On Hacker News, someone shared a magnet link to the files. I checked them out and yeah, they contain millions of personal information records, including date of birth, social security number,...
Exemplary
On Hacker News, someone shared a magnet link to the files. I checked them out and yeah, they contain millions of personal information records, including date of birth, social security number, address, etc. I'm thankfully not in there, but my parents, all four of my grandparents (including the late ones), and tons of cousins and other family are. If you have the means, I recommend checking these files yourself to see if you or anyone you know is affected (and that's why I'm posting this).
Here is the base64 encoded magnet link for the .zip files that was shared on HN, as well as the (again, encoded) password to actually extract the .txt files once you download them:
I'm not sure if @Deimos would be cool with me sharing the straight magnet link and password here (please advise), but you can decode them trivially at https://www.base64decode.org/
For anyone who is interested in searching the files themselves, I put together a bash script to search for all the relevant names and social security numbers I was concerned about. The script compares each line in the breach files to all of the names and numbers defined in the script. If a given line in the breach files is a match, it copies that record out to a separate (and hopefully much smaller) file.
With that smaller file, you could then cat smaller_file.txt | fzf to fuzzy search for exact records of yourself or people you know. If, like me, you have some relatives with very common names, there are going to be a lot of false positives. What I ended up doing was searching for names, birthdates, and addresses until I found definite records for the people I was looking for. I then used fzf to search exclusively for the social security numbers associated with the definite records to find the rest of them ('867530900 for example, note the apostrophe to search for an exact match).
Anyways, here's the bash script:
#!/usr/bin/env bashdeclare -a items=("FIRST,LAST""LAST,FIRST""JOHN,DOE""DOE,JOHN""867530900""000000000")terms=""for item in"${items[@]}"doterms=${terms}$item"|"doneterms=${terms::-1}
mkdir -p results
touch results/ssn1_results.txt
touch results/ssn2_results.txt
rg -i "$terms" ssn1.txt > results/ssn1_results.txt
rg -i "$terms" ssn2.txt > results/ssn2_results.txt
cat results/*.txt > results_combined.txt
# In my searches there were no duplicate results but others reported getting them# awk '!seen[$0]++' results_combined.txt > results_deduped.txt
This script uses ripgrep, because it's faster than grep, but if you just want to use grep you can replace every instance of rg with grep -E. Also, the -i flag isn't necessary (and slows the script down slightly) and I probably should just remove it, but the output files were different without it. I just never checked what those differences were.
Finally, RIP Georgia voter registrations:
To submit a cancellation request, users just need a few identifying details: A first initial, last name, county, date of birth, and the driver’s license number or last four digits of the Social Security number for the voter whose registration they are seeking to cancel.
Honestly, I'm not sure. Historically, Have I Been Pwned has allowed people to see if they were impacted by a breach using their email address. However, this breach doesn't include email addresses,...
Exemplary
Honestly, I'm not sure. Historically, Have I Been Pwned has allowed people to see if they were impacted by a breach using their email address. However, this breach doesn't include email addresses, so I don't know if they (or someone else) are going to provide some way to search the data.
At this time, I would just assume that you are impacted and act accordingly (but I don't have any advice for what actions you should take).
That being said... if you want to go on an adventure...
The .zip files in the magnet link above are about 50GB. The .txt files they contain are about 300GB once you extract them. So to have all the files available at once, you would need 350GB of free storage at a minimum. If you were strategic about what order you downloaded and extracted the .zip files (and deleted them afterwards) you could get away with analyzing the files yourself with only 145GB of free space.
(Someone could actually, probably, write a powershell script that does the same thing as the script I posted, and just run that on Windows natively, but that someone is not me lmao)
If you're on macOS or Linux already, then the steps are actually simpler. You'll still need to copy those base64 codes in the comment above, and paste them into the text box at https://www.base64decode.org/
That should give you the "magnet link" and the password for the .zip files. After that, you'll need to download a torrent client (qBittorrent would qBe fine) and download the .zip files, from the magnet link, using the torrent client. As far as I know, most torrent clients have a little button with a chain or magnet icon somewhere for opening magnet links.
After that, you'll need to extract the .zip files. I'm going to trust that macOS makes this easy enough to do, and if you're on Linux that you already know how. If you actually embark on this journey, and you don't know how though, feel free to ask.
Once the .zip files are extracted, you're actually almost done. You'll need to install ripgrep and fzf onto your computer (or just use grep, which is most likely already installed, instead of ripgrep, but you'll still need fzf). Once those are installed, you can create a new script file.
I don't know how you create a new file on macOS, and on Linux you can almost certainly just use your file manager.
