And again they will fail to punish the company responsible for protecting this data for their criminal neglience.
Because that might damage shareholder value
It really should. The shareholders did profit from not investing in security until the incident. Let them suffer.
“Please enter your full name, address and SSN to check if you were exposed!”
Is this why I got the latest scam email saying I need to pay $4k in bitcoin else a video of me wanking would be leaked.
How about you send it to me instead and I’ll pay you the 4k
Ok
Oh shit sorry. I must have accidentally sent that email to the wrong person. I meant to send that to my dad.
There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.
Do TINs overlap with SSNs? Because businesses and non-citizen taxpayers have TINs instead of SSNs, but they’re used just the same.
This I don’t know. I remember reading that around 70%(?) of SSNs have been allocated, and there are enough left for a few decades. No idea whether corporation TINs come from that. I believe non-citizen taxpayers get similar SSNs to citizens. IDK if they pay into social security and collect benefits the same way.
And not all 9-digit numbers are used, so there are fewer than a billion. It sucks when organizations store them because the search space is so small it’s relatively easy to unhash them in a stolen database.
A lot of businesses use the last 4 digits separately for some purposes, which means that even if it’s salted, you are only getting 110,000 total options, which is trivial to run through.
9 digit social security number specifically might be, but a unique number tied to you that is often used as identification when it really shouldn’t isn’t, it’s a shitshow that has been implemented in many countries around the world.
The Finnish version was called an SSN originally for example, though now its a “henkilötunnus”, personal identity code.https://en.wikipedia.org/wiki/National_identification_number
Who TF is “National Public Data?”
A company not dumb enough to store anything in the EU, that’s who. They’d be in real trouble now! Phew.
You’re kidding, right?
Dang, that’s quite a few people. Maybe we can stop linking our identity to a simple number in the US sometime? That would be swell.
It sounds like a bad breach, and I’m not arguing against that. I just want to point out my doubts that there were ever 2.9 billion Americans since the founding of the nation, let alone since social security numbers became a thing. Maybe if I bothered to read the article, it would make more sense.
There’s something like 330 million Americans currently alive, give or take. Social Security began in 1935, so that’s 89 years ago. For the sake of making the math easy for a dumb Lemmy comment, let’s figure the population at the time was two thirds of what it is today at 220 million, and we can figure that within the margin of error virtually all of them are dead. Yes there are some Americans between the ages of 90 and 111 but they likely didn’t have social security numbers as children; the practice of assigning a SSN at birth happened later when they tied it to a tax credit for having kids; at first you got a SSN when you got your first job so anyone who was under the age of 15 or so in 1935 wouldn’t have been given one.
So let’s figure 220 million Americans who have since died, and 330 Americans who are still alive, have held social security numbers. That’s 550 million SSNs total. Rough back of the napkin math.
Why guess at the 1935 pop instead of just looking it up?
It was about 127 million.
Because it’s a dumb Lemmy comment.
The SSN itself is limited to under 1 billion possible permutations anyway because the format is 9 total digits. (3 digits hyphen 2 digits hyphen 4 digits.)
And if I recall they also have something weird with the state you were born roughly corresponding to which 3 digit prefix you’re issued. Obviously that isn’t purely true either because that would only give you about 1 million unique numbers per prefix.
Either way they’ve gotta be close to the theoretical maximum of the format without recycling numbers.
Okay, but I’m not sure how revelant that is. The article doesn’t say only Americans were affected, it says the exact opposite.
[…] this data likely comes from both the U.S. and other countries around the world.
Like I said, I didn’t read the article, but only Americans would have social security numbers.
Social security numbers being involved in a breach does not mean that the breach only affects Americans. Some records might not have an equivalent ID number associated with them at all, and some records could have similar ID numbers from other countries. They also list current address as part of the data leaked but the fact many people don’t have a current address didn’t seem to cause you any confusion. The original source lists “information about relatives”, if that was in this title would you have assumed only people with living relatives were included?
