National Public Data (NPD) Social Security Number Leak

[yachi]

Looking for advice on this data leak.  According to the site put out by cybersecurity company Pentester, my information was included, and about half the people I search for as well.  It's a huge data leak.  So far, I got copies of my credit reports from annualcreditreport.com, and in addition to keeping my eye on my accounts through CreditKarma, I've placed a credit freeze on Transunion, Equifax, Experian, and (I didn't realize this one existed) Innovis.

Official advice on the www.identitytheft.gov website is to:
Take up the company's offer (if made) to monitor credit
Get the reports
Consider the credit freeze,
File taxes early
Don't believe scamming callers even if they have my SS number
Continue to check my credit report

Do you guys suggest anything else?  I find the suggestion to file taxes early particularly problematic as I like to wait until the financial companies provide my 1099s.  Is there anything I can do to lock that down?

[mistymoney]

We all just froze credit on all three agencies.

I also have identity protection through a program at work (optional benefit I pay for).

Hoepfully this covers me.

The other question I've been asking lately - is why isn't our credit automatically locked all the time? Seem we should all follow that model and then intervene when we need to access it.

[Sibley]

Regarding the advice to file your taxes early, you do realize that there are plenty of people who file on tax day, right? Or just get extensions and file months later. Once you get your tax forms, get your taxes done. Any depending on your situation, it's perfectly valid to have it mostly done except for that last 1099. Don't sit on it for 6 months.

At this point, I'm sure that everyone's SSN has been leaked multiple times BEFORE this leak. There are so many data breaches and leaks, and those are just the ones that are discovered. There must be some which aren't known. All you can do is your best, don't let it keep you up at night.

[Goldendog777]

Here’s some more in depth info if you really want to go deep.

https://www.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

[reeshau]

Yeah, we have had our credit locked for...20 years?  Back when you had to pay to have it done.

When I went to college, our student ID was SSN + one digit.  Stamped onto a plastic card.

I also shredded some of my first paychecks, from the 90's.  All had the SSN on them.

Times have changed.

I do find when I check credit some of the verification questions are silky, as we have moved several times.  So, they come up with quite the mishmash of attempted-misdirecting answers.

I think one method of defense might be to keep on the move, so bad guys can't guess your history by your current whereabouts.

[use2betrix]

I’m constantly getting letters about data breaches and my personal information on the dark web. Even my credit monitoring service I use from when I do my taxes seems like non stop notifications. It’s hard to tell where to draw the line without it feeling like some constant arduous activity of protection.

[rantk81]

Yeah, for many years, I have had constant "free credit monitoring" of some sort, from multiple different "monitoring companies" due to my data being involved in breaches repeatedly.

It's frustrating that companies can be collect all kinds of information about me (for their benefit/profit), and keep it in big databases, without my consent or even knowledge of it... and keep it in unencrypted forms or otherwise unsecured so that it could be accessed by threat actors/hackers.

Until there is federal legislation with actual teeth, and actual punishments, to restrict such data aggregation, this kind of shit will continue.  I have absolutely zero faith that our elected officials will ever solve this, and even less faith that even if some laws were passed, that they would be enforced.  Look at the "Do Not Call List" -- how well does that work? lol.

[GilesMM]

I wouldn't lose any sleep over it.

[G-dog]

I don’t click links sent by text or email, I assume all texts and some emails are phishing. I use 2-factor authentication on all financial sites.  I pay all recurring bills, including credit card bills via automatic transfer from my bank account.

[oldtoyota]

We all just froze credit on all three agencies.

I also have identity protection through a program at work (optional benefit I pay for).

Hoepfully this covers me.

The other question I've been asking lately - is why isn't our credit automatically locked all the time? Seem we should all follow that model and then intervene when we need to access it.

I agree with you. I have my credit locked from a previous situation yet wonder why the default isn't "locked."

Dealing with ID theft sounds stressful, and I've heard stories of minors and young adults having parents take out loans in their names. This should not be possible for a parent to do to their child.

[crocheted_stache]

I agree with you. I have my credit locked from a previous situation yet wonder why the default isn't "locked."

The default isn't "locked" because credit reporting is and always has been a service to the credit issuers. Credit issuers pay for credit reports, and it's in the interest of credit issuers to make it really easy to apply for that new credit card or loan, because that's how they make their money. If it were about serving consumers of credit, the default would have been frozen, and you wouldn't have had to pay to freeze your credit before the Equifax breach, either.

If you don't like the way it is, please vote accordingly, and let your elected officials know you demand better privacy and security.

[Michael in ABQ]

I froze all three credit reports for my wife and I years ago. I assume my basic personal info has been hacked/leaked multiple times by now.

[AccidentialMustache]

I'm starting to wonder why the feds don't put someone undercover (or get cooperation from a black hat's plea deal) to release 99% garbage data. Have enough accurate from either 1) deceased or 2) otherwise previously released to make it smell semi-legit, but then the rest be noise.

Although from the sounds of this data, that may have already happened.

[crocheted_stache]

At least one more thing occurs to me to do: log in to your own Social Security account, especially if you haven't (ever/lately), and "plant your flag:" https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/

I turned up my annual Social Security statement and I'm being prompted to go through setting up a new login process. Obviously, I'll be making a new, long, strong password; the best multi-factor authentication that's offered (Yubikey > security key generator app (e.g. Authenticator, Authy) > text me a six-digit number); and non-obvious answers to any "security" questions.

It's too easy to figure out where someone went to high school and get the mascot off the website. The answers don't need to be true or even realistic, so I use the passphrase generator in my password safe and record the random result in the password safe entry, along with which question it's supposed to be the answer to. My high school mascot/town I grew up in/first pet's name is thus "Gravy-Exponent-Reunion," except that I'll be hitting that button again and not using the example I just posted in a public forum.

[reeshau]

At least one more thing occurs to me to do: log in to your own Social Security account, especially if you haven't (ever/lately), and "plant your flag:" https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/

I turned up my annual Social Security statement and I'm being prompted to go through setting up a new login process. Obviously, I'll be making a new, long, strong password; the best multi-factor authentication that's offered (Yubikey > security key generator app (e.g. Authenticator, Authy) > text me a six-digit number); and non-obvious answers to any "security" questions.

It's too easy to figure out where someone went to high school and get the mascot off the website. The answers don't need to be true or even realistic, so I use the passphrase generator in my password safe and record the random result in the password safe entry, along with which question it's supposed to be the answer to. My high school mascot/town I grew up in/first pet's name is thus "Gravy-Exponent-Reunion," except that I'll be hitting that button again and not using the example I just posted in a public forum.

I once read an article where the author's answer to "what's your mother's maiden name?" was Superman.  Clearly memorable, (at least to him) and utterly unrelated to the question.  It's not a quiz!

[elysianfields]

I once read an article where the author's answer to "what's your mother's maiden name?" was Superman.  Clearly memorable, (at least to him) and utterly unrelated to the question.  It's not a quiz!

Oh, great, thanks for spoiling it for all of us... jeez.

[reeshau]

I once read an article where the author's answer to "what's your mother's maiden name?" was Superman.  Clearly memorable, (at least to him) and utterly unrelated to the question.  It's not a quiz!

Oh, great, thanks for spoiling it for all of us... jeez.

He did call dibs on Superman at the end of the article, so...