“Please enter your full name, address and SSN to check if you were exposed!”
There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.
9 digit social security number specifically might be, but a unique number tied to you that is often used as identification when it really shouldn’t isn’t, it’s a shitshow that has been implemented in many countries around the world.
The Finnish version was called an SSN originally for example, though now its a “henkilötunnus”, personal identity code.https://en.wikipedia.org/wiki/National_identification_number
And not all 9-digit numbers are used, so there are fewer than a billion. It sucks when organizations store them because the search space is so small it’s relatively easy to unhash them in a stolen database.
A lot of businesses use the last 4 digits separately for some purposes, which means that even if it’s salted, you are only getting 110,000 total options, which is trivial to run through.
Do TINs overlap with SSNs? Because businesses and non-citizen taxpayers have TINs instead of SSNs, but they’re used just the same.
This I don’t know. I remember reading that around 70%(?) of SSNs have been allocated, and there are enough left for a few decades. No idea whether corporation TINs come from that. I believe non-citizen taxpayers get similar SSNs to citizens. IDK if they pay into social security and collect benefits the same way.
Is there a simple way to find out if your Information was in this leak, and what information it is? I use haveibeenpwned for leaks linked to my email address, but from I read in this article, it’s not linked to my email address.
So how do I found out if my data was leaked without paying for a credit monitoring service?
We got notified by email from the credit monitoring our credit card provides.
Otherwise, how would the republicans get enough votes.
Who TF is “National Public Data?”
A company not dumb enough to store anything in the EU, that’s who. They’d be in real trouble now! Phew.
You’re kidding, right?
With a breach of this size, I think we’re officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.
We have different authentication methods. The hard bit is persuading people to use them.
Before people can be persuaded to use them, we have to persuade or force the companies and sites to support them.
Private keys for everyone.
You get a private key! And you get a private key! And you get a private key!
Indian accent: Hello, this is Microsoft support. Your private key is being hacked and you need to give it to us immediately for safe keeping.
WCGW?
Passkeys. They’re amazing.
Until you realize Apple allows the iPhone to airdrop them. Ugh.
Tying a password to a browser or device isn’t going to make it any easier. Use a password manager and set unique string passwords for everything. If the app supports it, use FIDO physical keys instead of Passkeys
… passkeys basically do all this without you having to know how. Your device /is/ the physical key and /you/ are the secondary auth. It honestly doesn’t get any easier for the user.
What options are there for migrating passkeys to a new device? Easy to lock you into that iPhone and you must use their migration tool when you upgrade. Or I just carry it on my keychain, no vendor lock in.
3rd party password managers are already adding passkey support. Passkeys isn’t an Apple only security technology. FIDO has its place but passkeys is the future for most people like it or not.
Do I need a subscription service for this passkey supported password manager? Or I can just buy a hardware key that can be used on my phone or any device, password manager supported or not. Seems like the freedom and portability of a physical key, like a key to your home or car makes a ton of sense.
Passkeys are based on and supported by the FIDO alliance.
You don’t need a subscription as you well know since you know what they’re based on. And I meant FIDO physical keys as you were alluding to. Why would I ever want another device to use with a device that already has biometric auth? That last a barrier of entry that’s too high for most people.
Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.
Maybe that’s what passkeys are… Haven’t read up on them at all.
Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it’s you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There’s some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it’s like certificates but easier.
I really wish SQRL had taken off. It’s a lot like pass keys, but it used a central certificate to mint per-site certificates (along with per user per site certs if memory serves) and had proper methods of rolling it in and rotating the keys assigned to your account.
Pirate keys for sure. Not using one is just asking for a stranger to grab your booty.
I want a stranger to grab my ass sometime
But I enjoy a booty grabbing.
Pirate keys for sure.
Arrr… SA to ye all!
Start using Yubikeys and telling companies that don’t support them to support them.
The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It’s worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.
What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.
What exactly makes this company so different from the hacking group that breached them? Why should they be treated differently?
All depends on the terms of use from those that provide the data to them that they scraped from. I bet they never expected a customer to do it.
I feel like that might be bad phrasing on the part of the article. They mainly aggregate public records, like legal document style public records, and they also scrapped data from not-(public record) data, which isn’t the same as (not-public) record data.
I feel like I would want more details to be sure though, but scrapping usually refers to “generally available” data.
That all depends. If they’re pulling that private data for use in questionnaires, the terms may not allow them to save it, but they scrape it from the form.
Yeah, it definitely might still be a bad data source,and it’s shady either way, just pointing out that “not public data” has a few meanings, and not all of them are synonymous with “private data”.
Same with the big three credit reporting bureaus Equifax and whoever the fuck. Did anyone ever give them permission to horde all of their personal info? I don’t think so.
the U.S. and other countries “around the world”
meaning, for those of us living on other planets, we are completely safe … such a relief ! /s
It’s best to say around the world just so who ever is reading it doesn’t think it region specific.
For example, they could say “the U.S. and other countries in the western hemisphere.”
