Today, Explained - Hackers probably stole your Social Security number
Episode Date: August 27, 2024
Vox’s Adam Clark Estes explains why that might be a good thing. This episode was produced by Miles Bryan, edited by Matt Collette, fact-checked by Laura Bullard, engineered by Patrick Boyd and Andrea Kristinsdottir, and hosted by Sean Rameswaram. Photo via Smith Collection/Gado/Getty Images. Transcript at vox.com/today-explained-podcast
Transcript
Recently, Vox's senior tech correspondent, Adam Clark Estes, got some bad news from his telephone.
I got an alert from my bank, which is Chase, and the message said,
your social security number has allegedly been compromised.
Allegedly was a word that I really held on to, as hope that maybe it wasn't true,
but then I found out there was a lawsuit about a huge data breach.
It comes from what may be the worst data breach ever, one reportedly that's resulted in the theft
of the social security numbers of every American. A couple weeks ago, it was confirmed me and a few
hundred million other Americans got their social security numbers stolen. But Adam didn't just
panic. He took action. He protected his information.
And on Today Explained, he's going to teach you how to do the same.
And he's going to argue, believe it or not, that this massive data breach is actually a good thing.
Today, Explained. Sean Rameswaram.
I've gotten spammy messages warning me that my information has been stolen.
You've gotten them too.
Adam Clark Estes recently got one that was real.
It's true.
We're always getting notified that our data is out there, that we're using a compromised password.
And there are so many of these alerts, we kind of stop paying attention to it.
Data breaches happen all the time.
I've been covering this space for over a decade, and I write about a big data breach maybe once a year.
So my first thought was like, OK, this is another one of those.
Every once in a while, they are a big deal.
You might remember Equifax.
The major credit bureau was compromised a few years ago, and that led to everybody's information getting out there.
Financial and cyber experts warn the Equifax hack has the potential to haunt Americans for decades.
But most of the time, it's kind of small time stuff. Your email might get leaked,
some personal information, maybe your address. And that might lead to spammers spamming you more
because they have your info. Your passwords might get out.
And that might mean that somebody in the Philippines has your Netflix login and is watching movies.
That happened to me once.
Really?
It did, yeah.
What did they watch?
House of Cards.
It was.
It's still a popular show.
Okay, but this wasn't an email or a notification about your Netflix password.
This was about your social security number.
How did your social security number and that of hundreds of millions of other people get compromised?
The short answer is we don't know and we might never know.
But for the long answer, I want to zoom out a second and talk about the data brokerage industry.
There's a whole industry that buys and sells your data.
Sometimes this is data that you've voluntarily given up.
Sometimes it's data that's been stolen.
You can kind of think of it as like a market where instead of produce, they're trading your information and sometimes social security number.
But in any case, there's lots of data about us floating around all the time.
And pretty much anyone can get that data if they have money.
Sometimes it's being sold out in the open and legit spaces.
Sometimes it's in the dark web
and sometimes it's for nefarious purposes like spamming you or
scamming you. And sometimes it's legitimate purposes. Like if you have a business
and you want to sell people background checks,
you would need data for that.
So what happened in this case?
Do we know?
We don't know exactly what happened,
but I can tell you what we do know.
And this is based on what some security researchers
have figured out and some details from that lawsuit.
So the breach happened due to a company
called National Public Data getting hacked.
And what we know about National Public Data,
it's a small company that sells background checks,
and it's run by a former sheriff's deputy, actor, and reality TV star named Salvatore Verini.
Hey, what's up, Sal?
What's going on, Big Mike?
Nothing much, man. What are you up to?
Nothing. How are you doing?
Hey, man, I got to tell you something.
I got a video.
I got 100% proof the Earth is flat.
You got to take a look at this.
Sal! Sal!
Mike is what they call a flat earther.
And, well, they think that the Earth is actually flat.
It doesn't seem like it's a very sophisticated operation.
They happen to get a lot of data,
and they weren't protecting it very well.
We know now that the password to break into their database was actually hidden in plain text in another website that was also owned by Sal.
So somebody broke in, stole all the data. about this hack earlier this year when on hacker forums, a known cyber criminal called USDOD
started talking about a huge database of social security numbers.
USDOD is a hilarious name for a hacker.
USDOD claimed they stole 2.9 billion records of personal data,
and were trying to sell them for $3.5 million.
But this hacker, they couldn't sell it.
And eventually somebody got a hold of it
and just posted it in a forum
and it's been floating around.
But earlier this month,
that lawsuit I mentioned was filed
and then National Public Data,
I think it was probably Sal himself,
admitted they'd been hacked.