However, you will eventually need to drop into the terminal anyways, so now is as good a time as any. Open a terminal (and look up how for your OS if you don't know), and then you'll want to navigate to the folder where the .zip files were downloaded to or wherever you extracted the .txt files to if you put them somwhere different.
I can't tell you the exact command you'll need to enter to change to the correct directory (again, OS specific, depends on where you put the files, etc.) but I can tell you it will almost certainly involve typing cd in the terminal. You can search something like "macos terminal change directory" and that will probably pull up some helpful results. If you can't figure it out, feel free to ask here and don't feel bad. Paths are one of the most confusing things about using a terminal until you get used to things.
Anyways, once you have the terminal open and have changed to the correct directory/folder, you'll want to create the script file. This command would be something like touch script.sh and chmod +x script.sh (do you have to chmod stuff on macOS? I don't know 🤷 Try it and see what happens I guess).
And copy and paste the code for the script from my comment above into the file.
Notice this bit in the script:
declare -a items=("FIRST,LAST""LAST,FIRST""JOHN,DOE""DOE,JOHN""867530900""000000000")
You'll want to delete all of those placeholder lines, then type in any names or social security numbers you want the script to look for. Note the comma (and lack of space) separating the names and how each item is surrounded by quotes (and how the entire list of items is surrounded by an opening and closing parenthesis.
After that you'll want to run the script and, assuming nothing breaks, keep yourself busy for thirty minutes (or more) while the script does its thing. When it's done, you should have a file in the same folder as the script named results_combined.txt. What you'll want to do now, from a terminal, is run cat results_combined.txt | fzf. That should open fzf in the terminal window, and from there you can start typing and searching for stuff.
fzf is what's called a "fuzzy finder", so it'll show results for words that sort of match what you searched for, even if they aren't exact. If you want to search for exactly your name in the results, you would type 'YOUR 'NAME or 'YOUR,NAME. Note the apostrophes, those tell fzf to only show exact matches for the letters (but not spaces) following the apostrophe. Searching something like !NAME will exclude any results that contain "NAME".
If you want to search for your specific state, let's say North Carolina, you'll want to search something like 'YOUR 'NAME ',NC, and maybe add 'CITY in to be precise.
If nothing comes up, congratulations, your data hasn't been leaked! In this specific breach...
Also: the records I found for friends and family included addresses they lived at decades ago in some cases. So be sure to search for old states, cities, or even street names to be sure.
If you (or anyone else) have any questions, just ask them here. I or someone else can probably answer them.
Hey! Thank you for the information. Several news outlets are recommending https://npd.pentester.com/ I have never heard of the service and, thus, I am skeptical of it. Do you happen to be familiar...
Hey! Thank you for the information. Several news outlets are recommending https://npd.pentester.com/ I have never heard of the service and, thus, I am skeptical of it. Do you happen to be familiar with the site? If not, could you please check if a couple of the records leaked match the information showed by that site to at least confirm its validity?
I’m not familiar with the site, but I entered a few known records and they all matched what I saw in the data. Keep in mind some of the records can be really old. If you lived in a different...
I’m not familiar with the site, but I entered a few known records and they all matched what I saw in the data.
Keep in mind some of the records can be really old. If you lived in a different state, even decades ago, you ought to search for yourself in that state too. Some of the records I found were at least 40 years old.
Thanks for that site link. I figured I'd try it since it doesn't really require me to put anything personal in there (although at this point, for most people even personal information isn't...
Thanks for that site link. I figured I'd try it since it doesn't really require me to put anything personal in there (although at this point, for most people even personal information isn't personal anymore). I checked myself and a few others I know, and I wasn't in there my some other family members were.
You should freeze your credit at all three major credit bureaus: Equifax, Experian, and Transunion. Nerd Wallet has a guide. The bureaus don't like to make it easy, and will try and get you to...
You should freeze your credit at all three major credit bureaus: Equifax, Experian, and Transunion. Nerd Wallet has a guide. The bureaus don't like to make it easy, and will try and get you to sign up for a paid membership, but keep declining and opting out of that stuff, as it isn't required. You will need (or should) make an account with each bureau and securely record your security questions and pin information so you can quickly add temporary "thaws" on your report for when you do need a "hard" credit check like to get approved for a loan or a credit card.
Solid work with the script and analysis. The article mentioned the breach may include Canadian and UK data as well. Did any of your results look to show results in that vein, Canadian or UK...
Solid work with the script and analysis. The article mentioned the breach may include Canadian and UK data as well. Did any of your results look to show results in that vein, Canadian or UK formatted "social security" numbers for example?
Short answer: I was able to find some addresses for Canada, but not for the United Kingdom. The records seem to be overwhelmingly American. I cannot rule out that there might be UK records in the...
