Was your Social Security number leaked to the dark web? Use this tool to find out

This article was first published on August 14, 2014. It was updated on August 18, 2014 to include information about Pentester’s new tool. 

You’ve likely never heard of National Public Data, the company that makes its money by collecting and selling access to your personal data to credit card companies, employers, and private investigators. It now appears that the hacker group USDoD snatched about 2.9 billion of its records. Odds are that your records — including, possibly, your Social Security number (SSN) — are in those databases. 

Also: 7 password rules to live by in 2024, according to security experts

USDoD wanted to sell this data for the low price of $3.5 million. Ironically, before USDoD could profit from the theft, another threat actor, Fenice, swiped the data and released it on the dark web.

How bad is it really? According to the security organization Vx-Underground, the stolen data includes 

• First name
• Last name
• Address
• Address history (three decades’ worth)
• Social Security number

Vx-Underground also found that “the database does not contain information from individuals who use data opt-out services.”  These are sites or services that allow you to say no to a company or group that wishes to keep your records. 

That’s good to know, but for many of you, it’s probably a little late. 

Also: The best VPN services: Expert tested and reviewed

The leaked data, totaling 277GB, can be used for identity theft and fraud. Although the breach does not necessarily affect 2.9 billion unique individuals (due to multiple records per person), it still poses a significant risk. The information can be used to open fraudulent accounts, apply for loans, or even commit tax fraud.

How to find out if your SSN was leaked

There’s a site that can tell you if your SSN was leaked from the personal security company Pentester. It requires that you input your first name, last name, year of birth, and what states you’ve lived in. If your SSN is in there, the site will present you with a chart showing your address in the record and the last two numbers of your SSN.

If you don’t find your records associated with your current state or name, try searching for previous states and/or other last names. 

I tested this tool and found legitimate records listed. 

Also: Delete yourself from the internet with these online data removal services

As Richard Glaser, Pentester’s co-founder, said, “Names, addresses, and phone numbers might change, but your social security number doesn’t.” Financial institutions use SSNs to verify identity and comply with regulations when you apply for loans, credit cards, or investments. If you’re a US citizen, it’s the key to your identity. That’s why it’s crucial that you determine whether or not your SSN is out there. 

How to monitor your credit reports 

If your SSN was leaked, check your credit reports (Experian, Equifax, and TransUnion) for any unauthorized activity (and do so regularly going forward!). Report any suspicious transactions to the credit bureaus, via their websites, and place a credit freeze to prevent new accounts from being opened in your name. 

You can freeze your credit via the credit companies, Equifax Credit Freeze, Experian Credit Freeze, and TransUnion Credit Freeze. Some financial companies, such as Credit Karma, can also help you freeze your credit.

Also: How to freeze your credit – and how it can help protect you after data breaches

If you’re concerned that your data’s been being used against you, it’s time to use an identity theft protection and credit monitoring service to protect yourself. ZDNET recommends Aura as the best overall such service. 

It’s not enough to use these services, though. 

Beware of phishing attempts 

You should also stay vigilant against phishing attacks. Be cautious of emails, texts, or calls that attempt to solicit personal information. Scammers will use your leaked data to craft convincing phishing attacks. For example, I recently got an email purporting to be from my bank, which included my address, warning that my account had been hacked and that I needed to change my password from the included link Right Now.

Also: Stop paying for third-party antivirus software. Here’s why

Anytime you get a message like that, whether it’s warning you of something dreadful or promising you something that sounds too good to be true, don’t trust it. Never click on links from such emails or text messages. 

What to do if you’ve clicked on a phishing link

If you’ve clicked on a phishing link, don’t panic. Do, however, take these steps immediately: 

1. Disconnect from the internet and your local network immediately. This prevents any potential malware from spreading or communicating with malicious servers.

2. Back up important data to an external hard drive or a USB stick. This safeguards your information in case of data loss or corruption. 

3. Run a thorough antivirus check. Don’t have one on your device? Then, you should download an antivirus program to another computer, transfer its installation program to a USB stick, and install it on your affected machine.

4. Change passwords for all your online accounts, especially important ones such as banking and credit card accounts. Use strong, unique passwords for each account, and consider using a password manager.

5. Enable multi-factor authentication. Activate multi-factor authentication (MFA) on your accounts whenever possible. This adds an extra layer of security.

6. Watch your important online accounts. If you see any suspicious activity, contact the company as soon as possible. 

What to do if your SSN is compromised

If someone is using your SSN unlawfully or without your consent, you should take the following steps:

1. File a report with the Federal Trade Commission (FTC) at IdentityTheft.gov. This website will guide you through the process and provide a personalized recovery plan.
2. File a police report with your local law enforcement agency. While they may not be able to investigate immediately, having a police report can serve as important documentation.
3. Monitor your credit reports for any unauthorized accounts or activity. You can get free weekly credit reports from AnnualCreditReport.com.
4. As I mentioned earlier, you should place a credit freeze on your credit reports with all three major credit bureaus — Equifax, Experian, and TransUnion. This prevents new accounts from being opened in your name. You can also place a fraud alert on your credit reports, which requires businesses to verify your identity before issuing credit in your name.
5. Review your Social Security Statement for any suspicious activity, such as unreported income.

Next, contact the Internal Revenue Service (IRS) to prevent potential tax-related fraud. Here’s what to do: 

1. Contact the IRS: You can reach the IRS Identity Protection Specialized Unit by calling 1-800-908-4490. This line is dedicated to assisting individuals who believe they are victims of identity theft involving their tax accounts.
2. Submit an Identity Theft Affidavit: Complete IRS Form 14039, the form used to report suspected identity theft to the IRS. You can submit it online via IdentityTheft.gov, which will forward it to the IRS, or you can download the form from the IRS website and mail it along with your tax return to the address specified on the form.
3. Respond to IRS Notices: If you receive a notice from the IRS indicating that your SSN has been used fraudulently, follow the instructions provided in the notice. Typically, such notices come by snail mail. You may then be required to submit a Form 14039 or other documentation to verify your identity and resolve the issue.

This can be a long, tedious process. But, if you don’t check and — if necessary — protect your accounts, your identity can be stolen. Recovering from identity theft is much more painful than preventing it.

Also: Did you get a fake McAfee invoice? How the scam works and 2 things you should never do

Afterward, stay vigilant and continue monitoring your accounts and credit reports regularly. If you notice any suspicious activity, report it immediately to the relevant authorities and financial institutions. This is not a threat you can deal with once and then ignore. It’s one that will continue for the rest of your life. 

Yes, I hate that too.