- Nile unwraps NaaS security features for enterprise customers
- Even Nvidia's CEO is obsessed with Google's NotebookLM AI tool
- Get these premium Sony Bravia home theater speakers for $500 off during Black Friday
- The best Black Friday soundbar and speaker deals: Save on Bose, Sonos, Beats, and more
- One of the best pool-cleaning robots I've tested is $450 off for Prime Day
Was your Social Security number leaked to the dark web? Here's how to know and what to do
You’ve likely never heard of National Public Data, the company that makes its money by collecting and selling access to your personal data to credit card companies, employers, and private investigators. It now appears that the hacker group USDoD snatched about 2.9 billion of its records. Odds are that your records — including, possibly, your Social Security number (SSN) — are in those databases.
USDoD wanted to sell this data for the low price of $3.5 million. Ironically, before USDoD could profit from the theft, another threat actor, Fenice, swiped the data and released it on the dark web.
Also: The best VPN services: Expert tested and reviewed
How bad is it really? According to the security organization Vx-Underground, the stolen data includes
- First name
- Last name
- Address
- Address history (three decades’ worth)
- Social Security number
Vx-Underground also found that “the database does not contain information from individuals who use data opt-out services.” These are sites or services that allow you to say no to a company or group that wishes to keep your records.
That’s good to know, but for many of you, it’s probably a little late.
The leaked data, totaling 277GB, can be used for identity theft and fraud. Although the breach does not necessarily affect 2.7 billion unique individuals (due to multiple records per person), it still poses a significant risk. The information can be used to open fraudulent accounts, apply for loans, or even commit tax fraud.
What to do first
First, check to see whether your data is actually out there. The easiest way to do that is with the Have I Been Pwned website. This should be your first resource to find out which breaches you and your data have been involved in and how extensively your data has been leaked. To use Have I Been Pwned, all you need to do is give the site your email address, and in less than a minute, you’ll get the bad news.
Also: Delete yourself from the internet with these online data removal services
Notice, I didn’t say if your data has been leaked. I can guarantee that your data has been leaked. With one data breach following hot on the heels of another for decades now, there’s no question that some of your personal data is out there.
For example, I take security more seriously than many people do, and I’m better equipped than most of you to deal with security and privacy issues. Nevertheless, my data has been ripped off in no fewer than 34 data breaches.
Now, the vast majority of these breaches are relatively harmless. For example, my chess.com account’s email address was revealed. I can live with that. But the USDoD data drop is another matter.
Next, you need to determine just how bad the news really is. If you’ve reason to believe your data’s been being used against you, it’s time to use an identity theft protection and credit monitoring service to protect yourself. ZDNET recommends Aura as the best overall such service.
Also: The best identity theft protection and credit monitoring services
It’s not enough to have these services, though. You should regularly check your credit reports for any unauthorized activity. Report any suspicious transactions to the credit bureaus (Experian, Equifax, and TransUnion) and consider placing a credit freeze to prevent new accounts from being opened in your name.
Also, you should stay vigilant against phishing attacks. Be cautious of emails, texts, or calls that attempt to solicit personal information. Scammers will use your leaked data to craft convincing phishing attacks. For example, I recently got an email purporting to be from my bank, which included my address, warning that my account had been hacked and that I needed to change my password from the included link Right Now.
Also: Stop paying for third-party antivirus software. Here’s why
Anytime you get a message like that, whether it’s warning you of something dreadful or promising you something that sounds too good to be true, don’t trust it. Never click on links from such e-mails or text messages.
What to do if you’ve clicked on a phishing link
If you’ve clicked on a phishing link, don’t panic. Do, however, take these steps immediately:
-
Disconnect from the internet and your local network immediately. This prevents any potential malware from spreading or communicating with malicious servers.
-
Back up important data to an external hard drive or a USB stick. This safeguards your information in case of data loss or corruption.
-
Run a thorough antivirus check. Don’t have one on your device? Then, you should download an antivirus program to another computer, transfer its installation program to a USB stick, and install it on your affected machine.
-
Change passwords for all your online accounts, especially important ones such as banking and credit card accounts. Use strong, unique passwords for each account, and consider using a password manager.
-
Enable multi-factor authentication. Activate multi-factor authentication (MFA) on your accounts whenever possible. This adds an extra layer of security.
-
Watch your important online accounts. If you see any suspicious activity, contact the company as soon as possible.
Also: How to freeze your credit (and why you might want to)
What to do if your SSN is compromised
Let’s suppose, however, you have reason to believe that your SSN has ended up in the hands of crooks. In this worst possible scenario, you should take the following steps:
- File a report with the Federal Trade Commission (FTC) at IdentityTheft.gov. This website will guide you through the process and provide a personalized recovery plan.
- File a police report with your local law enforcement agency. While they may not be able to investigate immediately, having a police report can serve as important documentation.
- Check your credit reports for any unauthorized accounts or activity]. You can get free weekly credit reports from AnnualCreditReport.com.
- Place a credit freeze on your credit reports with all three major credit bureaus (Equifax, Experian, and TransUnion). This prevents new accounts from being opened in your name. You can also place a fraud alert on your credit reports, which requires businesses to verify your identity before issuing credit in your name.
- Review your Social Security Statement for any suspicious activity, such as unreported income.
Next, contact the Internal Revenue Service (IRS) to prevent potential tax-related fraud. Here’s what to do:
- Contact the IRS: You can reach the IRS Identity Protection Specialized Unit by calling 1-800-908-4490. This line is dedicated to assisting individuals who believe they are victims of identity theft involving their tax accounts.
- Submit an Identity Theft Affidavit: Complete IRS Form 14039, the form used to report suspected identity theft to the IRS. You can submit it online via IdentityTheft.gov, which will forward it to the IRS, or you can download the form from the IRS website and mail it along with your tax return to the address specified on the form.
- Respond to IRS Notices: If you receive a notice from the IRS indicating that your SSN has been used fraudulently, follow the instructions provided in the notice. Typically, such notices come by snail mail. You may then be required to submit a Form 14039 or other documentation to verify your identity and resolve the issue.
This can be a long, tedious process. But, if you don’t check and — if necessary — protect your accounts, your identity can be stolen. Recovering from identity theft is much more painful than preventing it.
Afterward, stay vigilant and continue monitoring your accounts and credit reports regularly. If you notice any suspicious activity, report it immediately to the relevant authorities and financial institutions. This is not a threat you can deal with once and then ignore. It’s one that will continue for the rest of your life.
Yes, I hate that too.