Short answer: I was able to find some addresses for Canada, but not for the United Kingdom. The records seem to be overwhelmingly American. I cannot rule out that there might be UK records in the data, I just did not find any.
Long answer:
The two text files in this dump total up to 300GB of data with 2,695,681,513 individual lines of records.
I found the Canadian addresses by using head and tail to get the first and last 50 million records from each file (so 200 million total) and copied those over to a combined file. I then used fzf to search the combined file for Canadian province codes while filtering out the American state codes using this syntax:
That's not a perfect filter, because it doesn't exclude US non-state codes for places like Guam, but it removed most of the US results. There were about 2,200 results remaining after applying the filter.
Unfortunately (or I guess fortunately if you're Canadian) most of the remaining records seem to be for US addresses, they're just incomplete and don't include their state codes. So these would be records for people whose middle name is included as an abbreviation that happens to match a Canadian province code. Or, my personal favorites:MEAL,WHEELS,ON, and CORP,O,RATI,ON,
There definitely were some Canadian addresses in what remained, though I can't say how many or what percentage they made up. The data seems to be dominated by American addresses. Keep in mind, everything I just described was me checking 200 million records, or 7.42% of the total number of records. I would have checked more than 200 million records with fzf, but I quite literally do not have any more disk space to dedicate to swap haha
I could also modify the script I posted above to search for Canadian province codes and exclude American state codes, since the script, unlike fzf, is neither storage nor memory bound on my computer. Running the script takes a lot of time though, and I was using that time to search for cities across the United Kingdom at the same time I did all the Canadian filtering I just mentioned.
So I plugged a few of the most populous UK cities into the script, as well as the Welsh and English city and area names from a similar list (since the Welsh names are much more unique and less likely to result in false positives).
I then took the output of that search and applied my American state codes filter onto its contents using FZF. That left just over 1,600 records to search through. The vast majority of the remaining records seem to be American addresses, specifically random PO Boxes and a particular city in Wisconsin. Using this search methodology, I was not able to find any records that look to me like they belong to the UK. However, even though this time I searched the entirety of both files, just using the names of cities as a filter is not very thorough. So, I can't say for sure there are not any UK records in the dump, but I did not find any.
Thanks for putting in the effort. That's not the method I'd have thought to use but sounds like a good one. It's useful that Canada Post and USPS have agreed to not use the same two letters...
Have you tried throwing it in a database? It might take a bit of time to ingest the data, but SQLite with a handful of indexes should churn through searches like this without a problem. I’m at...
Have you tried throwing it in a database? It might take a bit of time to ingest the data, but SQLite with a handful of indexes should churn through searches like this without a problem. I’m at work right now, but I’ll be trying this when I get home.
Thanks for the links! I wanted to share that I've found several false negatives between the search at Pentester and the actual leaked data. I can't say for sure, but I think that the pentester...
Thanks for the links!
I wanted to share that I've found several false negatives between the search at Pentester and the actual leaked data. I can't say for sure, but I think that the pentester data might have been lightly deduped in a hurry, indexed wrong, or something. I've found it most reliable to search the raw data using current and former street addresses like "### North Street ST" as it would appear on your driver's license, bank, or credit reports. That seems to reliably catch cases where you have multiple people with the same name and address, etc. Not sure why social wouldn't disambiguate those cases in the pentester data, but I've had a few friends and family searches, get no hits, and then do a full search of the raw data and find records.
They're just text files, so not from that part, but they're in 7z compressed archives, so theoretically someone could have private knowledge of a vulnerability that would affect anyone who opens...
They're just text files, so not from that part, but they're in 7z compressed archives, so theoretically someone could have private knowledge of a vulnerability that would affect anyone who opens or extracts them. I'd say that's unlikely, but we had something similar in xz recently...
It's not unreasonable to think, especially because 7z also had some security issue 2 years back: https://nvd.nist.gov/vuln/detail/cve-2022-29072 I decompressed the 7z archives using a pure-rust...
I decompressed the 7z archives using a pure-rust lzma implementation just to see if it would do anything unusual and for what it's worth it didn't. I don't think it's a 7z 0-day.
I think WinRAR and XZ can beat it out in some use cases, but if your goal is compressing mindboggling amounts of text, it's hard to beat 7z. Especially if you're trying to be cross-platform...
I think WinRAR and XZ can beat it out in some use cases, but if your goal is compressing mindboggling amounts of text, it's hard to beat 7z. Especially if you're trying to be cross-platform because XZ is basically unheard of on Windows.
If anyone is trying to get their hands on the files and wants to know if they have the right stuff here are the sha256 checksums: 5d4ab848129e55042c5b6bd3f74a115b26472a184b0f4d0d4b0728e00e1d08ec...
