Hacker News

throwup238

> While the specifics of the data breach remain unclear, the trove of data was put up for sale on the dark web for $3.5 million in April, the complaint reads.

I guess they failed to sell it because links to the leaked data on usdod.io have been available on Breachforum/Leakbase for over a week now. Someone created a magnet link yesterday and it's fully seeded so speeds are fast.

The data in the breach is irreversibly public now.

bhaney

> Someone created a magnet link yesterday

Are you against simply sharing the infohash here? I'd like to download the leak to see what information it has on myself and my family, but I don't really relish the idea of signing up for a breachforums account and sifting through its posts if I can avoid it.

hypeatei

Here is a strongly encrypted base64 version to keep hackers out:

bWFnbmV0Oj94dD11cm46YnRpaDozY2FhNzFmM2VjOGNiY2NjNmZjYTRmZWI3MTg1ZGEyYmFiMTQ5YmE3JmRuPU5QRCZ0cj11ZHA6Ly90cmFja2VyLm9wZW5iaXR0b3JyZW50LmNvbTo4MCZ0cj11ZHA6Ly90cmFja2VyLm9wZW50cmFja3Iub3JnOjEzMzcvYW5ub3VuY2U=

Allegedly, the password (also base64 encrypted) is:

aHR0cHM6Ly91c2RvZC5pby8=

Aeolun

Has anyone been able to reverse this base64 encryption? Whatever am I going to do with this?

Vicinity9635

I dug into this a little and one of the files is 164GB. How do you even work with these files? That is, how would I search for my SSN on my Windows box?

majorchord

I can't believe HN mods think it's ok to leave this comment up. I don't know of a way to report it myself unfortunately.

AmpsterMan

I get it now, but I have so much imposter syndrome that I wasn't sure if this was ACTUALLY something I needed to figure out -__-

e40

Anyone know the size after the 50GB file is un7zipped?

EDIT: answer: 2 files, 176GB and 120GB, total is 298GB.

robustcollector

Elsewhere in this thread I posted a detailed commentary on what the torrent contains.

LorenPechtel

FYI: This is only the two social security files, not the whole breach.

lynndotpy

BitTorrent uses something called a "distributed hash table", for which there exist services to search it (btdig, etc). You can use one of those alongside the torrent name (NPD) to find it.

I haven't downloaded it, but my understanding is that the data comes compressed and with a (weak) password.

eks391

You can check to see if you were in the breach here:

https://npd.pentester.com/search

This will save you the effort of a 30min search per `grep` on the original breached files.

flockonus

FYI, that is likely to be a crime; at the very least there have been cases of websites being punished for linking to illegally distributed IP (even if not hosting it).

bhaney

I'd be worried about legal repercussions if we were talking about the latest Disney movie, but this is merely the private information of a billion people. Never seen IP law give much of a crap about that before.

jmprspret

Is this NPD's "IP" though? Is my personal information that company scraped, now that company's intellectual property?

LorenPechtel

Where's the IP?

It's like phone books--a collection of data, no creative content.

qingcharles

Do you know if the Rhysida ones get torrented?

https://www.ransomlook.io/group/rhysida

aa_is_op

Nobody's gonna pay that much money for it when you can get it from ad companies for pennies

1vuio0pswjnm7

Now everyone just needs to send their email addresses to HIBP, i.e., email HIBP, so he can connect these identities with IP addresses and working email accounts. For people's protection of course.

After everyone "has been pwned" then there is no need for HIBP. The answer is always "yes". Yet I am certain sites like "HIBP" will never go away. Something about email marketing.

Some HN commenter(s) will inevitably try to defend HIBP. But this comment also refers to sites "like HIBP" that use data breach dumps opportunistically to generate web traffic, collect IP and email addresses. Some folks just do not see what is wrong with the idea.

jve

There is trust involved here. And people trust Troy Hunt.

And of course you can download SHA ranges and do lookup offline: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

He even previously encouraged downloading via torrent, but now it seems there is a custom tool to download that data.

shkkmo

The offline lookup is just for passwords (the pwned passwords service) and is used to prevent people from using known breached passwords.

There is no offline availability for the Have I Been Pwned data on which emails were present in which breaches. Access to this data is rate limited and paid API keys are needed for bulk access.
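An added example, not code from jve, shkkmo or the HIBP project, of the offline Pwned Passwords lookup the two comments above describe: the SHA-1 of a candidate password is split into a 5-character prefix that names a downloaded range file and a 35-character suffix that is looked up inside it, so the password itself never leaves the machine. The range contents, every count and the long passphrase are constructed for the example; only the SHA-1 tail of the string "password" is a real value.

```python
import hashlib
import re
from typing import Dict, Tuple

# Constructed stand-in for downloaded Pwned Passwords range files, keyed by the
# 5-hex-char SHA-1 prefix that names each file. Each line is "SUFFIX:COUNT".
# The first suffix under "5BAA6" is the real SHA-1 tail of the string "password";
# every count and all other suffixes are made up for the example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00" + "A" * 33 + ":2",
        "01" + "B" * 33 + ":1",
    ]),
    # Prefix of SHA-1("") with no matching suffix: the range exists, the hash is absent.
    "DA39A": "\n".join(["0" * 34 + "1:5", "F" * 35 + ":1"]),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# A third range keyed by the prefix of a constructed long passphrase, again with
# no matching suffix, so the example can also show a password being accepted.
_DEMO_PASSPHRASE = "correct horse battery staple 2024"
SAMPLE_RANGES.setdefault(sha1_prefix_suffix(_DEMO_PASSPHRASE)[0], "0" * 34 + "2:7")

LINE_RE = re.compile(r"^([0-9A-F]{35}):(\d+)$")


def parse_range(text: str) -> Dict[str, int]:
    """Parse one range file into {suffix: count}, rejecting malformed lines."""
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"malformed range line: {line!r}")
        counts[match.group(1)] = int(match.group(2))
    return counts


def breach_count(password: str, ranges: Dict[str, str]) -> int:
    """How many times the password appeared in breaches, per the local range data."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        text = ranges[prefix]
    except KeyError:
        # A complete download holds all 16**5 ranges; a missing one means the
        # local copy is incomplete, which should fail closed rather than report 0.
        raise LookupError(f"range {prefix} not present in local download") from None
    return parse_range(text).get(suffix, 0)


def password_acceptable(password: str, ranges: Dict[str, str], min_len: int = 12) -> bool:
    """Policy check for a new password: long enough and never seen in a breach."""
    return len(password) >= min_len and breach_count(password, ranges) == 0


if __name__ == "__main__":
    for candidate in ("password", "", _DEMO_PASSPHRASE):
        print(repr(candidate), breach_count(candidate, SAMPLE_RANGES),
              password_acceptable(candidate, SAMPLE_RANGES))
```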

1vuio0pswjnm7

The downloads are the way to go IMHO. But this is coming a little too late. "HIBP" is already making money from "paid API" and other commercial nonsense. Profiting from data breaches. While posing as a hero, catering to a dedicated following. This is, IMHO, everything that is wrong with the web.

The issue I am raising is not whether a particular website operator claiming to be in possession of data breach dumps, that any web user can download themselves, is "trustworthy" or not. The point I am raising is the unnecessary data collection. If these downloads were available from the website from day one, then there would be no "paid API" nor partnerships with so-called "tech" companies or HN HIBP following. There would not be "HIBP" proponents trying to suppress any criticism of it, defending its every move despite its past mistakes. Most importantly, there would be less/no need for "trust".

HIBP is a particularly ugly symbol of the problem of web intermediaries/middlemen and everything/anything "as a service". As expected, HN commenters will not like this viewpoint as they may themselves be trying to profit from such intermediation and the data collection it enables. They may have even convinced themselves they are doing good.

dtquad

HIBP has been audited by independent 3rd parties.

MattGaiser

> After everyone "has been pwned" then there is no need for HIBP.

You can be repeatedly pwned with updated/different information. It is not a one and done thing.

vlovich123

And people are born and die

1vuio0pswjnm7

Using data breach dumps to get web traffic and IP/email addresses under the guise of "helping" is lame. Then partnering with so-called "tech" companies that collect data as a "business". Data collection is the cause of the problem not the solution.

d_burfoot

It's worth remembering that the main reason this kind of data breach is a real problem is mostly due to the incompetence of the IRS. For any serious financial organization, knowing a person's SSN, name, address, etc doesn't allow you to access or withdraw that person's finances.

But the stupidity of the IRS means that people are easily targeted by false tax return attacks. File a fake tax return for someone, using their SSN/name/address, but tell the IRS you changed address. Then the IRS sends your tax refund to the new address, and boom, you just collected some poor sod's refund. To add insult to injury, the IRS is probably going to audit the person whose refund you stole.

smileysteve

But not just the IRS; the banking system, most healthcare providers, states for most of a century, and the credit bureaus for REusing SSN as unique identifier "passwords".

daveguy

I agree. The IRS should be better funded so they can afford to update their systems and hire more tech experts.

grepexdev

I hope this is meant to be satirical. The IRS has a massive budget. Maybe just reallocate their current funds instead of giving them more is a better idea.

boston_clone

I don’t think the parent is satirical at all; as an enumerated power, the IRS needs modernization and better funding.

Recent hiring expansions have increased audits for high earners and generated additional revenue. Turbotax’s lobbyists are losing influence and we’re enjoying free filing options for individuals in some states. It’s also reasonable to say that a revenue service is not responsible for defining authentication security standards.

Why do you think reallocating funds is worth it as a response to this issue? Where would those funds go?

_uhtu

This comment is shockingly misguided.

The IRS doesn't have the authority to mandate the creation of a secure national ID system and enforce its use by the financial system. Only Congress has the ability to really do that. The IRS collects revenue.

Even if it did have that authority, it doesn't have the budget to accomplish that goal.

dingnuts

Isn't it funny how no government service is ever at fault, it's always just a problem of funding? The IRS is good, just underfunded. Public schools are good, just underfunded. The NHS is good, just underfunded. The roads are good, just underfunded.

Except then funding is raised, and it's still a problem of funding. And inevitably, it's the evil side of the government (you know the one) that is to blame, even if there is no money to spend.

How does a public service determine when they have enough funding?

slg

This is neither a problem of funding nor any government service being at fault. This is the fault of American culture. A national ID system sounds too scary to too many Americans. Politicians aren't going to waste their political capital on pushing through something so unpopular. It really isn't any more complicated than that. There is a huge desire for some sort of national ID system and SSNs are the closest we got so they filled the vacuum. It is silly to blame that on the IRS. It is a societal failure.

blackouthead

When exactly has funding EVER been raised for any of those things??

That's one of the biggest political fights in the past century: austerity, cutting public spending, and means-testing the fuck out of every social program the government even still offers. This has been the case since the 80s Reagan-Thatcher years. You can literally look at the budgets of major cities and easily see where the majority of spending goes. Hint: it ain't public schools. Were you not paying attention when people were talking about how much police departments get paid out of the budgets of their cities a couple years back? Have you EVER thought to actually substantiate your beliefs by actually looking up the policies that affect public spending and government budgets?

Is the answer "no"?

And it isn't just a problem with funding, it's a legislative and cultural problem too. But in the short term, without drafting up new laws or changing the culture of society, the best we can do to fix these issues is provide more funding.

jonathanlb

In the private sector, OKRs and KPIs are used to track performance and provide metrics on whether a company is meeting its goals. Boards review these metrics and decide on additional investments based on thorough cost/benefit analyses.

I imagine it's similar in the public sector, where funding is determined by the needs of the public, political considerations, long-term planning, and so on.

blackguardx

What you describe might be out of date. Someone tried to use my identity to file a fake tax return. The IRS caught it and now I get issued a PIN every tax season for kinda-sorta two factor auth.

CrispyKerosene

Troy mentions "data opt-out services. Every person who used some sort of data opt-out service was not present."

Anyone have experience with these sorts of services? A search brings up a lot of scammy looking results. But if services exist to reduce my profile I'd be interested.

JohnMakin

> Anyone have experience with these sorts of services?

Quite a bit. Often if you request removal or opt-out, you'll reappear in a matter of a few months in their system, regardless of whether you use a professional service as a proxy or do it yourself. The data brokers usually go out of their way to be annoying about it and will claim they can't do anything about you showing up in their aggregated sources later on. They'll never tell you what these sources are. A lot of them will share data with each other, stuff that's not public. It's entirely hostile and should be illegal. I am trying to craft a lawsuit angle at the moment but they feel totally unassailable.

I'm extremely skeptical of any services that claim they can guarantee 100% removal after any length of time of longer than 6 months. From my technical viewpoint and experience, it is very much an unsolved problem.

adelie

My understanding is that there's a bit of a catch-22 with data removal: if you request that a data broker remove ALL of your information, it's impossible for them to keep you from reappearing in their sources later on because that would require them to retain your information (so they can filter you out if you appear again).

hedora

I’ve heard this claim, but they could use some sort of Bloom filter or cryptographic hashing to block profiles that contain previously-removed records.

There could also be a shared, trusted opt-out service that accepted information and returned a boolean saying “opt-out” or “opt-in”.

Ideally, it’d return “opt-out” in the no-information case.

hsbauauvhabzb

Sorry, I value my legal rights over the viability of the data broker industry. If they can’t figure out a way to lawfully avoid collecting my data, they should not collect data, period.

laweijfmvo

1. They could be required to store a private copy of the removal requests, data that they can't sell (not ideal)

2. Sounds like "data brokers" that sell private information just shouldn't exist...

wodenokoto

They could store a hash.
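An added example, not code from hedora, laweijfmvo or wodenokoto, of the idea in their three comments: a broker keeps only a keyed hash of the normalized identifying fields from each removal request, so it can suppress a profile that resurfaces without retaining the person's data, and any record it cannot identify defaults to opt-out. The field names, the pepper and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import re
import unicodedata
from typing import Dict, Iterable, List, Optional, Set

# Secret pepper held only by the broker (or a shared opt-out service).
# Constructed value for the example; in production it lives in a key store.
PEPPER = b"constructed-example-pepper-not-for-real-use"

# Assumed field names for the identifying attributes of a profile.
KEY_FIELDS = ("first_name", "last_name", "dob")  # dob as YYYY-MM-DD


def normalize(value: str) -> str:
    """Canonicalize a field so trivial variations hash to the same token."""
    text = unicodedata.normalize("NFKC", value).casefold()
    text = re.sub(r"[^\w\s]", "", text)      # drop punctuation: "O'Brien" -> "obrien"
    return " ".join(text.split())            # collapse inner and outer whitespace


def identity_token(record: Dict[str, str]) -> Optional[str]:
    """Keyed hash of the normalized key fields, or None if any field is missing.

    HMAC with a secret pepper (rather than a bare SHA-256) means a leaked
    suppression list cannot be brute-forced back into names and birth dates.
    """
    parts: List[str] = []
    for field in KEY_FIELDS:
        value = record.get(field)
        if value is None or not value.strip():
            return None
        parts.append(normalize(value))
    material = "\x1f".join(parts).encode("utf-8")   # unit separator: no field-boundary collisions
    return hmac.new(PEPPER, material, hashlib.sha256).hexdigest()


class SuppressionList:
    """Set of opt-out tokens; the underlying PII is never stored.

    A Bloom filter over the same tokens would shrink storage further; its
    false positives only over-suppress, which is the safe direction here.
    """

    def __init__(self, default: str = "opt-in") -> None:
        if default not in ("opt-in", "opt-out"):
            raise ValueError("default must be 'opt-in' or 'opt-out'")
        self._default = default          # answer for identities we hold no token for
        self._tokens: Set[str] = set()

    def record_opt_out(self, record: Dict[str, str]) -> bool:
        """Store the token for a removal request; False if the request is unidentifiable."""
        token = identity_token(record)
        if token is None:
            return False
        self._tokens.add(token)
        return True

    def decision(self, record: Dict[str, str]) -> str:
        """'opt-out' for suppressed or unidentifiable records, else the configured default."""
        token = identity_token(record)
        if token is None or token in self._tokens:
            return "opt-out"
        return self._default

    def filter_profiles(self, profiles: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
        """Drop every incoming profile that resolves to opt-out before it is ingested."""
        return [p for p in profiles if self.decision(p) == "opt-in"]


if __name__ == "__main__":
    # Constructed sample records.
    suppress = SuppressionList()
    suppress.record_opt_out({"first_name": "Jane", "last_name": "O'Brien", "dob": "1980-01-02"})
    incoming = [
        {"first_name": "  jane ", "last_name": "OBRIEN", "dob": "1980-01-02"},   # resurfaced: dropped
        {"first_name": "John", "last_name": "Doe", "dob": "1975-05-05"},          # kept
        {"first_name": "Mystery"},                                                # unidentifiable: dropped
    ]
    print(suppress.filter_profiles(incoming))
```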

lynndotpy

I've had a very bad experience with Liberty Mutual following a data opt-out from another service. They sent me on a runaround, ending with an email saying to follow "this link" to verify myself. (There was no link, only sketch.) I ended up getting a human on a phone through special means, and they sent me a fixed email with a working link.

I should be hearing back from them in the next 32 days, as this was 13 days ago.

dawnerd

I got a quote from them and immediately initiated a data removal request. It seems like it went through, got a link in the email. Thanks for the reminder that I might need to follow up to make sure they followed through.

shadowgovt

It's hard to make collection, aggregation, and sharing of facts illegal.

Not to minimize the harm that can be done by such collections, but the law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

digging

> It's hard to make collection, aggregation, and sharing of facts illegal.

Sure, but the US has a precedent in HIPAA. Not saying it's copy-paste, but... maybe it should be.

I would prefer the law be more restrictive than less, because I don't believe this is true:

> law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

I believe the law may use that noble goal as cover for the actual goal: restrict the ability of capital holders to accumulate capital as little as possible. Data sharing isn't a public good in any way. It's mostly not even useful for the targeting purposes it claims. It's extremely reckless rent-seeking that knowingly allows innocent people to have their lives wrecked by identity theft.

lupire

Europe figured it out.

harimau777

Instead of making it illegal, we could simply make the people who aggregate the data liable for making people whole if the data is misused.

mistrial9

This is true and nothing new. Mass "gray market" personal information services leapt into markets since VISA and Mastercard fifty years ago, and somewhat before that with driving records, in the USA. The "pure land" of democracy in North America was never pure, and the Bad Old Ways have crept into the corners since the beginning.

JohnMakin

The difference now though is an attempt to legislate personal data collection, such as the CCPA. I strongly believe they are violating the law, and that if I opt-out or request removal, an answer of "oh well nuthin we can do" is not acceptable when my data re-appears either on their platform or on another platform they provided data aggregation services to.

fsckboy

>The "pure land" of democracy in North America was never pure

Don't mix your pet grievances together; having full public knowledge of every person in your country is democratizing, frankly, an aid to democracy, not a hindrance. Not saying I want to live in that world, but it's not an impure democracy.

Norway (and others?) already publishes everybody's income statements. Not healthy imo but I guess would aid more accurate snitching (and envious resentment).

paulgerhardt

Consumer Reports just published (as in last week) a report[1] surveying a number of these services and found almost all of them to be a little bit effective, none of them to be highly effective, and the cheapest of the lot to be the most effective (EasyOptOuts).

Of note, opting out of a service by yourself by hand was only 70% effective ($0). Using EasyOptOuts was around 65% effective ($20) and using Confidently was only 6% effective ($120).

[1] https://innovation.consumerreports.org/wp-content/uploads/20...

0x2a

Permission Slip by Consumer Reports (automated):

https://permissionslipcr.com

Simple Opt Out (manual list):

https://simpleoptout.com

SparkyMcUnicorn

I manually did a handful of opt-outs and am not in the list.

spdif899

I use permission slip and I am not in the breach as far as I can tell

eks391

Did you use a grep command? The file is too large for me to open and I have not used grep before to have confidence with it.

Edit: nvm, `findstr /i /r ".000000000." ssn.txt` did the trick in PowerShell, with the zeros replaced with the SSN. Also there is a star after each period that HN has changed to italicize the text instead of showing it.

roughsquare

"Not available in your region" bloody hell.

wongarsu

A lot of the data opt-out services are operated by or have the same owners as data brokers. So at the very least they are selling both the poison and the cure.

jmkni

If you're willing to tempt fate, the best way to 'opt-out' is to tell people, when they call asking to speak to 'your name', that 'your name' sadly passed away recently.

bragr

I knew someone falsely declared dead (probably a paperwork mix-up around pensions when his ex-spouse died). Without warning, he lost all of his pensions, social security, medicare, etc, along with most financial institutions freezing accounts and canceling credit cards. Many long phone calls, letters, and lawyers eventually resolved most of it, but that never fully purged the public and private death records, so there would be random issues for the rest of his life (failing fraud checks, brief interruptions to pensions, trouble with the cable company).

avh02

You'd think something like that would require a death certificate to actually happen

autoexec

I prefer to just never answer a phone call unless I know who is calling and it's someone I know personally and want to speak to. Even then, those people know I'd rather they text anyway so when they do call it's more likely to be really important.

actionfromafar

I have tried that, with a particular caller. They always call back.

rolph

That sounds very traumatizing. Next, explain that you have filed for injunctive relief from emotional duress due to actions of defendant and can't speak any further as instructed by legal counsel.

j-bos

Could cause you to be listed as deceased in some database sending your life into a Kafka story.

lupire

"How do you know he's dead?"

"I called him on the phone and he told me!"

dawnerd

Data brokers don’t care. Whoever calls you will move on but that’s it.

laweijfmvo

I have used (free trials) and currently use (discounted annual) a service called incogni. It's hard to really verify what's going on, but they at least show the brokers they are contacting on your behalf, and I've directly received confirmations from some.

Anecdotally, searching my name on Google pretty much no longer returns those scummy "People Finder" pages that just scrape any public records they can find.

That said, I hope incogni is happy enough with my money that they themselves don't do anything scummy.

Also, freeze your credit at the big three. Do it now.

0x2a

And turn on the Global Privacy Control header in your browser:

https://globalprivacycontrol.org

zikduruqe

In the past I have just searched for my own name. And when I found a match, I would go to that site and request to be removed. It is a lot of work, but thus far it has been successful.

And I say this because I was on a TV show years ago, so my real name is all over the internet from an entertainment point of view. But if you search my real name, there are few to none pointing back to "public record" websites and such.

silisili

Many seem scammy, and I went through the search before and gave up.

Then, as fate would have it, a HNer(tjames7000) mentioned he made EasyOptOuts for this reason, so I signed up. Cheap, seems effective, absolutely no complaints.

johnnyballgame

Extreme Privacy by Michael Bazzell is a great resource to learn how to limit exposure to these aggregator services.

https://inteltechniques.com/book7.html

blackeyeblitzar

It is crazy to me that data brokers are even a legal form of business. All of these services should be opt in at minimum. If they are obtaining publicly available information and making it easier to access, they should have to maintain insurance or a deposit with the government to compensate victims of cybersecurity incidents. Telling people to get credit monitoring is in NO WAY an acceptable way to make us whole. They need to pay for a lifetime of monitoring and INSURANCE up to the net worth of affected individuals. This needs to become law ASAP.

SteveNuts

We're two decades into "The Digital Millennium" and our laws are still stuck in 1999 (except for the ones that ya know, allow dragnet spying).

I'd wholeheartedly support any candidates that push for a data/privacy "Bill of rights".

acdha

I’m optimistic for Harris, not just because she’s so much younger and less beholden to industry, but because she created an entire unit for privacy protection when she was the California AG:

https://oag.ca.gov/news/press-releases/attorney-general-kama...

krageon

There has never been a US president that had anything close to ethical behaviour (to wit: the ones that existed after drone strikes became a thing all signed off on drone strikes. Those hit a lot of innocent people. The US has never stopped having slavery. I could go on). It is really the height of fanciful thinking to believe that the flavour of the month US leader will be any different.

themaninthedark

Good news, the Fifth Circuit court just ruled that Geo-fenced warrants are illegal!

https://arstechnica.com/tech-policy/2024/08/5th-circuit-rule...

Since this is in conflict with a Fourth Circuit ruling, we will probably see it in front of the Supreme Court.

_moof

> It is crazy to me that data brokers are even a legal form of business.

Ah, yes, but they're businesses, you see - the most important class of entity in America. We the people can evidently go fuck ourselves if it means some scumbag gets to make a buck.

datadrivenangel

"there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct."

Seems like Troy is skeptical about this being a real full breach?

fullspectrumdev

A lot of these data brokers hold wildly inaccurate information.

LeifCarrotson

You too can be a data broker!

    for (i = 0; i < 900000000; i++)
        insert(first: random_firstname(), last: random_lastname(), ssn: i);

Does anyone really really care if the name is accurate if the SSN is present? More than half of the SSNs in the above dataset are valid.

ryanisnan

You probably are posting this as a joke, but without a clear technical solution to this problem, flooding the industry with bullshit data seems like a great avenue.

calvinmorrison

In fact there are far fewer valid Socials. They follow a system where guessing a number of digits is fairly determined based on year and state of birth

LorenPechtel

Yes, but they can also be pretty accurate.

While I have never dealt with one of the paid services someone ran one on me as an example of what is out there (nothing malicious about it) and just about everything on it was accurate or close to it. Only one thing on it wasn't at least pretty close to the truth--it had me living in a state I've never set foot in. And quite a few other people seemed to have the same address at one point or another.

michaelt

I'm in the UK so I have no Social Security Number, and I still got the HIBP e-mail.

When I looked into it, it turns out the "original" breach is comprised of files named ssn.txt and ssn2.txt which only contain Americans' details, and doesn't contain any e-mail addresses.

It seems what happened is there was one leak of US SSNs which the leakers attributed to NPD, then some people bundled that leak up with a bunch of other data (including e-mail addresses and details of non-Americans), and who knows if the latter data actually came from NPD?

Dalewyn

> the data next to your record may not even be correct."

American Express by way of Experian alerted me to my SSN having been leaked precisely by this incident.

The number was seemingly correct, but everything else associated with it such as name and address were nonsense.

So assuming we're talking about the same thing... can confirm?

throwup238

I don't think it's a "full" breach because I assume that would include many tera/petabytes of original source documents rather than just a CSV of PII, but it's definitely a real breach.

I looked up several family members and although most of the phone numbers and addresses were out of date, they were accurate as were the listed social security numbers. However, it didn't include any of the more recent immigrants in the family or myself, possibly because I take opsec seriously.

Funny enough it looks like it has data for Tom Brady, former FBI director James Comey, Barack Obama, and Donald Trump (just some of the names that popped into my mind to look up).

EvanAnderson

For years I've said the entire SSN database just needs to be published alongside legislation strictly assigning liability to any company that is defrauded as a result of using the SSN as a "secret". That would fix the problem with SSNs and "identity theft" quickly.

Part 1 has been accomplished. Let's get part 2 going!

Aside: It amazes me how the American public has allowed defrauded companies to assign the company's loss as a liability to innocent individuals (in the form of "identity theft"). It would be great if we could get that changed in the minds of the public. A well-informed public could collectively turn "identity theft" into the "bank's problem" (from the old adage "If you owe the bank a billion dollars they have a problem..."). The insurance industry would swoop in as the defrauded parties start making claims and shoddy security practices would get tightened-up.

(Edit: I fear insurance companies coming in to "fix this" to some extent-- citing my experiences with PCI DSS compliance auditing and Customers who have had 'cyber insurance' policies coming with ridiculous security theatre requirements. Maybe we can end up with something like a 'cyber' Underwriters Labs in the end.)

(Also: Yikes! I hate that I just typed 'cyber' un-ironically.)

janalsncm

Identity theft is a very clever term to shift blame from the company to the consumer.

https://youtu.be/CS9ptA3Ya9E

It’s a comedy bit but I take its point seriously: if the bank gives away money, it’s the bank’s job to make sure it is repaid. Not mine, unless I was actually a party to the agreement.

Eji1700

Well then you're up against the wall of digital verification.

I know there's a fuck load of situations where the banks are 100% screwing the customer to their benefit, but there's a legit conversation about people who give out their passwords, or claim they did, when money gets wiped out.

If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Now granted:

1. With passkeys and biometrics and 2FA we've got a lot of better ways to make these accounts secure, and hopefully more idiot proof. I'm hoping we start getting rid of email/phone for 2FA as a valid option though.

2. The moment the police are treating it as an identity theft case, the bank should be required to pony up. I don't know if that's the case (and wouldn't be surprised if they fight it tooth and nail), but at that point you have a state or federal entity acknowledging this is not a legit transaction, and therefore you should be compensated by the bank, and they can get their money back from the insurance companies that insure against this kind of thing.

autoexec

> If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Our current system is entirely built on ridiculous levels of trust, mostly for convenience / cost saving reasons. I've made payments over the phone with nothing more than the information found on the bottom of every check I've ever sent. I routinely hand my credit card to waitstaff making 7.25 an hour and in that moment I'm handing every last one of them the ability to snap a photo of my card on their phones and go on a shopping spree at my expense.

As insane as our system is, it's mostly worked. Even though I've been made to pass around my account info countless times, I've never once had my accounts cleaned out. If a single mother with less than 1k in her account gets robbed, I have a hard time blaming her. She had zero say in the design of this system, and she's the person least able to deal with the cost of the consequences of it.

On the other hand, I have very little problem putting the blame on the banks which do control much of the system and who can more than afford to cover the costs of such incidents. This puts a small amount of financial pressure on them to improve the systems they've created and forced the rest of us to use in order to participate in society.

There are all kinds of things they could be doing to reduce fraud, but they don't. Mostly for convenience / cost saving reasons. I consider their refusal to take even simple steps to improve the security of their systems as their implied consent to continue accepting the responsibility for the still rare instances where criminals take advantage of their inaction.

coder543

The Google Authenticator app (just as a mainstream example) was released 14 years ago. When we're still waiting for a lot of banks to even support TOTP, consider me unimpressed with the level of effort banks are putting into securing my accounts.

GoblinSlayer

>Well then you're up against the wall of digital verification.

That's the whole point: they should use a standardized authentication process. The problem is that they don't use any authentication at all. They just give money away because they can extort it back from the unsuspecting victim like some gangsters.

pests

How do you feel about the recent case where a caretaker for a disabled person, who was given permission and access to use the person's cards, banking app, etc, ended up stealing from the person? The bank's response: they had given the caretaker access, so it was their fault.

Even if you have all the passwords and bioinformatics, passkeys, 2FA, etc - how can you prevent theft like this?

lupire

Banks should get insurance to cover their negligence. They weren't careful.

sorokod

The obligatory Mitchell & Webb sketch

https://m.youtube.com/watch?v=CS9ptA3Ya9E

EvanAnderson

YES!

I couldn't remember their names and absolutely was thinking of this.

dredmorbius

It's not even necessary to publish the database. Pass a law, or even possibly a regulation or court instruction, that SSN is not a sufficient basis to establish identity, and that any unauthorised financial transaction, legal document, commercial transaction, or other use relying on SSN is considered prima facie uninsurable fraud.

Use would likely diminish markedly.

al_borland

Ever since the Equifax breach I’ve been a proponent of a new national ID program to replace the SSN, one that can be designed for what the SSN has become and is tolerant of these never-ending data breaches.

Maybe this will give a second chance at a conversation around that, but I’m not too hopeful.

kube-system

US law does generally make fraud the bank's problem. Identity theft isn't a loophole in this; it is a situation in which there is a logical ambiguity in differentiating one fraud from another. If they just believed everyone who said "it wasn't me that spent that money!" that would just be opening another vulnerability.

EvanAnderson

I think we've got liability pretty well buttoned-up in the banking industry. I'm more concerned about the non-bank businesses. (I recently obtained utilities at a new house. All three utilities-- electrical, gas, and water/sewer-- use my SSN as an authenticator for my account. In 2024.)

kube-system

It isn't great, but I don't think there's much risk there. There's not really much of a motivation for some random person to get into my utility account. The balance is never positive. Utilities are physically bolted to my house. They're pretty heavily regulated too. If someone wanted to steal electricity from my house, they can use the outlet on my patio that has zero authentication whatsoever.

meowster

When I obtained utilities for my house, none of them required my SSN. The water company asked, but I declined, so they asked for a fax of my DL (which I could have probably photoshopped, but didn't).

Just because people ask for something doesn't mean you have to give it to them. I leave fields blank all the time on different (paper) forms (including when they ask for SSN); virtually no one hassles me.

GoblinSlayer

I maintain my utilities account by email.

h_tbob

As crazy as it is… kinda smart lol


quantumfissure

For non-Americans (and Americans) that don't quite understand what SSN is and why it's a problem, CGP Grey [1] has a great (and short) video about the history and why it's not technically an identifier, but has become one.

[1] https://www.youtube.com/watch?v=Erp8IAUouus

aryonoco

It's so interesting how Australia went the other way and actually banned the use of any government-issued ID number as a primary identifier by any organisation other than the government department which issued that ID number.

In the 80s, the very popular Aussie prime minister Bob Hawke wanted to introduce a National ID card, complete with a unique number, that would then be used for everything from Medicare to tax filing. The government, however, did not have the numbers to pass it through the Senate. Hawke called a double dissolution (dissolving both lower and upper houses of parliament) over the issue. He was returned to power after the election but still without a majority to get the bill through.

There were then attempts to use "other" government issued ID cards like the Medicare number, for this purpose. To prevent this, a few years later, a bill was passed that would prevent any such use.

In reality, this means businesses can ask for government-issued numbers, but it has to be optional and voluntary, and never used as a primary ID. When I go to my doctor, for example, I can provide them with my Medicare number, in which case they will claim the Medicare rebate on my behalf automatically, or I can refuse to provide them this number, pay the doctor's fee in full, and claim the rebate from Medicare myself separately. Similarly, I can provide my bank with my tax file number, in which case they will automatically tax my interest earned according to my income band. Or I can not provide them my tax file number, in which case they'll tax my interest at the highest income band, and I can then get the money back from the tax office when I file my tax return at the end of the year.

In Australia we don't have a Bill of Rights. We don't even have a right to freedom of speech. The police can ask us to unlock our phones without a warrant; etc etc. Yet when it comes to privacy, our laws are very clear. For a country with such a history of protecting individual liberties, it always amazes me that the United States takes such a laissez faire approach to privacy.

bobnamob

Shorten announced details yesterday of another attempt at an Australian digital id that actually seems informed by Optus and Medibank

https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...

acchow

Not only an identifier, many places use it as a secret.

chii

Plenty of places also use mother's maiden name as a password/secret too.

beretguy

DBA at my previous job wanted to use SSN as a primary key. I felt like I’m talking to a child trying to convince him not to do that.

cbsmith

Which is dumb.

Aeolun

One could argue criminal.

Feel like it’s kinda like my bank using my email as the password or something.

fragmede

The video doesn't quite get into the problem of identity theft, which is when someone uses your stolen creds to claim they are you, and then goes on a shopping spree which may include buying a car under your name. You shouldn't be liable for debts incurred after having your identity stolen, but proving that is a lot of work.

sangnoir

> You shouldn't be liable for debts incurred after having your identity stolen but proving that is a lot of work.

The first step is to call it what it is: fraud by misrepresentation. The owner wasn't deprived of access to their identity (a key component of theft); they weren't even involved in the transaction. Companies want to have their cake and eat it: have low barriers to making sales/offering loans without rigorously verifying the identity of the person benefiting, and be shielded from losses when their low-friction onboarding lets in fraudsters.

If a home buyer is duped into transferring a deposit into a fraudster's account, they don't blame it on corporate "identity theft" and put the escrow agent on the hook by default.

adamomada

I never really understood why the onus is on any person to prove they didn’t do something. Shouldn’t the shaggy defence be sufficient?

e.g. You get hauled into court for a lawsuit demanding the loan repayment, for a loan someone else used your name to get?

- It wasn’t me.

https://en.wikipedia.org/wiki/Shaggy_defense

jandrese

The reason the Shaggy defense doesn't work is the default assumption of the courts is that you're a deadbeat trying to game the system. This assumption comes about because in the majority of cases it is the truth. The system would be a lot nicer if there weren't people trying to scam it every hour of every day of the week.

kube-system

When someone named adamomada comes to the bank for a loan, the presumption is that adamomada will repay the loan.

If they knew it wasn't you, they wouldn't have written the loan in the first place. They're asking you to repay it because they really do think it was you.

If "it wasn't me" was all anyone had to do to get out of paying a loan, many people would do it.

enlyth

Is that even a Shaggy defense? The whole point of the Shaggy defense was that it's saying it wasn't you despite overwhelming evidence ("She even caught me on camera - it wasn't me")

But in this scenario, there is basically zero evidence it was you

acchow

"Identity Fraud" is institutionalized victim blaming. The claim is that the person whose identity was stolen was defrauded (and they should protect themselves or fight back), but in reality it was the creditor that got defrauded.


CivBase

"Identity theft" is just fraud, rephrased to make us the victims instead of the defrauded companies.

That's why SSNs are still such a big deal. Why fix the problem when you can just make it someone else's problem?

krackers

As brilliantly satirized by the Mitchell & Webb sketch https://www.youtube.com/watch?v=CS9ptA3Ya9E

freehorse

In many other places SSNs are non-sensitive data. There is not much one can do just knowing an SSN. Usually one has to do some kind of verification (e.g. using some sort of authentication app, if online). Which is why it is so confusing.

sudo_bang_bang

It’s both a username and a password

left-struck

> The problem with verifying breaches sourced from data aggregators is that nobody willingly - knowingly - provides their data to them

This is a bit of a tangent, but I feel like if we can prove this statement then these data aggregators should be made illegal. How can you consent to something that you don’t know you’re consenting to? Likewise, why do these entities have the right to collect detailed personal information like SSN without your explicit, beyond-reasonable-doubt consent? To me this is the most obvious failure of the legal system; it clearly goes against the well-established legal principle that a basic requirement of an agreement is that all parties know what they are agreeing to.

Obviously there is some leeway with agreements where it’s not possible to clarify every eventuality, but let's say you’re applying to rent a place through an online form and that form shares your SSN with a data aggregator: it should be extremely clear about that, and possible to opt out while still allowing you to complete the rental application without discrimination.

It’s like, it should be possible to show that no one, within reason, consented to sharing their data with this aggregator, because no one is able to confirm that they did. Sure, one person could forget, or lie, but hundreds of millions of people? No. Clearly almost zero people knowingly consent.

Hnrobert42

I have been using a different site@mydomain email address for every service I've used for the past 15 years. I can point to exactly which site breach furnished my email address to the aggregators.

al_borland

Care to call out some bad actors so others know to avoid business with them?

I recently started using unique emails for everything I sign up for. Thankfully I haven’t seen anything yet, but I have little hope it will stay that way.

klabb3

I second this request of releasing the results of this “digital tracer dye” experiment. If their respect for your personal data is that low, they deserve to be named and shamed. And more.

Hnrobert42

Surprisingly, there aren't that many. When I started, I thought I would catch my email address being resold. The only reseller has been Democrat politicians or funding sites like Go Blue. The other one is Engagez, which is some kind of tech vendor expo I signed up for with some meetup event.

The most widely spread breached address is LinkedIn by a wide margin. Houzz is second. Zynga, Imgur are also in contention.

When I started getting porn spam from the Diver's Alert Network, I alerted them to a breach. They misunderstood and just told me how to change my password.

The most annoying thing is that I found my personal robert@ email address in HIBP under the Evite breach. I so jealously guard my personal address. A well-meaning friend invited me to something with Evite. And that's all it took.


left-struck

I like email forwarding services, like DDG, Mozilla’s Relay, iCloud’s Hide My Email and SimpleLogin. Unique password and email address for every website, plus, like you said, if your unique email shows up somewhere it’s a smoking gun.
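The "tracer dye" technique from Hnrobert42's and left-struck's comments, as an added example that is not part of the thread: every service gets its own tag@mydomain address, and mail arriving at a tag from a sender domain that service never uses is the smoking gun that the address was resold or breached. The domain name, the tag registry and the sample headers below are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed: the domain you own and hand out one per-service address from.
MY_DOMAIN = "mydomain.example"

# Assumed registry: which sender domains each tagged address legitimately expects.
# Subdomains of an expected domain (e.g. mail.linkedin.com) are accepted too.
EXPECTED_SENDERS = {
    "linkedin": {"linkedin.com"},
    "houzz": {"houzz.com"},
    "evite": {"evite.com"},
}

# Constructed sample (From, To) header pairs, not real mail.
SAMPLE_MESSAGES = [
    ("LinkedIn <messages-noreply@linkedin.com>", "linkedin@mydomain.example"),
    ("Promo Desk <deals@cheap-pills.example>", "linkedin@mydomain.example"),
    ("Houzz <noreply@mail.houzz.com>", "houzz@mydomain.example"),
    ("Unknown <x@spammer.example>", "houzz@mydomain.example"),
    ("Evite <invites@evite.com>", "evite@mydomain.example"),
    ("Someone <a@b.example>", "friend@other.example"),  # not our domain, ignored
]


def tag_of(address):
    """Return the service tag (local part) if the address is one of ours, else None."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    return local.lower() if domain.lower() == MY_DOMAIN else None


def sender_domain(address):
    """Extract the bare domain from a From: header value."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_expected(domain, expected):
    """True if domain is one of the expected domains or a subdomain of one."""
    return any(domain == e or domain.endswith("." + e) for e in expected)


def find_leaked_tags(messages):
    """Map each tagged address that received off-service mail to the offending sender domains."""
    leaked = {}
    for from_hdr, to_hdr in messages:
        tag = tag_of(to_hdr)
        if tag is None or tag not in EXPECTED_SENDERS:
            continue
        dom = sender_domain(from_hdr)
        if not is_expected(dom, EXPECTED_SENDERS[tag]):
            leaked.setdefault(tag, set()).add(dom)
    return {t: sorted(d) for t, d in leaked.items()}
```

Running it over a real mailbox export is a matter of feeding `(From, To)` pairs from the parsed messages; the tags it reports are the services whose copy of your address has escaped.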


araes

I was wondering why Google suddenly turned on "prompt authentication" on zero-security feature accounts yesterday. Now I "must" have a phone nearby to use Gmail... Tap to authenticate every time you want to look at ... ad spam.

With this, Ticketmaster, and the CDK Global car theft, is there anybody on Earth who doesn't need data protection? Poor people in Somalia need data breach notices. People who are not even on the WWW need data breach notices...


hn72774

Anything the average SSN holder should be doing proactively?

NineStarPoint

You could freeze your credit, if you wanted to be careful. Realistically though, you should have already been monitoring to check if unexpected things were being done in your name. I’ve presumed that all our SSNs have been out there for years now due to one hack or another; that this hack just makes it indisputable doesn't change much.

tmountain

What's required to freeze/unfreeze your credit? Your SSN and address info? All of that is in the breach for millions of people.

gosub100

Just like a lock on the door, it raises the barrier to a non-trivial level. It does not give you a Fort Knox level impenetrable fortress.

I recently froze my credit with the big 3 and it was easier than I pictured. I don't know if they slow you down if you try to unfreeze it immediately after clicking "forgot password".

mherkender

Freeze your credit with the three major credit agencies. Set up an IRS pin.


Inside the "3 billion people" national public data breach - Hacker News