“I didn’t read the article” is a poor excuse when you’re commenting on the believability of the article. What happened here is you saw an article, immediately assumed it was about the US, realised that doesn’t make any sense, then dismissed the article without even bothering to check because the title doesn’t fit the US exclusively. It’s crazy to me that you wouldn’t even consider the fact it’s not an exclusively US-based leak.
I mentioned the not reading the article so people would not waste their time citing facts from the article that may explain the headline that suggested billions social security numbers were leaked. I made no assumptions about missing addresses, as the headline didn’t mention anything about missing addresses. I even mentioned that the event the article discussed was probably pretty bad – definitely not a negative against the article’s believability. I’m only guilty of judging a book by its cover, and in an existence of limited time, nobody has time to do any more than that except for limited exceptions. I did not choose to make this article an exception. The headline was mathematically deceptive, and my comment was about that. Nothing more.
If you see an article highlighting a breach of social security numbers and don’t assume it’s about the U.S., that’s crazy to me.
Lol, yeah “National Public Data” has records of over 3 billion people going back 30 years and these people live all over the world, so it seems.
the U.S. and other countries “around the world”
meaning, for those of us living on other planets, we are completely safe … such a relief ! /s
It’s best to say around the world just so who ever is reading it doesn’t think it region specific.
For example, they could say “the U.S. and other countries in the western hemisphere.”
How do you like : “worldwide (including self centered U.S.A.)” 🤣 ?
The other way works better since National Public Data is based in Florida and because of the name of the company. If it said “International” instead of “National” the readers would assume it is international data.
Based on the location, name of the company, and the breach mentioning social security numbers, stating the US first is the most logical.
This is why I don’t go to the National House of Pancakes.
Oh well I feel at this point every man woman and child already had this done to them in United States and our government not doing shit about it.
This one is way more than just the US.
deleted by creator
Hi Steve. Have you heard from Tom? Been a while.
deleted by creator
Stack on another “Free monitoring, 2 years”
What if this was just a scheme to get everyone free monitoring
whoa
If I get to use them consecutively, I’m good for a few lifetimes.
Put a credit freeze on all 3 credit agencies.
Just got this bullshit offer from Ticketmaster for one of their breaches and they are only offering 1 year free credit monitoring.
It’s better than the previous class action which got you nothing but a slight discount on a future Ticketmaster purchase to a very select number of concerts.
I read “free credit monitoring” as allowing your name to get on another list to be sold.
Don’t worry. Their is a service that monitors your information that you give credit monitors. You just have to give them your information.
And I’m sure they’ll delete it in two years so you’re not included in the breach 3 years from now 🙄
Yeah not sure I even care enough to take advantage.
Just freeze your credit. It is the simplest and easiest solution. It sucks, but it seems to be the best utensil to eat the shit sandwich we’ve been fed.
It doesn’t even suck that bad. Last time I had to unlock mine, I saw that the previous unlocking had been two years earlier. Each time I have to do it, I set an end date and it automatically relocks. Whole process takes maybe 10 minutes for the big 3 credit bureaus.
Identity theft monitoring services always scare me. It seems like you are dumping a huge amount of information into a single system and just hoping the vendor is secure. I have access to one but refuse to put much information in. Is this mindset incorrect?
It reminds me of the recent Crowdstrike fiasco: apparently kernel level access was needed for their anti-malware to be able to properly work (because that way their net can cover the entire OS basically), but that high level of access meant that when CrowdStrike fucked up with an update, people’s computers were useless. (Disclaimer, I am not a cybersecurity person and am not offering judgement either way on whether Crowdstrike’s claim about kernel level access was bullshit or not)
In a similar way, in order for identity theft monitoring services to work, they surely will need to hold a heckton of data about you. This is fine if they can be trusted to hold that data securely, but otherwise… ¯\_ (ツ)_/¯
I share your unease, though I don’t feel able to comment on the correctness of your mindset. Though I will say that on an individual level, keeping an eye on your credit reports in general (from the major credit agencies) will go a long way to helping there (rather than paying for serviced that give you a score and other fancy “features”, you can request either free or v. low cost report which just has the important stuff you need to know.)
