:
    Correcting this national problem should be the responsibility of the federal government, not the individual victims. It is the ID number from a federal program that has been stolen. It seems that in this case that the federal government has too little power, not too much.
    They have the power, they just aren’t using it. That is, Congress could pass a law to address the problem but they aren’t passing such laws. Maybe if tens of millions of people experience id theft, there will be political pressure to act.
    Congress doesn’t have time to pass laws like this. They’re far too busy running for reelection, lambasting each other and impeaching. 
  • Reply 11 of 17
    blastdoor Posts: 3,519 member
    fred1 said:
    blastdoor said:
    Correcting this national problem should be the responsibility of the federal government, not the individual victims. It is the ID number from a federal program that has been stolen. It seems that in this case that the federal government has too little power, not too much.
    They have the power, they just aren’t using it. That is, Congress could pass a law to address the problem but they aren’t passing such laws. Maybe if tens of millions of people experience id theft, there will be political pressure to act.
    Congress doesn’t have time to pass laws like this. They’re far too busy running for reelection, lambasting each other and impeaching. 
    They make it easy to dunk on them for sure, but they actually achieved a surprisingly large amount between 2020 and 2022. But unfortunately they didn't do much about this issue. 
  • Reply 12 of 17
    maltz Posts: 486 member
    I checked a few other people I know, and some of them showed up on pentester site but not the npdbreach site.  So check both!

    The pentester site is definitely superior.  There are addresses in this data dump going back at least 25 years, from what I saw on pentester, but the npdbreach site seems to only include more recent records.  But address history is a big part of an identity check.
  • Reply 13 of 17
    maltz Posts: 486 member
    MacPro said:
    Regarding the NPD Breach check.  Maybe it's just me, but filling in an online form asking for my details and SS# doesn't feel comfortable.

    You don't have to provide your SSN.  You can do it by name+ZIP *or* by SSN *or* by phone number.

    However, the pentester site is the one you should use.  I found tons of records on there that weren't listed on the npdbreach site.  The latter actually said that some people weren't affected who actually were.
  • Reply 14 of 17
    zeus423 Posts: 261 member
    blastdoor said:
    Correcting this national problem should be the responsibility of the federal government, not the individual victims. It is the ID number from a federal program that has been stolen. It seems that in this case that the federal government has too little power, not too much.
    They have the power, they just aren’t using it. That is, Congress could pass a law to address the problem but they aren’t passing such laws. Maybe if tens of millions of people experience id theft, there will be political pressure to act.
    If more politicians were hacked, then maybe something would get done. (I had a tough time typing the “get done” part.)
  • Reply 15 of 17
    blastdoor Posts: 3,519 member
    jimh2 said:
    My question is why we cannot have a class action suit against each company that leaks our data. Some companies should be sued out of existence with the NPD company being first in line.
    I’m sure there’s some limited liability what have you that protects them. 

    But it’s interesting to consider what the implications would be if companies could be sued out of existence over a data leak. I’m having a hard time imagining what that world would look like. I suspect it would be a world in which just two or three very large companies have access to personal data, and those companies would be extremely powerful. Apple is increasingly well positioned to be one of those companies.
  • Reply 16 of 17
    blastdoor said:
    jimh2 said:
    My question is why we cannot have a class action suit against each company that leaks our data. Some companies should be sued out of existence with the NPD company being first in line.
    I’m sure there’s some limited liability what have you that protects them. 

    But it’s interesting to consider what the implications would be if companies could be sued out of existence over a data leak. I’m having a hard time imagining what that world would look like. I suspect it would be a world in which just two or three very large companies have access to personal data, and those companies would be extremely powerful. Apple is increasingly well positioned to be one of those companies.
    I think after the first company gets sued out of existence the rest of them will beef up security and do their best to stay ahead of the bad guys. I think the fact nobody has been thrown in jail yet tells them they don’t need to spend the money or time protecting our data. 
  • Reply 17 of 17
    blastdoor Posts: 3,519 member
    JaiOh81 said:
    blastdoor said:
    jimh2 said:
    My question is why we cannot have a class action suit against each company that leaks our data. Some companies should be sued out of existence with the NPD company being first in line.
    I’m sure there’s some limited liability what have you that protects them. 

    But it’s interesting to consider what the implications would be if companies could be sued out of existence over a data leak. I’m having a hard time imagining what that world would look like. I suspect it would be a world in which just two or three very large companies have access to personal data, and those companies would be extremely powerful. Apple is increasingly well positioned to be one of those companies.
    I think after the first company gets sued out of existence the rest of them will beef up security and do their best to stay ahead of the bad guys. I think the fact nobody has been thrown in jail yet tells them they don’t need to spend the money or time protecting our data. 
    My guess is that even before some company gets sued out of existence, most companies would start trying to make changes that would eliminate the need to have such data in the first place. For whatever purpose they previously kept data (payments, marketing, etc), I suspect they would outsource to a third party willing to take on the risk. Exactly what that third party looks like might depend on how the law is written. If the law says all liability shifts to the third party, then there could be third parties that are pretty shady — created just to die. But if some significant but not apocalyptic liability remains with the original firm, then they will have an incentive to find the best third party they can. That would have to be a firm with significant financial and technical resources and a culture of almost pathological secrecy/security. Apple has all those things. Not many other firms do. Many tech firms have a culture of ‘openness,’ so they would lack credibility (though they have the resources). There might be some banks or insurance companies that are truly committed to security, but might not have the technical expertise. Maybe they could team with IBM, which has the technical expertise and I imagine is committed to security, but just doesn’t have the financial resources they used to. 

    So maybe it would be Apple, IBM+banks, and that’s it. Edit: And of course Lumon Industries— their employees have no idea what they’re even working on when they’re at work, let alone when they leave. No data leaks there!
    edited August 26