News [tom's guide] 2.9 billion hit in one of largest data breaches ever - full names, addresses and ssns exposed

[Lanyap]

If true/accurate , this is the largest personally identifiable information breach we've seen.

2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed

Stolen data was then put up for sale on the dark web

www.tomsguide.com

 

[balloonshark]

The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD.

Well this sucks. I'm already getting multiple letters per year now about my data being breached. This is going to keep on happening until extremely harsh consequences are dealt to the companies playing loosey-goosey with our data.

 

[Steltek]

Well this sucks. I'm already getting multiple letters per year now about my data being breached. This is going to keep on happening until extremely harsh consequences are dealt to the companies playing loosey-goosey with our data.

Yeah, me too. Seems like I get one every 3 months or so.

And, when they say this breach is going back 30 years, they aren't joking. A security company set up the data up where you can do generic searches by name, year of birth, and state of residence. My data appeared there like a dozen different times, with what looks like essentially every single address I have used in the last 30 years.

It really is getting ridiculous at this point.

NPD Breach Check - Pentester.com

npd.pentester.com

 

[Steltek]

Apparently, the breach also included email addresses, phone numbers, and alternate names as well.

So, everyone should be on the lookout for a huge increase in phishing attempts now. You especially might want to keep an eye on any elderly friends and relatives who have computers and use email.

 

[Brainonska511]

Well this sucks. I'm already getting multiple letters per year now about my data being breached. This is going to keep on happening until extremely harsh consequences are dealt to the companies playing loosey-goosey with our data.

This is why I just keep my credit locked down, use an offline password manager for long, random passwords, and turn on 2-factor when available. At least then, impacts of data breaches can potentially be minimized.

Locked credit can be mildly annoying, but 3 bureaus make it easy to do temporary thaws if you know you're about to have some sort of hard credit check when applying for a card or loan.

 

[Skyzoomer]

This is why I just keep my credit locked down, use an offline password manager for long, random passwords, and turn on 2-factor when available. At least then, impacts of data breaches can potentially be minimized.

Locked credit can be mildly annoying, but 3 bureaus make it easy to do temporary thaws if you know you're about to have some sort of hard credit check when applying for a card or loan.

I assume "offline password manager" is a local one as opposed to a cloud one. Computer password managers are dangerous. When a hacker breaches your computer, they can get the encrypted file. They can also install a keylogger to get your keystrokes to breach the encrypted file.

The safer password storage is to have passwords stored on paper and that paper file locked in a safe that's bolted to the floor. A big hassle but safe from computer hackers. Paper password storage along with phone or email 2 factor ID is the way to go. (Note that security questions are not safe 2 factor ID. When a company's data is breached, all of their security questions are also breached. So the ID thieves will know your mother's maiden name, father's middle name, first pet's name, name of your first boss, etc.)

Credit freezes at the 3 credit bureaus are useless. The ID thief has name, ssn, dob, address and other personal data. These are the things the credit bureaus ask for to lift credit freezes. IOW, the ID thieves have the info the credit bureaus ask for to verify one's identity. So they can lift credit freezes before they apply for a credit card under your name.

 

[balloonshark]

Just got a creditwise alert from capital one. My social and an address I used from the late 80's - very early 90's are on the dark web. Fun times. /s

 

[Steltek]

Just got a creditwise alert from capital one. My social and an address I used from the late 80's - very early 90's are on the dark web. Fun times. /s

Pretty much everyone's data is there after this particular breach. Fun times, indeed.

Personally, I think Congress should institute Singapore-style public caning as punishment for management at companies that won't encrypt their damned data. Guess it is too late now, though.....

 

[Lanyap]

Yeah, me too. Seems like I get one every 3 months or so.

And, when they say this breach is going back 30 years, they aren't joking. A security company set up the data up where you can do generic searches by name, year of birth, and state of residence. My data appeared there like a dozen different times, with what looks like essentially every single address I have used in the last 30 years.

It really is getting ridiculous at this point.

