
Social Security Number Compromised — What to Do?

It’s not going to get better any time soon.

Billions of records of personal information, including Social Security numbers, have been exposed. What to do?
Question: Right now what worries me most is the info on the news about all accounts being hacked in the USA. I do keep an eye on my bank accounts and emails and will be putting a freeze on the credit bureau on my accounts. Is there anything else I can do?

This one feels messy.

Let’s look at what happened and what (little) we can do about it.


TL;DR:

Your SSN exposed

A massive breach exposed millions of Social Security numbers and personal details. To protect yourself, monitor your credit score, bank accounts, and credit card transactions. Consider locking your credit. Be extra careful with emails, especially those exposing personal information. Vigilance is critical.

The breach

Via Bleeping Computer:

Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information.

The social security numbers are bad enough, but it gets worse.

The breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.

It feels messy because of the sheer quantity and breadth of the information stolen. The good news, if you want to call it that, is that several experts who’ve looked at the data question its accuracy. That’s not enough to remove the concern, though.

As someone who’s had background checks performed[1], I suspect some of my data is in there. Lovely.

Here’s what I do and recommend you do as well.

Watch your money

Make sure to monitor three things.

  • Your credit score. (Via the credit bureaus, services like Credit Karma, or even your credit card provider.) Ideally, set up a notification for any major changes and any new accounts being created in your name.
  • Your credit card transactions. Either sign up for notifications on every transaction, as I do, or sign in to the credit card provider at least once a week to make sure you recognize all the charges.
  • Your bank accounts. Make sure there’s no unauthorized activity and that no new accounts have been created in your name. (I find it really helps to have a smaller/local bank where folks know you.)

The issue, as you might expect, is identity theft. The information gleaned from the breach — or any breach, for that matter — can be used by thieves to create fake accounts in your name. They then make large purchases or withdraw large amounts of cash, leaving you holding the bag. It’s not always possible to undo the damage, and even when it is, it can be a lengthy and painful process.

You can also consider locking your credit at all three major reporting agencies. This can be a complicated process to set up and manage when it comes time for a legitimate credit check to be performed. I have mine locked and had to jump through a few additional time-consuming hoops when I wanted to open a new credit card account.

Watch your email

The more information hackers have about you, the more easily they can fool you. After every breach like this, they have more and more information: now, apparently, including Social Security numbers.

The result: be very, very careful when dealing with financial and other online accounts.

Always make certain you’re going to the right website.

[Screenshot: chase.com website URL. Check the website URL. (Screenshot: askleo.com)]

In the example above, note there are no warnings next to the URL and it’s the URL we expect: chase.com. If it’s something else, say chaseonlinebanking. com[2], don’t trust it. Use bookmarks you have set up, or type in the correct URL yourself. Do not use links from emails.

Be careful with email notifications. Phishers will do exactly what I just described: use a “close enough” looking domain or URL to trick you into clicking. When you do, you’ll land on a site that looks almost exactly like the site you expect… except it’s not.
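The "is this really the right website?" check can be applied mechanically to the links in a message. This is an added example, not from the original article: it compares the host each link really points to against the domains you have bookmarked. `TRUSTED_DOMAINS`, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains of sites you really use, taken from your own bookmarks.
TRUSTED_DOMAINS = {"chase.com"}

def link_host(url):
    """Return the host a browser would actually connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed URL: treat as untrusted
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None                 # plain http (or no host) is never trusted
    # .hostname ignores anything before "@" and drops the port
    return parts.hostname.rstrip(".").lower()

def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or one of its subdomains."""
    host = link_host(url)
    if host is None or not host.isascii():
        return False                # non-ASCII letters can imitate ASCII ones
    if any(label.startswith("xn--") for label in host.split(".")):
        return False                # encoded form of the same lookalike trick
    # Compare on a label boundary: "notchase.com" must not match "chase.com"
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(message_text, trusted=TRUSTED_DOMAINS):
    """List every link in a message that does not lead to a trusted domain."""
    links = re.findall(r"https?://[^\s<>\"']+", message_text)
    return [u for u in links if not is_trusted(u, trusted)]

# Constructed sample message; the .example hosts are reserved, not real sites.
SAMPLE_EMAIL = """Please click one of the following links:
The information is correct: https://chase.com.verify-info.example/yes
The information is incorrect: https://chase.com@verify-info.example/no
Or sign in at https://www.chase.com/ as usual.
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("Do not click:", link, "-> really goes to", link_host(link))
```

Both flagged links start with "chase.com", yet the host the browser would contact is `chase.com.verify-info.example` in one and `verify-info.example` in the other.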

Because of the breach, those phishing emails can now be tailored directly to you. They can use the information to make their emails look frighteningly realistic.

An example of how the information can be used

Consider this email message.

To: leo@askleo.com
From: my bank

Hello Mr. Notenboom,

In light of recent breaches and other suspicious activity
we're re-verifying the information we have on you.
Please review the following:

Full name: Leo Notenboom
Address: <my actual address>
Phone: <my actual phone number>
SSN: <my actual Social Security Number>
<etc.>

Please click one of the following links:
  The information is correct.
  The information is incorrect.

Thank you for your prompt reply,

<Some official sounding name>
Your bank

Assume that this message comes complete with your bank’s logo and presentation style. It looks like it could really be from your bank. Look at how much they know about you!

Except it’s not from your bank at all, no matter how good it looks. Instead, a hacker or thief has:

  • Collected a bunch of accurate information about you from one or more breaches.
  • Created a fake email that looks like it comes from your bank.
  • Included a bunch of accurate, personal information about you to make it look legit.
  • Asked you to click a link in that email.

No matter which link you click in my example, you’d be taken to the hackers’ site, where they might try to get you to sign in to your bank on a webpage that looks just like your bank, thus giving the hacker your online banking credentials.

Or, as I mentioned above, all that accurate information about you might be used to open a new bank or credit card in your name.

Do this

Everything above sounds pretty scary; hopeless, even.

It’s not.

All it requires is your attention.

  • Pay attention to your finances to make sure nothing suspicious is going on, and reach out to the financial institution if it looks like there may be.
  • Pay attention to the messages you get no matter how much they seem to know about you. Don’t click on email links unless you’re absolutely positive they’re legit (even then, I bypass them and visit my bank directly using a bookmark I’ve saved).

It’s unfortunate that we’re in this position, but it’s not likely that things will change soon. Be it this breach, the next one, or the one after that, your vigilance and the security steps you put into place are required now more than ever.


Footnotes & References

1: Part of my volunteer work requires periodic background checks.

2: This appears to redirect to a malicious site. The additional space before the .com is to ensure it’s not clickable here.

8 comments on “Social Security Number Compromised — What to Do?”

  1. MoneyTalkNews did an excellent article about how to and why you should lock your Social Security Number to stop unauthorized access to your Social Security account. This in addition to the things mentioned in this article.

    Do read the complete article, it is thorough and informative with several sub headings.

    I am not sure if I am allowed to post a link, so instead you can search for the article, which is entitled:

    “How to ‘Lock’ Your Social Security Number — and Why You Should”

  2. In these times, people will have to get proactive in protecting themselves. Whether one is drawing Social Security benefits or not, go to https://ssa.gov and establish a login for My Social Security. Go to https://irs.gov and again establish a login and request that one gets a PIN for filing their tax returns. Both sites now require and use a Login.gov or Id.me account using 2FA to login.
    That’s in addition to putting a freeze on one’s credit reports at all FOUR credit bureaus: Transunion, Experian, Equifax, and Innovis.
    My wife and I both were caught up in the National Public Data breach. Based on the notifications we received, the data appeared to be almost 10 years out of date based on when we changed the house phone number. More concerning was my wife’s SSN is also associated with a completely different name, address and gender. We’ve seen no evidence that it was used for financial purposes, since I’ve had everything locked down when I got caught up in the OPM data breach which was disclosed in 2015. I suspect it was used for ID purposes.
    It has been a headache at times, but so far there’s been nothing on the radar since I took action.

  3. After receiving a few letters from different banks informing me that they could not open a new account because of my credit freeze, I got a Citi debit card in the mail. I am so confused as to how they got past the freeze AND how a debit card will help scammers.

  4. I found this USA Today article helpful, especially the warning not to enter your social security number (SSN) into random web sites (that may not be legitimate) to check if you’ve been hacked. It lists links to two sites where you can check without having to enter your SSN. https://www.yahoo.com/news/dont-tricked-check-social-security-193623199.html :

    “…The following are reputable websites that don’t require Social Security numbers to be submitted, according to CNBC:

    NPD.pentester.com — Only requires people to submit their first name, last name, state and birth year.

    NPDBreach.com — People can search for their information using their full name and zip code, SSN
    OR [emphasis added] phone number…”

  5. Su: You said you got a debit card, not a credit card. This is your money that the bank wants you to spend, so they don’t care about checking your credit.

    A debit card is a blessing to scammers and banks. Your money – ALL your money – can be easily stolen and the bank doesn’t have any responsibility or liability. Don’t use a debit card if you can help it.

    As for credit cards and credit freezes: In addition to the three well-known credit agencies there are at least 4 more out there. And banks have their own databases, especially if you’ve ever had an account with them.

    Finally, for the Joke Of The Day: National Public Data is asking people to enter more personal information on their website so they can tell you if your info has been stolen!