In a statement on their website,
NPD acknowledges the breach and says,
we cooperated with law enforcement
and governmental investigators
and have implemented additional security measures.
This just sounds like, I don't know, like a Sopranos subplot.
Some guy named Sal, I'm assuming he's in New Jersey somewhere,
somehow compromises 270 million American social security numbers.
You're supposed to push Webistics.
Webistics is our pick of the week.
This is like supposed to be your most prized personal information.
How is this happening?
I know you just told us, but how is it not more secure?
Well, Sal's in Florida.
You're right to be kind of upset or surprised by this.
But first of all, social security numbers are not a super secure thing.
It's literally nine digits.
It's a number that you know and you're not supposed to tell other people about unless the right person asks you.
And then you have to trust that they're not going to tell anybody else about it.
You know, if you put it in a website, they put the little asterisk over it.
When you put in the number, that's how you know it's secure.
I got a question for you real quick, Adam. What's your social security
number? I almost did it. I almost told you. This is the number that we use to prove our identity.
And it's not a great system, but it's the system we've got. And sometimes you type it into a
legitimate bank website and they protect that data. And sometimes you type it into something that looks like your bank's website.
But in fact, you clicked on a link in a text message or email and you got phished.
And now your social security number is in the hands of hackers and probably being bought and sold on the dark web.
And how big a deal is it if your social security number is being bought and sold by hackers on the dark web?
How big a deal is this hack?
There are two questions there.
One is, how big of a deal is it if your social security number is out there?
Two, how big of a deal is this hack?
If your social security number is in the hands of a hacker, it can be a big deal.
They can use that to steal your identity, and that can be a real pain.
In terms of how big of a deal it is, it's huge.
I mean, in terms of scale, we're talking about not just hundreds of millions of people, but nearly 3 billion records were in this database that was stolen.
That doesn't mean 3 billion people were impacted.
That would be almost half the world's population.
But we do know that 272 million American social security numbers are in there, at least.
But I asked this question to a lot of data security experts, and what they told me was
really interesting.
They said it's bad and it's big, but a lot of this info was already out there.
They said a lot of these social security numbers actually belong to people that are deceased.
Oh.
One security researcher I talked to actually found himself in the breach and basically said that all of the information about him was either incorrect or outdated.
Nevertheless, it's a lot of information.
It's out there and it's not going anywhere.
The implication here is that this isn't the first time.
It won't be the last time.
Why does this keep happening, Adam?
Data breaches keep happening for a lot of converging reasons.
First of all, hackers are good at hacking.
They keep getting better.
As much as we try to protect our information in different ways, they figure it out and they hack.
It's what they do.
There's also a ton of data about us floating around online. And there aren't really rules for companies who are trading this data. There aren't rules for them to protect it. There aren't privacy rules for consumers. And the data industry is largely unregulated.
that. I mean, you know, as recently as a few minutes ago, I asked you for your social security
number. And of course, it's a crazy thing to ask someone. And yet online, it's just like,
there's free for all. Why aren't we doing a better job of protecting this information?
The internet has historically been lightly regulated or completely unregulated in some
spaces. The thinking here is that we have this powerful new communications technology.
So if we regulate it, we might limit its potential, namely its business potential.
Written before Facebook or Google were invented, Section 230 says in just 26 words
that internet platforms are not liable for what their users post.
But in the past couple of decades, there's been an increasingly loud chorus of people
that say we need better data privacy laws.
You might remember around 2010,
Mark Zuckerberg started talking about
how it was the end of privacy online,
how it was no longer a social norm.
People have really gotten comfortable
not only sharing more information and different kinds,
but more openly with more people.
And that social norm is just something that's evolved over time.
He got roasted for that at the time, but in some ways he was right.
We've been losing privacy online as we've been using the Internet more and more
because there's been nothing to keep companies from gathering data about us
and using that in various ways or selling it.
There have been a lot of attempts at a
comprehensive consumer privacy legislation. We've identified some basic principles to both protect
personal privacy and ensure that industry can keep innovating. Some states like California
have their own laws. Europe has historically been better at protecting its citizens' privacy. But in the U.S.,
these bills come up and they never seem to make it to law. So right now, we don't actually have a
national right to data privacy. Okay, so in the meantime, your information may be out there,
and it may stay out there or it may one day soon
get out there. It all sounds kind of rough for our information, but you wrote an article for our
homepage, Vox.com, called The Massive Social Security Number Breach is Actually a Good Thing,
which is a very provocative headline.
How is this a good thing and for whom?