If anyone is trying to get their hands on the files and wants to know if they have the right stuff here are the sha256 checksums:
I calculated these from the files I downloaded from the magnet link, and someone else who downloaded them from the original source (not the magnet link) also claims those hashes are correct.
I haven't had time to do a whole lot of data crunching yet as I'm having a wee bit of trouble working with 276 GB of data, but I count 272,541,507 distinct SSNs in 2,695,681,513 rows. That's 10% of rows with a unique SSN.
Curiously, that's quite different from Troy Hunt's estimate of 899M distinct SSNs.
I don't have the data myself and some of that seems beyond my capabilities to figure out without putting in a lot of effort, but I've often just assumed my SSN is already in all of this, even...
I don't have the data myself and some of that seems beyond my capabilities to figure out without putting in a lot of effort, but I've often just assumed my SSN is already in all of this, even though I checked that npd.pentester.com site and didn't see myself in there.
I think I'll find it a little more interesting if it turns out things like driver's license numbers and such are more private than SSNs, because I rarely have to give out my DLN, but frequently have to use my SSN.
The US population is ~333M and with 273M distinct SSNs in the dataset (some unknown number of which are for deceased individuals) there's decent odds that any given person isn't in there. There's...
The US population is ~333M and with 273M distinct SSNs in the dataset (some unknown number of which are for deceased individuals) there's decent odds that any given person isn't in there. There's also definitely some garbage data in the dataset, so there's some unknown percentage of those SSNs that are just wrong. But yeah, this breach is quite large.
In a twisted way I was actually hoping this breach would be larger, because we really need something to get companies to stop using SSN as an ID number when it was never built to be secure. CGP Grey has a video on this topic that while 7 years old is still accurate https://www.youtube.com/watch?v=Erp8IAUouus
Question for the crowd: what are the current best practices for people whose data has been breached? I was just notified that I was included in a major breach (not this one) that included...
Question for the crowd: what are the current best practices for people whose data has been breached?
I was just notified that I was included in a major breach (not this one) that included significant amounts of my personal information. I'm just going to go ahead and assume I'm included in this one as well.
What should I be doing, if anything? It's frustrating that my data gets leaked from companies I've never even heard of nor done any sort of direct business with, and the most I get from them is "oops!"
The author mentions a tweet in the writeup:
The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.
My view of opt-out companies is that they're pretty scummy and that I'm basically increasing my attack surface by turning over personal information to yet ANOTHER company. Am I wrong? If they actually work then are they something I should look into paying for?
Also, while looking up info, I found this list of data breaches from the US Department of Health and Human Services. It looks like it's only healthcare related ones? Still, the amount of them is genuinely staggering. I had no idea it was this bad.
Freeze your credit if it isn't already. You'll need to go to each of the big three and request it. It is free. If needed, you can temporarily unfreeze it for a timed period. Going forward,...
Freeze your credit if it isn't already. You'll need to go to each of the big three and request it. It is free. If needed, you can temporarily unfreeze it for a timed period.
Going forward, consider how this info could be linked to security questions with respect to password resets and account access. Also be vigilant for scams that can leverage this info to try and make themselves seem more legitimate.
I'm sure there's more but that's what I've got off the top of my head.
Security questions are accessory passwords which the managing entity has encouraged you to make insecure. Treat them as passwords: generate long, random values and store them in a password...
consider how this info could be linked to security questions
Security questions are accessory passwords which the managing entity has encouraged you to make insecure. Treat them as passwords: generate long, random values and store them in a password manager. (In particular, the value you enter for a security question should absolutely never be an answer to that question.)
Yes, my mother's maiden name is "99BppyiprbOXfk1Yoyhcnamjh0LDirw6", thank you very much for asking.
I've stopped doing this because on two occasions I've had phone support staff say something to the effect of "it looks like there's something wrong with your security questions so I'll skip them...
I've stopped doing this because on two occasions I've had phone support staff say something to the effect of "it looks like there's something wrong with your security questions so I'll skip them for this call". One of them even asked if I wanted to "fix" it right then.
So now what I do is generate fake and obscure but plausible answers to these questions. First pets name? Bojangleboy. Favorite teacher? Mrs. Tornicholson. Etc.
I mean if the support staff can change it right then and there, while it might be more secure to make more plausible sounding answers, it still seems like it's incredibly susceptible to social...
I mean if the support staff can change it right then and there, while it might be more secure to make more plausible sounding answers, it still seems like it's incredibly susceptible to social engineering. The plausible answers just might make it so that it's a little harder to social engineer a support staff, but that's just downright horrible training and security in place for those companies. If that's how they operate, then I don't know if there's anything you could do that would change a relatively skilled person in social engineering from duping them into giving them access to your account.
