A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also take a closer look at the data broker that got hacked — a background check company founded by an actor and retired sheriff’s deputy from Florida.
On July 21, 2024, denizens of the cybercrime community Breachforums released more than 4 terabytes of data they claimed was stolen from nationalpublicdata.com, a Florida-based company that collects data on consumers and processes background checks.
The breach tracking service HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground both concluded the leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “USDoD.”
On April 7, USDoD posted a sales thread on Breachforums for four terabytes of data — 2.9 billion rows of records — they claimed was taken from nationalpublicdata.com. The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). Their asking price? $3.5 million.
Many media outlets mistakenly reported that the National Public Data breach affects 2.9 billion people (that figure actually refers to the number of rows in the leaked data sets). HaveIBeenPwned.com’s Troy Hunt analyzed the leaked data and found it is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records.
Hunt said he found 137 million unique email addresses in the leaked data, but stressed that there were no email addresses in the files containing SSN records.
“If you find yourself in this data breach via HaveIBeenPwned.com, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”
Nationalpublicdata.com publicly acknowledged a breach in a statement on Aug. 12, saying “there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
The company said the information “suspected of being breached” contained name, email address, phone number, social security number, and mailing address(es).
“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the statement continues. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
Hunt’s analysis didn’t say how many unique SSNs were included in the leaked data. But according to researchers at Atlas Data Privacy Corp., there are 272 million unique SSNs in the entire records set.
Atlas found most records have a name, SSN, and home address, and that approximately 26 percent of those records included a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions).
If there is a tiny silver lining to the breach it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70, and fully two million records are related to people whose date of birth would make them more than 120 years old today.
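The Hunt and Atlas findings above come down to one habit that is worth copying whenever a dump lands on your desk: count people by a normalized identifier, not by rows, and sanity-check the identifiers and dates before quoting a number. The script below is an added example (not code from KrebsOnSecurity, HaveIBeenPwned or Atlas) that runs that analysis over two small constructed files shaped like the leaked fields: one with name/SSN/DOB/address/phone rows, and a separate email file with no SSN column, mirroring Hunt’s observation that the SSN files carried no email addresses. The SSN plausibility rules are the structural ones the Social Security Administration publishes; the rows themselves are invented.

```python
"""Added example: size a leaked people-search dump by unique identifiers,
not by row count. All rows below are constructed; none come from the NPD leak."""
import csv
import io
import re
from datetime import date

# Constructed file shaped like the SSN records. The same person appears three
# times (two address variants, two SSN formats), and one row has an SSN that
# the SSA would never have issued.
SSN_FILE = """\
name,ssn,dob,address,phone
Jane Example,123-45-6789,1954-03-02,"1 Main St, Springfield, IL",555-0101
Jane Example,123456789,1954-03-02,"9 Oak Ave, Springfield, IL",
JANE EXAMPLE,123-45-6789,1954-03-02,"9 Oak Ave, Springfield, IL",555-0101
John Sample,456-78-9012,1899-07-14,"2 Elm St, Miami, FL",
Ann Test,000-12-3456,1970-01-01,"3 Pine Rd, Dallas, TX",555-0199
Bob Demo,222-33-4444,2005-05-05,"4 Birch Ln, Reno, NV",
Cara Mock,333-44-5555,1948-11-30,"5 Cedar Ct, Boise, ID",
"""

# Constructed file shaped like the email records: no SSN column at all.
EMAIL_FILE = """\
name,email,address
Bob Demo,Bob@example.net,"4 Birch Ln, Reno, NV"
Bob Demo,bob@example.net,"4 Birch Ln, Reno, NV"
Cara Mock,cara@example.org,"5 Cedar Ct, Boise, ID"
"""

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw):
    """Return the nine digits, or None if the value cannot be an issued SSN.
    SSA structural rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never assigned, so rows carrying them are junk or typos."""
    m = SSN_RE.match(raw.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return None
    if group == "00" or serial == "0000":
        return None
    return area + group + serial


def age_on(dob, today):
    """Whole years between an ISO date string and `today`."""
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def summarize_ssn_file(text, today):
    """Row count versus unique SSNs, plus the age checks Atlas ran."""
    today = date.fromisoformat(today)
    rows = list(csv.DictReader(io.StringIO(text)))
    dob_by_ssn = {}  # one entry per person, however many rows they have
    bad_ssn_rows = 0
    rows_with_phone = 0
    for r in rows:
        ssn = normalize_ssn(r["ssn"])
        if ssn is None:
            bad_ssn_rows += 1
        else:
            dob_by_ssn[ssn] = r["dob"]
        if r["phone"]:
            rows_with_phone += 1
    ages = [age_on(d, today) for d in dob_by_ssn.values()]
    return {
        "rows": len(rows),
        "unique_ssns": len(dob_by_ssn),
        "bad_ssn_rows": bad_ssn_rows,
        "rows_with_phone": rows_with_phone,
        "mean_age": sum(ages) / len(ages),
        "over_120": sum(1 for a in ages if a > 120),  # almost certainly deceased
        "born_2002_or_later": sum(1 for d in dob_by_ssn.values() if d >= "2002-01-01"),
    }


def unique_emails(text):
    """The email file has no SSN column; dedupe addresses case-insensitively."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower() for r in rows if r.get("email")}


if __name__ == "__main__":
    print(summarize_ssn_file(SSN_FILE, "2024-08-15"))
    print(len(unique_emails(EMAIL_FILE)), "unique email addresses")
```

On the constructed input the seven SSN rows collapse to four people, one row is discarded as structurally impossible, and one person would be 125 years old; scaled up, that is the gap between "2.9 billion rows" and the 272 million unique SSNs Atlas counted.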
TWISTED HISTORY
Where did National Public Data get its consumer data? The company’s website doesn’t say, but it is operated by an entity in Coral Springs, Fla. called Jerico Pictures Inc. The website for Jerico Pictures is not currently responding. However, cached versions of it at archive.org show it is a film studio with offices in Los Angeles and South Florida.
The Florida Secretary of State says Jerico Pictures is owned by Salvatore (Sal) Verini Jr., a retired deputy with the Broward County Sheriff’s office. The Secretary of State also says Mr. Verini is or was a founder of several other Florida companies, including National Criminal Data LLC, Twisted History LLC, Shadowglade LLC and Trinity Entertainment Inc., among others.
Mr. Verini did not respond to multiple requests for comment. Cached copies of Mr. Verini’s vanity domain salvatoreverini.com recount his experience in acting (e.g. a role in a 1980s detective drama with Burt Reynolds) and more recently producing dramas and documentaries for several streaming channels.
Pivoting on the email address used to register that vanity domain, DomainTools.com finds several other domains whose history offers a clearer picture of the types of data sources relied upon by National Public Data.
One of those domains is recordscheck.net (formerly recordscheck.info), which advertises “instant background checks, SSN traces, employees screening and more.” Another now-defunct business tied to Mr. Verini’s email — publicrecordsunlimited.com — said it obtained consumer data from a variety of sources, including: birth, marriage and death records; voting records; professional licenses; state and federal criminal records.
It remains unclear how thieves originally obtained these records from National Public Data. KrebsOnSecurity sought comment from USDoD, who is perhaps best known for hacking into Infragard, an FBI program that facilitates information sharing about cyber and physical threats with vetted people in the private sector.
USDoD said they indeed sold the same data set that was leaked on Breachforums this past month, but that the person who leaked the data did not obtain it from them. USDoD said the data stolen from National Public Data had traded hands several times since it was initially stolen in December 2023.
“The database has been floating around for a while,” USDoD said. “I was not the first one to get it.”
USDoD said the person who originally stole the data from NPD was a hacker who goes by the handle SXUL. That user appears to have deleted their Telegram account several days ago, presumably in response to intense media coverage of the breach.
ANALYSIS
Data brokers like National Public Data typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.
Americans may believe they have the right to opt out of having these records collected and sold to anyone. But experts say these underlying sources of information — the above-mentioned “public” records — are carved out from every single state consumer privacy law. This includes California’s privacy regime, which is often held up as the national leader in state privacy regulations.
You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren’t any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.
In February 2023, PeopleConnect, the owners of the background search services TruthFinder and Instant Checkmate, acknowledged a breach affecting 20 million customers who paid the data brokers to run background checks. The data exposed included email addresses, hashed passwords, first and last names, and phone numbers.
In 2019, malicious hackers stole data on more than 1.5 billion people from People Data Labs, a San Francisco data broker whose people-search services linked hundreds of millions of email addresses, LinkedIn and Facebook profiles and more than 200 million valid cell phone numbers.
These data brokers are the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.
It’s an apt analogy because the dissemination of so much personal data all at once has ripple effects for months and years to come, as this information invariably feeds into a vast underground ocean of scammers who are already equipped and staffed to commit identity theft and account takeovers at scale.
It’s also apt because much like with real-life oil spills, the cleanup costs and effort from data spills — even just vast collections of technically “public” documents like the NPD corpus — can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.
WHAT SHOULD YOU DO?
Should you worry that your SSN and other personal data might be exposed in this breach? That isn’t necessary for people who’ve been following the advice here for years, which is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.
The main reason I recommend the freeze is that all of the information ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.
But beyond that, there are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots. Meaning, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.
All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.
If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. Dispute any inaccuracies you may find. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them: Identity theft and new account fraud are not problems that get easier to solve by letting them fester.
Mr. Verini probably didn’t respond to requests for comment because his company is now the subject of a class-action lawsuit (NB: the lawsuit also erroneously claims 3 billion people were affected). These lawsuits are practically inevitable now after a major breach, but they also have the unfortunate tendency to let regulators and lawmakers off the hook.
Almost every time there’s a major breach of SSN data, Americans are offered credit monitoring services. Most of the time, those services come from one of the three major consumer credit bureaus, the same companies that profit by compiling and selling incredibly detailed dossiers on consumers’ financial lives. The same companies that use dark patterns to trick people into paying for “credit lock” services that achieve a similar result as a freeze but still let the bureaus sell your data to their partners.
But class-actions alone will not drive us toward a national conversation about what needs to change. Americans currently have very few rights to opt out of the personal and financial surveillance, data collection and sale that is pervasive in today’s tech-based economy.
The breach at National Public Data may not be the worst data breach ever. But it does present yet another opportunity for this country’s leaders to acknowledge that the SSN has completely failed as a measure of authentication or authorization. It was never a good idea to use as an authenticator to begin with, and it is certainly no longer suitable for this purpose.
The truth is that these data brokers will continue to proliferate and thrive (and get hacked and relieved of their data) until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century.
Further reporting: National Public Data Published Its Own Passwords
Update, Aug. 16, 8:00 a.m. ET: Corrected the story to note that consumers can now obtain a free credit report from each of the three consumer reporting bureaus weekly, instead of just annually.
Update, Aug. 23, 12:33 p.m. ET: Added link to latest story on NPD breach.
What I don’t understand is where National Public Data got the SSNs from. The “public” sources cited (property, voter, marriage, etc) typically do not have SSNs associated with them.
We have the technology to “own” our personal information. But it would require a public key and a trusted personal storage service, and an authority that manages requests to USE BUT NOT KNOW personal information FROM OUR PRIVATE VAULT, ONLY WITH OUR PERMISSION. Paranoid folks can lock that down. Average folks can use some sort of default policy that at least tracks who asked for what, when, and why.
In the US, this will be impossible to implement because of Money and (legitimate) fear of government incompetence. Add concerns about losing the private key. Leading to ideas about injecting an RFID tag with the private key signed by a central authority under your skin, AKA the Mark of the Beast. Also, we’re all terrified prime factoring with quantum computing will lead to brute force cracking of data with known plain text.
Meanwhile, you can be sure that anyone with no scruples can pull up a list of (Name, SSN, [Emails], [Cracked Passwords], [Health Information], etc.)
Compare this with escalation around breaking and entering. Locks get picked. Someone invents a better lock. Burglars and robbers switch to smashing in a door or window or chainsawing a hole in the wall. Homeowners buy pistols. Robbers carry submachine pistols.
The difference is, in theory, the virtual nature of information allows me to make my house invisible, encase it in two inch thick steel, and create 700 bogus empty virtual houses. That last choice would be the easiest, but current laws would result in being convicted of felony fraud. Only criminals will create fake accounts. 🙂
California requires data brokers to register ( https://oag.ca.gov/data-brokers ) with the state in order to fall under the protection of the law giving them Carte Blanche to gather, advertise, sell, etc. any “public records” on anyone. If they are not registered, they cannot operate as a “protected data broker”. The link above takes you to a 2023 list of data brokers who have registered; however, that is an incomplete list, as California has decided to no longer maintain it yet still requires data brokers to register. There is a registration page link within the page the link takes you to, so you can see the limited information required in order to register as a data broker. This action was taken in order to amend the act and went into place effective Jan 1, 2024, which weakened the original act. Thank you Mr. Newsom!
@BrianKrebs
You might update your information on free credit reports only being available for free annually via annualcreditreport.com as they are now available on a weekly basis (see URL link below).
https://consumer.ftc.gov/consumer-alerts/2023/10/you-now-have-permanent-access-free-weekly-credit-reports
I have found it difficult to obtain some reports via that website and therefore go directly to each CRA’s website to do so. After setting up an account on each, there is no obligation to pay or sign up for “locking” or other pay services. However, the Experian site makes it a little less obvious that you can ignore their extra services. Innovis may also provide a weekly report, but I have not tested that yet.
@Quid
“After setting up an account on each, there is no obligation to pay or sign up for “locking” or other pay services.”
Locking is not the same as Freezing. Freezing was created in the Fair Credit Reporting Act (FCRA) and prevents anyone from running a “credit check” with a CRA reply like “request denied file frozen”. Locking is an invention of the CRAs and a reply would be like “here is the file, but file is locked so do not use”. Why? A frozen file makes the CRAs less money. BTW the CRAs have been playing fast and loose with their process of freezing and thawing almost to the point of making it undesirable for consumers to use it.
As a former Credit Bureau employee and one who developed the original file freeze process at TransUnion, a Lock and a Freeze are technically the same. What it does to your credit report to stop your credit report from being returned in non-exempt permissible purpose situations is the same. For example, if a credit pull is in connection with a credit application, both a locked and frozen file will not be returned. That is a non-exempt permissible purpose. If the credit request is for the collection of a debt, an exempt permissible purpose, then the credit file will be returned fully to the requestor for both locked and frozen files.
The difference is user experience. The Lock is a feature that is incorporated into the credit bureau (certainly at TU) for profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes).
Essentially a lock is just a rebranding of a file freeze. Works behind the scenes exactly the same. And when I was at TU, you went directly into a credit file, a lock would look just like a freeze.
If the lock is the same as the freeze why create confusing new terminology? Are you saying the lock doesn’t allow more info sharing for the bureaus?
I would like to hear Steve’s answer to this as well.
“The difference is user experience. The Lock is a feature that is incorporated in to the credit bureau (certainly at TU) for profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes).”
I’m going to guess that means they can use “locked” credit data for internal marketing of financial products directly, so the (paying?) user can see their data through the service portal but nobody else can access it for the usual credit checks. Whereas the freeze is just all blocked to comply with laws as it’s mandated to be offered. So a lock makes the agency money potentially, a freeze does not. My guess.
It’s simply branding. File freeze was a term coined by the State of California when they passed the first file freeze law. Other states copied that, and once there was a critical mass of states, the bureaus just made freezes available to everyone.
But the terms are wonky. You “freeze” the file. If you want to remove it you could “unfreeze” it. If you wanted to temporarily remove it to process a loan, the legal term was usually “lift” or “temporarily lift.” Others would say “thaw”.
And then there were two ways to temporarily lift it. One with a date-specific range where it would be unfrozen. At TU that range could be between 3 and 30 days. The other way was to use a PIN. The PIN would be valid for a range of time yet had to be provided to the company running the report. If they input it when requesting the file it would come through. No PIN or wrong PIN, file was still frozen. Problem was, most report users had no way to accept the PINs in their archaic systems. So we would always recommend the date range.
All of this is confusing. Locking / Unlocking sounds better, is more easily understood and aligned with terminology card issuers were using where you could lock your card. Discover was one of the originators of that.
Frankly the file freeze thing was a mess for more than a decade. It has more or less normalized now. The Equifax breach pushed that along. However, I still believe the industry would benefit from federal law, creating consistency and hopefully updated terminology.
If you really want to go bonkers, look at some of the state laws on freezing files for minors, commonly referred to as “protected consumers.” In addition to minors it typically includes people living under conservatorships. For the former, they shouldn’t have a credit file. So how do you freeze something that doesn’t exist? You have to create a file for the minor and freeze it. Yet creating that file can make it more likely to expose a minor’s SSN, etc. Happy reading.
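The thread above describes a small access-control policy: a restricted file (frozen or locked, the commenter says the mechanism is the same) is withheld for non-exempt permissible purposes such as a credit application, returned anyway for exempt ones such as debt collection, and opened temporarily either by a date range or by a PIN the requester must present inside that range. The code below is an added example that models exactly that decision; it is not TransUnion’s or any bureau’s code, the 3-to-30-day window is the figure the commenter gives for TU, and the set of exempt purposes is an illustrative assumption (real exemption lists vary by state).

```python
"""Added example: a credit-file access decision under a freeze/lock with
temporary lifts, modelled on the comment thread above. Not bureau code."""
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The comment names debt collection as exempt from a freeze. Assumption: this
# single entry stands in for whatever list a given state's law specifies.
EXEMPT_PURPOSES = {"debt_collection"}


@dataclass
class Lift:
    start: date
    end: date
    pin: Optional[str] = None  # None means a plain date-range lift


@dataclass
class CreditFile:
    restricted: bool = False  # True for a "freeze" and for a "lock" alike
    lift: Optional[Lift] = None


def temporary_lift(cf, start, days, pin=None):
    """Open a lift window starting on an ISO date. Per the comment, TU allowed
    3 to 30 days; a PIN turns the window into a PIN-gated lift."""
    if not 3 <= days <= 30:
        raise ValueError("lift window must be between 3 and 30 days")
    start = date.fromisoformat(start)
    cf.lift = Lift(start, start + timedelta(days=days), pin)


def request_file(cf, purpose, on, pin=None):
    """Decide whether a report is returned on ISO date `on`.
    Returns (returned, reason) so the caller can log the outcome."""
    on = date.fromisoformat(on)
    if not cf.restricted:
        return True, "file not frozen"
    if purpose in EXEMPT_PURPOSES:
        return True, "exempt permissible purpose: returned despite freeze"
    lift = cf.lift
    if lift is None or not (lift.start <= on <= lift.end):
        return False, "request denied: file frozen"
    if lift.pin is None:
        return True, "date-range lift in effect"
    # Constant-time comparison so a wrong PIN is not distinguishable by timing.
    if pin is not None and hmac.compare_digest(pin, lift.pin):
        return True, "PIN lift honoured"
    return False, "request denied: file frozen (missing or wrong PIN)"


if __name__ == "__main__":
    cf = CreditFile(restricted=True)
    print(request_file(cf, "credit_application", "2024-08-15"))
    print(request_file(cf, "debt_collection", "2024-08-15"))
    temporary_lift(cf, "2024-08-10", 7, pin="482913")
    print(request_file(cf, "credit_application", "2024-08-15"))
    print(request_file(cf, "credit_application", "2024-08-15", pin="482913"))
```

The one thing to take from the model is that the exempt-purpose branch is checked before the lift logic: a freeze never stops a debt-collection pull, which is why the commenter can say a lock and a freeze behave identically while still both returning the file in that case.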
Thanks! I somehow missed that memo. I’ve updated the story.
Government files also include: driver’s licenses, hunting licenses, fishing licenses, gun licenses, any professional licenses, building permits, speeding tickets,… it’s a very long list. And you can’t opt out. The money from the sale of government information goes into a slush fund of the government sellers. It’s all off-budget. They are addicted to the sweet, sweet, money from selling your information. Government service is a license to steal.
You should provide evidence of that “slush fund” “off-budget” claim like Mr. Krebs does when he presents information. Not just random accusations . . .
I thought BreachForums was seized after several domain takeovers?
They created a new domain again?
“The site was again shut down and the domain seized on May 15, 2024, though the domain was back under the owner’s control just hours later. ” -wiki
I don’t know about yours, but my SS card says, “For social security and tax purposes — not for identification”.
D’oh!
this is plain theory of identity. Your SS card is an attribute document, not an identity document because the entity that issues your SS card does not have an authoritative citizen register. Only entities with an official citizen register can issue identity documents.
Many people don’t care about this difference, but it is the case anywhere in the world. Passports and identity cards (in countries that have them = practically all except US and UK) are issued by the ministry of interior, which oversees the local authorities that lead the citizen registry or registries.
Any other official documents (drivers licenses, voting cards, whatever) are issued by another entity under a different ministry which is not allowed to have a “source” register. They rely on information from the authoritative register and only indirectly point to it.
In other words: a Passport or ID card says “I, country X, hereby confirm that I have a citizen with the name and information stated in this document”. Any other official document says “I, the Y authority of country X, hereby confirm that the citizen referred to the name on this card (if they really exist, which I cannot ultimately verify), has the attribute Z” (e.g. may drive a car of class B2, or is a licensed attorney or whatever).
It means that physical possession of a social security card cannot be used to prove that it belongs to the person presenting it. That’s all.
The SSN is the only truly unique global person identifier we have in the US. There is absolutely nothing wrong with having such an identifier. Quite the opposite, it makes sense to have such a number and it is very helpful (given that many people share the same name). The problem lies not with the existence of a unique identifier but with various entities’ obviously false assumption that this number is only known to the person to whom it belongs and as such their reliance on it for authentication purposes.
My parents got me an SSN when I was born (1958) and I still have the original little cardboard “explanatory holder” to which the Social Security card was attached. It explained all about how “some day, when you enter the workforce, you will need this information.” But my favorite line on that entire card was “NOTE: your Social Security number should never be used as a form of personal identification.”
@BrianKrebs – your last paragraph is spot on:
“The truth is that these data brokers will continue to proliferate and thrive (and get hacked and relieved of their data) until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century.”
We have GDPR in Europe, which protects individuals (citizens in general, and when acting as customers) and implies significant costs for breached companies not having this in place – so you definitely need something similar!
GDPR do not protect you against identity thefts.
But it does aim to keep your PII in fewer places and hopefully more securely so.
Like someone has pointed out, annualcreditreport.com can be obtained on a weekly basis now. But the process is anything but easy. I bet it is deliberately designed to discourage people. In my case it doesn’t even work. One bureau refuses my login and always tells me to call them. I tried it once and was put in an endless call waiting. I eventually hung up.
Also freezing your record is less than ideal. It may affect your insurance premiums because those companies check your record behind your back. I’ve gone through this before when my auto insurance premium started going up.
The only way to ensure we, as consumers, have a fix for this problem is through federal legislation that will impose a heavy monetary fine on any company that loses our PII. In the U.S., unfortunately, money is the language of security.
annualcreditreport.com appears to be worthless if you live overseas since it requires a current U.S. address for you to request your credit reports. Unless I’m missing something, the comment section doesn’t even provide an entry for email address so they can’t even respond to you if you ask a question.
I lived overseas for many years (up until last year). It is indeed difficult to access your US credit reports directly or via annualcreditreport.com from overseas, but it is not impossible.
First of all, you need to use a VPN that shows your IP address as located in the US. All the credit bureaus and the reporting website block access from non-US IP addresses, so without doing this, you will never get past the login screens.
Second, you need to merely input a VALID US address. It does not have to be your current address, it just needs to be a US address that passes a simple verification check to show that it is a valid address. Although you could pick any US address, you shouldn’t, because the credit bureaus sell your info, which means that credit offers and junk mail will be sent to your name to whatever address you use (even if you have opted out of having your info sold for advertising purposes). I used a family member’s address, as they did not mind getting the junk mail.
Third, you MUST input a valid US mobile telephone number. It does not have to be yours, but it needs to belong to someone who can quickly relay a texted single-use security code to you.
If you do these three things, you can look at your US credit bureau reports from overseas.
Dennis’s comment is correct.
One of the 3 credit bureaus’ web sites to request your credit report does not work and has not for some time now. I have tried many times, requesting either my credit report or my wife’s, and after entering all of the information, it comes back as “not available at this time”. I emailed Annual Credit Report asking about the problem and was sent a form to request my credit report via snail mail. That is not a solution.
For a year or more I’ve been able to freeze, then thaw, my accounts at four CRAs: Experian, Equifax, TransUnion, and NCTUE.
Not that you don’t have a Real Problem, but perhaps further effort would resolve this (clearing cache, trying a different browser, etc.).
Good luck! Our lives are fer shure real complicated!
FYI. Equifax has had a 5-year known-issue with locking users out of their Equifax account when trying to login to freeze/unfreeze. Just search “Equifax login” on Reddit. The best solution so far is to call Equifax support and choose the option to lift freeze, then request an actual agent. Tell the agent you have no luck accessing site and to send a pw reset link. Hope this helps!
The real hacker behind this breach is Wumpus aka Anthony Garced. He hacked Zacks.com and he hacked this!
Is there a way to schedule a recurring request to have your credit reports sent?
Local, state and Federal governments are so grossly negligent with our personal information being stored on databases connected to the Internet or selling the data without redaction. It is disgusting. Then governments think we are so stupid to go for Digital ID and digital money so we can all wake up broke. They truly are crazy.
Here is the lawsuit that has been filed and all the ways the hackers can use your data. https://www.bloomberglaw.com/public/desktop/documentHofmannvJericoPicturesIncDocketNo024cv61383SDFlaAug012024CourtDoc?doc_id=X6S27DVM6H69DSQO6MTRAQRIVBS
Looks like Salvatore Verini is running for the hills. His Florida office has a voice mail referring calls to the California office. A real person answered the phone in CA and I left my name and number for him to call me as he wants to charge for fixing 25 critical items and 1 high profile item. NPD has collected information on me for 38 years and if it wasn’t for the news, I would not have known. Both myself and a family member have phone numbers that are out of state in our records and never belonged to us. We also have credit monitoring and neither of us were notified of this breach. So Life Lock and the rest are a waste of money adding to the fraudulent environment we all currently live in.
We froze our accounts, however, it is pretty much useless with TransUnion as they provide no confirmation number to unfreeze and will use your personal information published all over the dark web to unfreeze. Sorry but you can’t cure dumb. It is literally impossible to have privacy thanks to the incompetency starting at the top of the pyramid of the WEF, Davos and IMF group and trickling on down. Even my state lost my birth certificate for the National ID driver’s license without any explanation and I had to provide it again. Three months after renewal, the news reported the Chinese hacked the driver’s data base. I think I am starting to understand the sovereigns, which is sad that they are more right than wrong.
Considering the magnitude of this breach I’ve been surprised how little coverage there has been about this in mainstream media. And the “expert” they use in their story usually isn’t very expert about what happened or how to react; just rehashing what’s already been said.
It’s also frustrating to know that about the only thing we can do is freeze our credit, knowing that the credit bureaus are making it increasingly easier for someone else to unfreeze without a PIN by supplying KBA using what is now publicly available data.
Recalling the ease that Experian allowed accounts to be hijacked going back to 2022; does anyone know if they ever fixed that or is their account security still incredibly bad?
I don’t think they ever fixed it. I checked a few months ago and it still allowed anyone to re-sign up as anyone else. Notification email only after someone has assumed your identity/account.
Also freezing your record is less than ideal. It may affect your insurance premiums because those companies check your record behind your back. I’ve gone through this before when my auto insurance premium started going up.
That’s how they coerce you into compliance with the whole credit report system. Fiscal punishment for doing nothing but legitimately, logically and legally protecting access to your personal information. Plus it’s such an intrusion on your right to privacy. A bank may need to know my credit worthiness, but it really is not an employer’s business, IMHO. Nor anybody else’s really unless I’m doing a business transaction that requires credit. It’s so sad that without that credit report, and a good credit rating, it is much harder to live in America.
Hence, when I crossed a certain threshold in age, I froze it all, they can kiss my derriere on the whole credit thing, and I’ve been diligently trying to get my credit score to zero before I give up the tent. It’s taken me years, but I’ve gotten it down to the score of 4!
Remember where to check to see if your stuff is running outside of the barn:
https://haveibeenpwned.com/
What about the impact of resetting account passwords where only an email address and social is needed. For example, go to PayPal.com, click Forgot Password, put your email, select reset with Social, put that in, enter new password, you’re now in My Account with full access. In my case I have 2FA setup and it didn’t even ask for this after changing my password. Shocking. I also checked Chase.com, just need your card number and social and boom, it not only then reveals your username onscreen, it lets you reset password, again, bypassing 2FA. These companies need to update their password reset processes to not be based off social.
It should never have been based on SSN in the first place. That’s ridiculous.
“go to PayPal.com, click Forgot Password, put your email, select reset with Social”
I think you need to reconsider the setup config for 2FA in your PayPal account. The only 2FA option I have chosen for account access is a hardware security key. Therefore, for account recovery purposes, that is the only 2FA option PayPal offers me after entering my email address. You need to actively remove the less secure options from your PayPal security settings, i.e. Social, SMS, etc., and ONLY use OTP codes, an authenticator app or a hardware security key.
The banking institutions, however, are a totally different kettle of fish. In my jurisdiction, not the US, https://2fa.directory lists 3 main categories of interest: Banking, Finance and Payment Platforms; all have wildly different attitudes towards 2FA implementation. Only 10 out of 30 (30%) banks offer the service, that is, two thirds DON’T!! Whereas, finance and payment platforms list 33 out of 43 (77%) and 29 out of 35 (83%) respectively, that DO.
I personally have linked any banking and finance services that require online activities to my PayPal account because of their security and charge back features. Anything else, I visit the branch personally. Convenience be damned.
For credit card masking use Privacy.com or Ironvest.com.
The second reference to Have I Been Pwned uses the incorrect address haveibeen(o)wned.com.
I thought it was odd when my browser told me I could not connect using https.
One thing that isn’t getting much mention is now that (almost) everyone’s SSN is public there is a high likelihood of increased tax fraud. It is probably best to go ahead and request a PIN from the IRS in addition to everything else we need to do to protect ourselves. Better yet would be if the IRS acknowledged the need and proactively issued taxpayer PINs to everyone.
Thank you, just did this!
Why do these ‘data broker’ websites all look like they were created in 1997? When the NPD breach was first reported, and I did a bit of research on them, I just assumed it was a criminal front to begin with, based on the child-like website — but now I see all of these ‘data broker’ outfits look/feel the same.
I think I’m now back in the “they’re all criminal fronts” camp.
Thank you, BK, for shining the light on this awful ‘industry’. Keep the pressure up on the ‘credit bureaus’, too!
“…Americans are offered credit monitoring services. Most of the time, those services come from one of the three major consumer credit bureaus…”
And some non-credit bureau monitoring is worthless if you freeze your reports. Got free monitoring due to a breach with IDX. Except they never show anything about my credit files. Put in several support tickets, but never get a response.
I suspect it’s because my reports are frozen. Of course, with my reports frozen, the monitoring isn’t really needed, but still. My [free but tries to upsell continuously] Experian account does tell me about changes to my credit file though.