I also know that if you want to be extra cautious, you can manually freeze your credit so basically no new lines of credit can be opened in your name. This is most useful for people who have already been a victim of fraud, or they expect to be at risk (such as by shitty family, or a data breach). I don’t know how one sets this up, but I know that if you did want to set up a new line of credit, you can call to unfreeze your credit, and then freeze it again when your application for the new credit is all done. I have a friend who has had this as their default for years now because of shitty family.
Yea that’s a tough system to design for. Ideally you want sensitive stuff like that, where you don’t care what the data is just that something matches it, stored as the results of a one-way hash function.
The problem is that most of the data you’re going to want to secure is pathetically tiny. 10 digit SSN? My phone can brute force that in a few minutes if you’re doing raw hashes. Gotta salt them. But now you have a tradeoff decision, salting every one uniquely is best but now your comparison needs to do [leaked data] × [customers] checks to find matches. Same salt on all of them and as soon as one is cracked they all are.
Is there a simple way to find out if your Information was in this leak, and what information it is? I use haveibeenpwned for leaks linked to my email address, but from I read in this article, it’s not linked to my email address.
So how do I found out if my data was leaked without paying for a credit monitoring service?
We got notified by email from the credit monitoring our credit card provides.
How did this company leak 2.9 billion people’s info, including SSNs, when the population of the US is only ~350M?
Is “National Public Data” collecting info on everyone internationally? So many questions…
When applying to a US government position with a certain security clearance, they will do background checks of you, your family and extended family, if need be.
And I’m sure that can be the case for any employer who needs background checks. That being said, I also suspect some of these people in the database are dead.
I just assume ssn is for a us audience and its worlwide with equivalent numbers but who knows. I mean there are only 8 bil on the planet so thats like everyone except maybe china, india, and africa
Read the article? Your questions are answered there.
Go ahead, steal my identity. See if you have any better luck with it.
I keep all my credit reports frozen. These days, everyone should.
Keep in mind there are 4 providers now, not 3!
Oh? Who’s the new one?
ETA: I got woosh’d, didn’t I? I just came off night shift and it’s not even 8AM. That’s my story and I’m sticking to it.
I am. Your login is locked unfortunately. Send me your username and password if you want to unlock it. It’s fairly common. You’ll get your credit score as well.
Such a helpful employee!
User: DaftPensioner Pass: GoRockettes1964!
There are actually more than 3 providers and you should put a freeze on everything you can. You only need unfrozen credit for applying for new lines of credit (loans, credit cards, etc), and unfreezing is a quick process (15 minutes or so).
Here’s a pretty comprehensive guide for protecting yourself: https://old.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/
It’s better to take these steps before you get your identity stolen rather than after. These steps can prevent your leaked information from being used against you.
Seems like this post is two years old at this point. Is it still valid?
Even if some of the information is outdated, although I believe it’s all still valid, the main points / TL;DR are absolutely relevant. It’s unlikely that the main bureaus will change, and although the exact steps for freezing may change over time, the emphasis on freezing is important.
makes sense, thanks
Nope, I’m serious. https://innovis.com/
They’ve grown enough to require locking. There’s also https://www.chexsystems.com/ which many banks use for opening checking accounts. They’re unique because they handle stuff that doesn’t show up in a credit report.
Is anyone else completely unable to register on chexsystems? Usually when this happens I can’t tell if it’s because of my privacy settings or a legitimate fuckup on the server’s end.
Good god. Thats like, every person that has ever used a computer probably. Fuck.
This explains why I’ve been getting so many Indian scam calls the last few days.