I guess if they're not offering to 'fix' it right then and there without doing anything more to verify your identity and they're just using it as an extra check to know you're the account holder, that in itself isn't the worst in the world and it does highlight that using randomized passwords of characters, symbols etc. is a little problematic but at that point just using randomly generated sequences of words that can be pronounced would alleviate that, even if they don't look like plausible or real answers. It would at least allow you to answer a question verbally more easily than the random characters and symbols. It would still require the staff to have proper training and not have the ability to just change answers without actually having followed proper procedures.
Perhaps a better approach would be to use a non-sensical but readable answer? Something like "Where was your father born? Betelgeuse" OR "What was your elementary school mascot? The Aasgard...
I've stopped doing this because on two occasions I've had phone support staff say
Perhaps a better approach would be to use a non-sensical but readable answer? Something like "Where was your father born? Betelgeuse" OR "What was your elementary school mascot? The Aasgard Aardvarks".
"Real" answers, that someone can read and pronounce, but that no one would guess as a factual answer.
I personally have frozen my credit reports so they can't be used maliciously, and I've also looked at the final dates for voter registration should I be unregistered from the voting pool.
I personally have frozen my credit reports so they can't be used maliciously, and I've also looked at the final dates for voter registration should I be unregistered from the voting pool.
Update, for anyone curious: Using the Pentester site, I learned that I'm also included in this breach. It only had two of my previous addresses -- everywhere else I lived was missing. It,...
Update, for anyone curious:
Using the Pentester site, I learned that I'm also included in this breach. It only had two of my previous addresses -- everywhere else I lived was missing. It, surprisingly, did not have my husband's information at all.
I made accounts in order to freeze my credit at Equifax, Experian, and TransUnion. After being burned before, I now use 1Password and Fastmail to generate masked email addresses for new accounts that forward to my main email address.
I'm thinking that Equifax and TransUnion didn't like this. Both of them let me go through the sign-up process but then told me that I needed to call customer support. Equifax didn't say why, but TransUnion told me that I'd failed the identity verification.
Experian let me sign up fully. They have an easy to use but hard to find credit freeze toggle on the site. Everything else on the site is an upsell to try to get you to sign up for a subscription service for credit monitoring/identity protection, and I had to browse around a bit before I actually found the freeze option buried in text under some other option they were trying to sell me.
I've currently been on hold with Equifax for 45 minutes. No telling when I'll actually get to speak to someone. I'm thinking their "currently experiencing unexpectedly high call volume" disclaimer might actually be true, as even their website is non-responsive. They might be getting slammed in the wake of this breach. I'm at the sunk-cost part of being on hold where I've been on this long enough that I don't want to walk away, but I don't want to waste my time by waiting even longer -- potentially over an hour.
The worst part is that once I do finally get through, I get to call TransUnion and do the same thing all over again.
I appreciate the tip from @Carrow and @whbboyd about security question answers. I had my password generator create random strings for me, so the high school I went to/the first street I lived on is something like "CULVERT runny smiles ARCHIPELAGO."
Additional update: TransUnion's phone support opens an hour earlier than Equifax's. So I called TransUnion first, right when they opened. They gave me the obligatory "unexpectedly high call...
Additional update:
TransUnion's phone support opens an hour earlier than Equifax's.
So I called TransUnion first, right when they opened. They gave me the obligatory "unexpectedly high call volume" disclaimer that I assume is just an automatic part of any call service script now, but they also gave me the option to receive a callback instead of waiting on hold, which is a great convenience. I was entering my callback number when I was put through to an agent. He confirmed some information with me and then unlocked my account. Took less than five minutes.
I then called Equifax right when they opened. Same "high call volume" disclaimer, which, again, is hard to believe when your phone lines have been open for all of a minute. Their hold has no quality of life features: no offer for a callback, no notification of your place in line -- you simply listen to the same music loop and have an automated voice tell you that all their agents are busy at the moment. I spent an hour on hold yesterday before hanging up, but thankfully(?) this morning the hold was only ten minutes(!).
The Equifax rep didn't actually confirm any information with me (although the automated system before had asked me for a lot of my identifying information) -- he simply asked me if I used a VPN with the account. I normally do use a VPN, but I had turned it off before signing up yesterday because I figured it would probably flag me as fraudulent. I told him I didn't, and he said okay and then asked me to login, which I was able to do.
For both TransUnion and Equifax it seems like there was some automated block on my account that a human had to clear. I assume it's because I used an email address separate from my regular one, and their automated "is this person who they say they are?" check failed. I could be wrong though -- that's just supposition on my part. I also forgot to turn off uBlock Origin so maybe the lack of trackers pinged for them. Or it could be because I was signing on on Linux. Or it could be I was just unlucky? Or maybe it's because I was included in the recent breach so they had additional safeguards on people signing up with that information? I don't know.
