Was Your SSN Hacked? (Probably.)
Posted August 19, 2024
Chris Campbell
A massive data breach has left basically EVERYBODY vulnerable.
If it wasn’t already…
Chances are, your Social Security number is now sitting on the Dark Web.
It’s pretty urgent, so let’s cut to the chase.
We’re going to go through the BEST way to deal with this situation - from snout to tail.
First, we’re not sure why this isn’t bigger news.
Here’s what happened:
A hacking group called "US DOD" managed to break into the systems of a company called National Public Data.
These types of hacks happen all the time, but this one’s especially concerning.
National Public Data handles background checks - you know, the kind of checks that require all your sensitive information.
So we're not just talking about names and email addresses here. This breach exposed Social Security numbers, previous addresses, and even those security questions banks ask you when you forget your password.
You know, the ones like "What was the name of your first pet?" Yeah, those.
Bad news, because now hackers can link your SSN with your old addresses. Often, this is how identity is authenticated.
The scale of this breach is mind-boggling.
We're talking about the personal records of nearly 3 billion people potentially exposed. Yes, you read that right - billion with a 'B'.
This digital heist reportedly went down in April, and now there's even a class action lawsuit filed in a Florida federal court.
Nothing is Safe
Now, you might be wondering, "How do I know if I'm one of the unlucky 3 billion?"
Some people will wait for confirmation.
Don’t.
Assume the worst and take action.
So what can we do? The usual steps - credit monitoring, freezing your credit, and keeping a watchful eye on your accounts.
Tutorial: How to place or lift a security freeze on your credit report
That’s the first step.
Also, there’s this: Create an official Social Security account (before a hacker beats you to it).
Here’s the official link:
https://www.ssa.gov/personal-record/update-contact-information
On that link, you’ll be prompted to create an account with Login.gov.
There’s a specific way to set it up so you KNOW it’s secure.
Read This First
If you want the highest possible level of security, consider this:
During the account creation process, you'll be prompted to set up authentication methods.
These methods will determine who is able to access your account.
The page will look like this:
Some of these methods are FAR better than others.
- Security key (High)
- Government employee ID (Meh)
- Authentication app (Medium-High)
- Text or voice message (Low)
- Backup codes (High, depending)
The bolded are the ones I personally would choose.
Here’s why:
The top choice is using a hardware security key like a Yubikey. It's practically unbeatable when it comes to protecting against phishing and account takeovers. Plus, you don't have to worry about SIM swapping attacks.
If you have a security key on hand, then definitely go with this option. (It’s worth getting security keys. Only get them from Yubikey’s official website: Yubico.com.)
I’ve written a separate Yubikey tutorial here with everything you need to know.
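Why a security key holds up against phishing, as an added example (not from the original post and not any site's real code): the browser and key bind every login response to the site that asked for it, and the real site rejects anything bound elsewhere. This Python sketch shows only those binding checks from the WebAuthn standard that security keys use. The host names, challenge, and `simulated_key_response` helper are constructed placeholders, and signature verification is assumed to happen separately.

```python
import base64
import hashlib
import json

# Assumed relying-party values (placeholders, not any real site's configuration).
RP_ID = "login.example.gov"
EXPECTED_ORIGIN = "https://login.example.gov"

def b64url(data):
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return the names of failed binding checks; an empty list means all passed.
    Signature verification against the registered public key is a separate step."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(issued_challenge):
        failures.append("challenge")  # stale or replayed response
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")  # browser reported a different site
    if len(authenticator_data) < 37:  # 32-byte hash + flags + 4-byte counter
        return failures + ["authenticator_data_length"]
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rp_id_hash")  # key was answering for another site
    if not authenticator_data[32] & 0x01:  # bit 0 = user present (key touched)
        failures.append("user_present")
    return failures

def simulated_key_response(browser_origin, challenge):
    """Constructed stand-in for browser plus key. Simplification: the RP ID is
    taken to be the origin's host name."""
    host = browser_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    for origin in (EXPECTED_ORIGIN, "https://login.example-gov.test"):
        print(origin, check_assertion(*simulated_key_response(origin, challenge), challenge))
```

A six-digit code from a text message or an app carries no such binding, which is why it can be typed into a look-alike page and a key response cannot be reused there.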
Backup codes are the fallback option. Just make sure you store them somewhere safe offline. Best practice is to write them down and keep them somewhere safe - ideally more than one place.
Authentication apps like Google Authenticator are pretty good too. They're more secure than text messages and aren't vulnerable to popular phone hijacking methods like “SIM swapping”. (More on that in one second.)
Just remember to keep your phone locked down with a strong passcode. (Also, back up your authenticator codes in case you lose your phone.)
Tutorial: How to Back Up Your Authenticator 2FA Codes
Why Avoid Text (If You Can)
Text or voice messages? For most people, they're the LEAST secure option.
Only use them if you absolutely have to. They're vulnerable to SIM swapping, which can be a real headache.
SIM swapping is when a scammer convinces your mobile carrier to transfer your phone number to a new phone they control.
It's a sneaky and dangerous form of identity theft that can have serious consequences, especially when it comes to account security.
Since most people use text verification for their accounts, it can be highly lucrative.
Hackers are getting VERY savvy with this method. If you become a target, chances are they’ll find a way to take over your phone.
In fact…
Hackers have been known to have connections within mobile companies who authorize SIM swaps for them.
It sucks that mobile carriers don’t have a better system for this. Maybe that will change with this breach.
But it has happened in the past - and will probably keep happening.
The key takeaway here is to use the strongest methods available to you.
Combine a hardware key with backup codes for the best security. If that's not possible, go for an authentication app. Whatever you do, steer clear of text messages if you can.