How do you like : “worldwide (including self centered U.S.A.)” 🤣 ?
The other way works better since National Public Data is based in Florida and because of the name of the company. If it said “International” instead of “National” the readers would assume it is international data.
Based on the location, name of the company, and the breach mentioning social security numbers, stating the US first is the most logical.
This is why I don’t go to the National House of Pancakes.
Any company accumulating, aggregating, and centralizing every piece of private and public information under the sun about people is a ticking time bomb (and that is a lot of companies these days).
We need harsher penalties for these assholes, and a privacy amendment so that we actually have some rights when dealing with them.
Also, from a national security perspective we need to make sure this isn’t a slow attack to make westerners more vulnerable than other places that aren’t liberal democracies.
A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.
What’s with these companies nobody has heard of causing massive fuck ups?
Because companies you’ve never heard of are the ones doing the infrastructure and data warehousing for the public-facing companies you have heard of.
Seems like a good way to have an infosec weak spot…oh…
It’s capitalism. Do you hate America or something?
Do you hate America or something?
Everyone hates US politics. Even people from the US hate it.
Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.
I’m thinking 3 categories: Reporting, oversight, and accountability.
Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.
Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.
Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.
How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody’s name, without the lending institution verifying that it’s actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.
I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It’s the system that’s broken, tightening up the laws on PII is just a band-aid.
This so much. In fact, go a step further and have a few competing auth services, with some regulatory oversight for managing that much pii.
The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can’t use it as an identifier anywhere else than the Australian tax office.
If I want a loan or a credit card or to open a bank account or any number of things , I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it’s a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points and usually you have to clear 100 points to be “identified”.
So my passport plus my driver’s licence is enough. My driver’s licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver’s licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.
This kind of thing, while slightly more inconvenient, requires a number of physical items that can’t be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver’s licence provides photo ID. People who don’t drive or have a passport can scrape together enough bits and pieces to usually get by.
So it’s time for a change. But it doesn’t have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don’t know.
That’s basically how it works in the US too. For example, for a form I-9, Employment Eligibility Verification, you need a passport, OR both proof of identity and proof of citizenship: https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents
It’s similar for stuff like state drivers’ licenses.
The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of “muh privacy”, even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.
PII data at rest (i.e. in a database) must be encrypted.
If the DB is running, it’s not at rest. Clients side encrypted data would be the way.
I think my definition is pretty standard: https://en.m.wikipedia.org/wiki/Data_at_rest
The catch is interpretation, which the wiki points out:
“Inactive data” could be taken to mean data which may change, but infrequently.
Any company like this one would consider this data “in use” but “inactive” because any person could need a loan at any point.
Ok, bit of an outlandish idea, but how about something like:
- Decree that information about a person is the property of that person, and therefore cannot be possessed without compensation. Think of it like intellectual property, but for your personal information
- Set a standard royalty - say $0.05/year - that must be paid to the owner of that information for as long as that information is held. This forms an incentive to not hold information you don’t need, and gives visibility to all the places that are now forced to contact you every year to pay you the royalty
- Places where you have an explicit contractual relationship with (utilities, banks, …) could have a clause to set the royalty at $0.00, but this can’t be extended to third parties - strong incentive not to transfer information to third parties
- Unauthorised transfer or loss of information could be considered IP theft, and result in significant civil penalties
Wow, you just reminded me of a data use policy I wrote up when I was young and sent a data broker after a security breach!
They laughed at me.
You and I think alike here.
Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can’t “put on your best face” for a single day).
The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).
Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.
I think we also need levels of PII or something, maybe a completely different framework.
There’s this pattern I see at work where you want to have a user identifiable by some key, so you generate that key when an account is created and then you can pass that around instead of someone’s actual name or anything. The problem though, is that as soon as you link that value to user details anywhere in your system that value itself becomes PII because it could be used to correlate more relevant PII in other parts of your system. This viral property it has creates a situation where a stupid percentage of your data must be considered PII because the only way it isn’t is if it can be shown that there is no way to link the data to anybody’s personal information across every data store in the company.
So why is this a problem? Because if all data is sensitive none of it is. It creates situations where the production systems are so locked down that the only way for engineers to do basic operations is to bend the rules, and inevitably they will.
Anyway, I don’t know what the solution is but I expect data leaks will continue to be common passed the point when the situation is obviously unsustainable
2 billion social security numbers? What’s the population of the US?
More than US.
And again they will fail to punish the company responsible for protecting this data for their criminal neglience.
Because that might damage shareholder value
It really should. The shareholders did profit from not investing in security until the incident. Let them suffer.
Good god. Thats like, every person that has ever used a computer probably. Fuck.
Is this why I got the latest scam email saying I need to pay $4k in bitcoin else a video of me wanking would be leaked.
Oh shit sorry. I must have accidentally sent that email to the wrong person. I meant to send that to my dad.
How about you send it to me instead and I’ll pay you the 4k
Ok