Freezing credit:
With regards to freezing, both TransUnion and Equifax have simple dashboards that make finding the freeze option very easy. I can second @ebonGavia's experience with Experian though. They are quite scummy, with lots of dark patterns to try to get you to sign up for monetized services with them.
Here's how I currently can find the freeze option on Experian (there might be a better way but this is the best I can figure out at the moment, which says something about how bad it is):
Log in
Skip the upsell by clicking No, keep my current membership
Click Protection in the header
Click Experian credit file in the blue banner at the top of the page
A sidebar pops up with information about Experian CreditLock
Ignore all of that and look at the small text at the bottom that says Experian CreditLock is a separate service from security freeze.
Click the "security freeze" link, which takes you to the actual toggle.
The direct URL for that is this, which at present does take me directly to the freeze page after I log in. However, they also have this freeze page that does NOT take you to the freeze after you log in and instead dumps you on your dashboard.
On the other hand, one point in favor of Experian is that they were the only site of the three that seems to have 2FA (but only through SMS). I could not find that option for Equifax or TransUnion.
Conclusion:
As annoying as this whole process was, I'm glad I went through it and would recommend other people do it even if your data hasn't yet been breached.
In theory, if your signups don't get flagged like mine did, signing up and freezing your credit with the three main bureaus should only take five to ten minutes tops, with everything done online and no phone calls needed.
I saw a comment elsewhere that said something like "yes, it's a bit of a pain but it's WAY less of a pain than having to deal with everything that happens after someone does steal your identity" which helped me put things in perspective.
Additionally, the information I needed to make my accounts was, well, exactly the same information that was leaked: name, social, phone number, current zip code, numbers on my current address. The furthest confirmation any of them went was TransUnion, which asked me to confirm a previous address, but that information was, of course, also included in the leak, so someone easily could have passed that. In theory, someone could have made all these accounts in my name using now publicly available information, and I would be effectively helpless.
As such, I feel like a big part of this wasn't just freezing my credit but actually claiming those accounts in the first place. I do hate having to do that with companies that take and make money off of my data for free (especially one with a significant breach history). I also hate that all of them that have a vested financial interest in selling me "security" for my own data that I didn't choose for them to have in the first place. Still, I'm glad I control the accounts rather than finding out someone else was doing it in my name. It does feel a bit like I'm shaking hands with a demon so I don't have to do it with the actual devil though.
I went to this link many years ago https://www.usa.gov/credit-freeze Obviously it still exists and it is mostly the same as I remember, links to credit freeze for each credit bureau, except back...
Obviously it still exists and it is mostly the same as I remember, links to credit freeze for each credit bureau, except back then they were direct links to the page and you didn't even have to make an account for them. They gave randomized numbers as your a pin code of sorts, or you could choose a pin code. It used to be that easy. I just checked each link now, Experian seems to be the worst as it takes you to what appears like a blog post. As you mentioned, you had a more direct link which works when logged in, but seemingly not otherwise, which tells me it's not just a government website where they don't update the links but rather Experian is just shady like that.
There was a story that came out a few years ago where all these credit bureaus seemingly changed their process to making accounts and some, or one of them at least, had left a backdoor in where someone like me who had previously frozen credit with just a pin could have had someone else bypass this by making an account. So I ended up going to each website and making an account.
I just double checked mine, and Transunion seems to do 2fa through email, because when I went to login they sent me an email with a 20 minute time sensitive 6 digit code.
My own experience is that Equifax is absolutely slammed, but TransUnion and Experian's websites let me get through setting up an account and freezing my credit easily this morning. I'll be trying...
My own experience is that Equifax is absolutely slammed, but TransUnion and Experian's websites let me get through setting up an account and freezing my credit easily this morning. I'll be trying Equifax's website again later, when it's hopefully eased up a bit.
I gave up on Equifax after an hour on hold. I then got hung up on in the middle of TransUnion's automated identity verification. I'm giving up on them for today and will call tomorrow when their...
I gave up on Equifax after an hour on hold. I then got hung up on in the middle of TransUnion's automated identity verification. I'm giving up on them for today and will call tomorrow when their support lines open.
Transunion's password reset system is down right now, which is fucking me up. Experian and Equifax I got in very quick to freeze. EDIT: It's back up, was easy after that.
Transunion's password reset system is down right now, which is fucking me up. Experian and Equifax I got in very quick to freeze.
One thing to keep in mind with the HHS list of breaches is the specific definition of breach. Because of the definition and rules around HIPAA it can be surprisingly easy to trigger a breach...