NPD Breach Check - Pentester.com

npd.pentester.com

I checked my address in Louisiana where I grew up and moved away from in 1993 and it's in the list. Also all of the addresses where I lived in Alabama (3) are listed with phone numbers and SSN. No DOB though.

 

[mindless1]

And, when they say this breach is going back 30 years, they aren't joking. A security company set up the data up where you can do generic searches by name, year of birth, and state of residence. My data appeared there like a dozen different times, with what looks like essentially every single address I have used in the last 30 years.

NPD Breach Check - Pentester.com

npd.pentester.com

Among others I found an address from 38+ years ago. One entry had my DOB, but it was off a bit.

 

[compcons]

If you haven't already, go to the big three credit reporting agencies and freeze your credit. They all have the ability to setup free accounts for this. One of them was harder to find to setup the free account. Minor inconvenience when you need to apply for credit, but it is pretty easy to login and unfreeze.

And for the love of all that is holy, use different, complex passwords for each agency.

 

[pcslookout]

This is a given to happen. Already has with other sites and companies. I just assume all my info is already out there once connected.

There is no 100% way to prevent it. You can try though.

 

[Steltek]

This is a given to happen. Already has with other sites and companies. I just assume all my info is already out there once connected.

There is no 100% way to prevent it. You can try though.

This is completely true.

About 20 years ago, I was a victim of identity theft. The first I heard of it was when a fraud investigator for Home Depot called me up on Labor Day and said, "Hey, do you know there is some guy running around in Silver Springs, Maryland with an ID with your name and identifying information on it? He just tried to buy a bunch of stuff at one of our stores and we turned him away."

That phone call started one of the most miserable 3 year periods in my life trying to get it all straightened out (and, even then, it took more like 5-7 to get it all off). And, the only connection I had with Silver Springs MD at that time was that was were my (then) federal health insurance was based. The insurance company basically laughed at me and wouldn't help when I tried to get them to investigate. Suffice it to say, I changed insurances the next open season and still, to this day, discourage people from signing up with my prior one (it was the APWU [the American Postal Workers Union] federal health plan, BTW).

 

[Brainonska511]

This is completely true.

About 20 years ago, I was a victim of identity theft. The first I heard of it was when a fraud investigator for Home Depot called me up on Labor Day and said, "Hey, do you know there is some guy running around in Silver Springs, Maryland with an ID with your name and identifying information on it? He just tried to buy a bunch of stuff at one of our stores and we turned him away."

That phone call started one of the most miserable 3 year periods in my life trying to get it all straightened out (and, even then, it took more like 5-7 to get it all off). And, the only connection I had with Silver Springs MD at that time was that was were my (then) federal health insurance was based. The insurance company basically laughed at me and wouldn't help when I tried to get them to investigate. Suffice it to say, I changed insurances the next open season and still, to this day, discourage people from signing up with my prior one (it was the APWU [the American Postal Workers Union] federal health plan, BTW).

Identity theft isn't fun.

My own experience started from a real estate agent who helped us find an apartment in the Boston area. She stole my license info (or perhaps her shady BF did). BF then used the info to rent a car on two separate occasions. First time I learned there was an issue, a local police officer called and asked if I had rented a car from Hertz (no). Second time was about a year later: first, a risk manager from Enterprise contacted me about a car rented from Logan, then a state trooper. They eventually indicted the guy for that crime and a few others and he spent 3 years in federal prison. Of course, a year after the Enterprise incident, they tried to send the bill to collections, so I had to jump through a series of hoops to get them to fix that. Some bean counter probably trying to clear up old debts with whatever names were attached.

Fortunately, after the first incident, I locked my credit - it was a wakeup call to do that stuff. Annoyingly, states make it difficult to report fraud on a license number or don't track when licenses are turned in because people move to another state (ie, my case), the old ID # that was used to commit fraud was still "active" for rental cars. I did try to report my initial fraud to NY, because maybe they'd flag the ID number, but obviously that didn't work (since there was a second incident). Pretty stupid system we've set up.