Well, the fact that I got an alert from my bank and ignored it, but then went back and said,
oh, no, I've got to do something about this is good.
If only because I'm not the only person who had that reaction.
I've been hearing from my friends.
I think that I've been hacked. What do I do? And there is something to do. And I think a lot of people
are going to do it. Okay, what you have to do with Adam when we're back on Today Explained.
Today Explained is back with Adam Clark Estes from Vox.com.
And Adam, you wrote this thing that said that this whole social security number breach was actually a good thing.
You had friends texting you, calling you, asking what to do.
And you actually had an answer for them.
What is it?
Freeze your credit files.
What killed the dinosaurs?
The Ice Age!
Freeze your credit files. There are three major credit bureaus, Equifax, Experian, and TransUnion.
You can go to their websites and you can freeze your credit files. And that is going to stop
other people from opening accounts in your name. What does that even mean? I mean, I've heard that
before. I've certainly never done it. But what exactly does
that entail, freezing your credit files? Does that mean if I want to, like, I don't know,
apply for a car loan, I can't do it anymore? So basically, what those three major credit
bureaus do is they track everything about your financial life, who you have accounts with,
how much you owe to whomever. They're the ones that issue credit reports.
And if you want to get a car loan, the bank or whoever you're getting that loan from will want
to see your credit report to prove that you are who you are and you're a good person to
give a loan to. But when you freeze your credit files with those bureaus,
they basically won't let anybody else get access to that report. So that means you can't get a new car loan.
It also means the hacker can't come and steal your identity.
It does not mean that it will be that way forever.
You can unfreeze those files.
But if you don't need a car loan, you can go ahead and freeze the file and protect yourself.
But what if you do need a car loan?
You can unfreeze your credit file.
So depending on the credit bureau that you're freezing and unfreezing with,
and you should do all three,
it can take 24 hours or up to 72 hours to unfreeze the file.
But it's very easy, like the flip of a switch, to unfreeze it once it's frozen.
Okay, fair enough.
Is this something that you did when you found out that your social
security number had been compromised earlier this month? I did. I froze my credit files with all
three of the major bureaus. And I was worried that that was going to be hard and time consuming.
It really wasn't. It used to be and you might think that it is hard. I froze my credit files
a few years ago and then got really tripped up trying to unfreeze them because they gave me like a pin that I had to write down and quickly lost.
And I eventually got them unfrozen.
But these days, you just basically set up an account with a credit bureau, log in, freeze it, unfreeze it.
You're done.
It's really easy.
How long did it take?
How easy was it?
It took me less than 10 minutes with all three bureaus. And some of them I had to set up new
accounts. So like if you already have accounts, it's a couple minutes.
Okay. Does it cost money?
It is free.
It's free?
It's free by law. It's free. They also have to give you a credit report once a week if you ask
for it. But after that 2017 Equifax breach, some laws changed
and now it's free and easy. Huh. So there aren't laws to protect your social security number,
but there are laws that demand that this process of freezing your credit is free.
It's progress. Okay. Well, you know, I know this isn't your job to, like, help your colleagues protect their social security numbers.
But can I ask, since we're talking about this, that you just tell me how to do it and I'll do it right now while we're in this interview?
Because my social security number must just be out there, unfrozen, just baking in the hot sun.
Hey, freeze.
The heat is on.
Yeah, let's do TransUnion. And instead of asking you to Google it, uh, which is like what you tell a friend, let's just go to transunion.com and then I'll walk through it with you.
Oh, I already Googled it, but I'm still there. We ended up in the same place. Okay, I'm at transunion.com. Uh, there's a nice lady smiling at me. She looks very happy. Her credit's probably safe.
At the very top, Adam, I don't know if you're aware, it says impacted by a recent data breach. Not just a twink-wink. Visit our What To Do After a Data Breach page for information.
We have feedback because we have you. What do I do?
Click on Member Login.
Member Login. Got it. Very clear.
Credit monitoring, service center, TrueIdentity.
Oh, third person says dispute. Manage to freeze.
Add follower or viewer.
Dispute.
Okay.
Okay, login. Do I have a login?
I would, if you're not sure Go ahead and click
Create account
First name
John
Middle name
Secret
Last name
Rom's from
Address
Have you lived here
For more than six months?
Indeed I have
Email
Noelle at
King.com
Mobile number
Easy peasy
Date of birth
March
Oh and they want a
Adam they want the last
Four of my social
Should I trust them with it?
I think you can trust them with it.
I always say double-check the website.
If it's the website you want to be on,
if you are, it's transunion.com.