One thing to keep in mind with the HHS list of breaches is the specific definition of breach. Because of the definition and rules around HIPAA it can be surprisingly easy to trigger a breach through inadvertent disclosure that is unlikely to result in information being used maliciously. E.g., if a researcher at a covered entity sends an encrypted file of research data to a collaborator at a non-covered entity that inadvertently includes an identifier that should have been stripped out, it could qualify as a breach. In that case, the recipient would likely have a data use agreement in place, and would securely destroy the data they should not have received. It get's even more fraught when you have integrated EMR's with multiple data sources, where sometimes you pull data on a human subject, and it pulls from all sources instead of just the source you wanted, triggering a disclosure.
So not every breach means the data was publicly disclosed or taken by malicious parties, just that it was inadvertent.
With regard to the opt-out services, I use Incogni and Onerep, despite some of the criticisms they face. I find that Incogni targets behind-the-scenes brokers, such as employment data brokers, and Onerep targets more public people finder sites. I find that they work, though their necessity is annoying.
I know that every opt-out service comes packaged with discourse on whether it’s actually productive, but there’s a pretty substantive case to be wary of Onerep specifically, since its CEO is also...
In terms of alternatives, the particularly privacy minded/paranoid tend to favor a DIY approach, which has the additional benefit of being free, though it is a MASSIVE time sink.
I remember when the news came out about the founder of One rep possibly running people search sites. I would suggest people read the CEOs response to form their own take on the situation....
I remember when the news came out about the founder of One rep possibly running people search sites. I would suggest people read the CEOs response to form their own take on the situation.
Personally, I just don't want to spend the time manually opt-ing out of hundreds of portals. I've manually done it, and it isn't always as simple as that guide makes out. Many of the worst offenders at sharing your data make it difficult to opt out, or have broken or semi broken processes. The only information you need to provide the opt out services are permutations on your name, emails, and state (I think). It's less information than a paid Spotify account.
For what it's worth, searches on my name no longer shows any results other than my LinkedIn and I'm not getting could called at home or work from possible vendors, head hunters, etc, that I had been. And some of the removed profiles had comprehensive data on home and work contact information that wasn't publicly listed, but was being sold to marketers.
You can search the NPD leak for your info at Pentester. If you're in there, and you're concerned, freeze your credit. Edit: I see someone else already linked to Pentester but was wondering if...
You can search the NPD leak for your info at Pentester.
If you're in there, and you're concerned, freeze your credit.
Edit: I see someone else already linked to Pentester but was wondering if they're legit... yep, solid reputation afaik. Also they don't ask for anything too sensitive in order to do the search.
Thank you so much for sharing this. I was able to search through all of it, and only found ONE person who was breached. So I feel better, but I might still freeze my credit to be safe.
Thank you so much for sharing this. I was able to search through all of it, and only found ONE person who was breached. So I feel better, but I might still freeze my credit to be safe.
Reminder: be sure to check for the proper/full name! Someone I know goes by a nickname that's really close to their proper name (to the point people think it IS their name), so I searched that...
Reminder: be sure to check for the proper/full name! Someone I know goes by a nickname that's really close to their proper name (to the point people think it IS their name), so I searched that first out of habit before realizing and checking again. (Think: Matt and Matthew, John and Jonathon, Julie and Julia, etc.) This should be obvious, but when you're used to the short form it can throw you off.
On Hacker News, someone shared a magnet link to the files. I checked them out and yeah, they contain millions of personal information records, including date of birth, social security number, address, etc. I'm thankfully not in there, but my parents, all four of my grandparents (including the late ones), and tons of cousins and other family are. If you have the means, I recommend checking these files yourself to see if you or anyone you know is affected (and that's why I'm posting this).
Here is the base64 encoded magnet link for the
.zipfiles that was shared on HN, as well as the (again, encoded) password to actually extract the.txtfiles once you download them:bWFnbmV0Oj94dD11cm46YnRpaDozY2FhNzFmM2VjOGNiY2NjNmZjYTRmZWI3MTg1ZGEyYmFiMTQ5YmE3JmRuPU5QRCZ0cj11ZHA6Ly90cmFja2VyLm9wZW5iaXR0b3JyZW50LmNvbTo4MCZ0cj11ZHA6Ly90cmFja2VyLm9wZW50cmFja3Iub3JnOjEzMzcvYW5ub3VuY2U=aHR0cHM6Ly91c2RvZC5pby8=I'm not sure if @Deimos would be cool with me sharing the straight magnet link and password here (please advise), but you can decode them trivially at https://www.base64decode.org/
For anyone who is interested in searching the files themselves, I put together a bash script to search for all the relevant names and social security numbers I was concerned about. The script compares each line in the breach files to all of the names and numbers defined in the script. If a given line in the breach files is a match, it copies that record out to a separate (and hopefully much smaller) file.