Okay, please send me a couple tips
and news about my service,
including special offers and transunion.com.
Hell no.
Okay.
Create a password.
Miles Bryan 123.
Oh, they do not like the strength of that password.
Wow, they really want a serious password.
12 to 64 characters.
64 characters? Y to 64. 64 characters, yes.
64 characters sounds like an Ocean's 11 movie, you know what I mean? That's awful. That's awful.
Um, okay. I don't know, man, this is like a much more, I mean, uh, we can jump to the party episode, right?
Talk about password managers. Isn't that placing a lot of trust in these services? Gotta trust somebody.
I'm not so sure.
Oh, credit freeze. There's a little snowflake.
Yes, that's me. A little snowflake.
Your report does not have a credit freeze in place.
It says it's available.
And then there's a huge button that says add freeze.
That's the button to click.
Doing it.
Okay, it says once your credit freeze is in place, you may leave the freeze in place to ensure your credit report is not accessible for new credit applications.
You may also choose to remove the credit report entirely.
It's up to you.
Okay, I'm going to continue.
That's the option.
Continue.
Thank you for your request.
A freeze is now in place. Oh my God, I'm so excited.
I'm out of my water.
A freeze is now in place on your TransUnion credit report.
It will stay in place until you request its removal.
You have now prevented others from viewing your TransUnion credit report.
Help prevent identity thieves from getting credit in your name.
Did we do it?
We did it.
Wasn't that easy?
You know, it wasn't hard.
It wasn't hard.
Was it annoying?
You know, mildly.
But what?
You're saying that, you know, there's a payoff.
Yeah. Well, do you know what's more annoying than doing that?
I can guess. It's getting your identity stolen. But wait, I have to do this three times now? Like, I've done it once. I have to do it two more times with, with what, Experian and Equifax?
Yes.
How much do you want to sit here while I do those two?
I don't mind.
That's sweet of you.
I bet our producer does mind.
He just wrote to me, I mind.
Okay, what if you have kids?
Do kids even have credit?
Is this just like a 18 plus thing?
Kids have identities, which is the big thing here.
When your child is born in the United States, they're given a Social Security card and number on it, and they have an identity. If you have a young child, they probably don't have a credit file yet, but you can actually contact the credit bureaus, get them to create a file, and then freeze it for you to protect their identities.
And experts tell me you should do this.
So if you've got like four kids, you do have like an afternoon's worth of work ahead of you here.
Maybe not an afternoon. It's a little bit different than freezing your own credit file.
There's a form involved that you actually have to mail in, but it's worth doing because actually child identity theft is rising more quickly than adult identity theft.
And you might not even know your child's identity has been stolen until they're 16 or 18 and
get their driver's license or apply for a student loan.
And if they find out at that point in time, their identity has been stolen and they have
multiple credit cards that are maxed out and a mortgage on four houses in Florida, probably,
it's going to be a huge headache. So it's worth taking the small step now to avoid that headache
in the future. To get back to the title of your recently published piece at Vox,
the massive social security number breach is actually a good thing. Is it a good thing because it will encourage people to do what I just did to freeze their
credit?
Is that the argument you're making?
The argument I'm making is that it's a good thing because we're talking about this right
now.
It's a good thing that my friends were asking me about how to freeze their credit files.
And it's a good thing that a lot
more people are going to do it. It is the first line of defense between you and identity thieves.
And like one security expert told me, if you haven't had your identity stolen yet, it's not
because you're special. It's just because they haven't gotten to you yet. The information about
you is out there and it's only a matter of time.
I think that worldview is a little bit paranoid, but I think that he has a point.
Think about it this way. In your home, you have things that are valuable to you. And if other people got those things, it would be upsetting. But we have security measures in place. You have a lock in your front door. But
if someone breaks that lock and comes into your house, you can call the police and they will
come in and help you because those systems are in place. Well, the internet doesn't quite work like
that. You have a lot of valuable information that's out there and people are stealing it and buying
and selling it all the time and there's not really an internet police that's coming after them. Of course, there are like cybercrime divisions of the actual police.
But the scale of this problem is so big. It's literally every person in the United States and
every person in the world that's online could be a victim of cybercrime. And if there were the right
amount of protections and regulations in place, we wouldn't have data breaches where hundreds of millions of American Social Security numbers are compromised.
Adam Clark Estes, you know where to find him because I said it several times.
I also said Miles Bryan produced the show today.
But I didn't say that Matthew Collette edited our program today and that Laura Bullard
fact-checked it and that Patrick Boyd and Andrea Kristinsdottir mixed it, but I did say this
is Today Explained.