With that smaller file, you could then
cat smaller_file.txt | fzfto fuzzy search for exact records of yourself or people you know. If, like me, you have some relatives with very common names, there are going to be a lot of false positives. What I ended up doing was searching for names, birthdates, and addresses until I found definite records for the people I was looking for. I then usedfzfto search exclusively for the social security numbers associated with the definite records to find the rest of them ('867530900for example, note the apostrophe to search for an exact match).Anyways, here's the bash script:
This script uses ripgrep, because it's faster than grep, but if you just want to use grep you can replace every instance of
rgwithgrep -E. Also, the-iflag isn't necessary (and slows the script down slightly) and I probably should just remove it, but the output files were different without it. I just never checked what those differences were.Finally, RIP Georgia voter registrations:
https://www.usatoday.com/story/news/politics/elections/2024/08/01/georgia-voter-cancelation-portal-launches/74616004007/
Other links:
https://news.ycombinator.com/item?id=41248104
https://news.ycombinator.com/item?id=41184420
https://www.tomsguide.com/computing/online-security/29-billion-hit-in-one-of-largest-data-breaches-ever-full-names-addresses-and-ssns-exposed
What should someone do if they want to search this data but they have no idea what you are saying? Asking for myself.
Honestly, I'm not sure. Historically, Have I Been Pwned has allowed people to see if they were impacted by a breach using their email address. However, this breach doesn't include email addresses, so I don't know if they (or someone else) are going to provide some way to search the data.
At this time, I would just assume that you are impacted and act accordingly (but I don't have any advice for what actions you should take).
That being said... if you want to go on an adventure...
The
.zipfiles in the magnet link above are about 50GB. The.txtfiles they contain are about 300GB once you extract them. So to have all the files available at once, you would need 350GB of free storage at a minimum. If you were strategic about what order you downloaded and extracted the.zipfiles (and deleted them afterwards) you could get away with analyzing the files yourself with only 145GB of free space.If you're on Windows, you would need to set up the Windows Subsystem for Linux to get started.
(Someone could actually, probably, write a powershell script that does the same thing as the script I posted, and just run that on Windows natively, but that someone is not me lmao)
If you're on macOS or Linux already, then the steps are actually simpler. You'll still need to copy those base64 codes in the comment above, and paste them into the text box at https://www.base64decode.org/
That should give you the "magnet link" and the password for the
.zipfiles. After that, you'll need to download a torrent client (qBittorrent would qBe fine) and download the.zipfiles, from the magnet link, using the torrent client. As far as I know, most torrent clients have a little button with a chain or magnet icon somewhere for opening magnet links.After that, you'll need to extract the
.zipfiles. I'm going to trust that macOS makes this easy enough to do, and if you're on Linux that you already know how. If you actually embark on this journey, and you don't know how though, feel free to ask.Once the
.zipfiles are extracted, you're actually almost done. You'll need to install ripgrep and fzf onto your computer (or just use grep, which is most likely already installed, instead of ripgrep, but you'll still need fzf). Once those are installed, you can create a new script file.I don't know how you create a new file on macOS, and on Linux you can almost certainly just use your file manager.
However, you will eventually need to drop into the terminal anyways, so now is as good a time as any. Open a terminal (and look up how for your OS if you don't know), and then you'll want to navigate to the folder where the
.zipfiles were downloaded to or wherever you extracted the.txtfiles to if you put them somwhere different.I can't tell you the exact command you'll need to enter to change to the correct directory (again, OS specific, depends on where you put the files, etc.) but I can tell you it will almost certainly involve typing
cdin the terminal. You can search something like "macos terminal change directory" and that will probably pull up some helpful results. If you can't figure it out, feel free to ask here and don't feel bad. Paths are one of the most confusing things about using a terminal until you get used to things.Anyways, once you have the terminal open and have changed to the correct directory/folder, you'll want to create the script file. This command would be something like
touch script.shandchmod +x script.sh(do you have tochmodstuff on macOS? I don't know 🤷 Try it and see what happens I guess).Then, you'll just want to open... the script file... in a text editor...
And copy and paste the code for the script from my comment above into the file.
Notice this bit in the script:
You'll want to delete all of those placeholder lines, then type in any names or social security numbers you want the script to look for. Note the comma (and lack of space) separating the names and how each item is surrounded by quotes (and how the entire list of items is surrounded by an opening and closing parenthesis.
After that you'll want to run the script and, assuming nothing breaks, keep yourself busy for thirty minutes (or more) while the script does its thing. When it's done, you should have a file in the same folder as the script named
results_combined.txt. What you'll want to do now, from a terminal, is runcat results_combined.txt | fzf. That should open fzf in the terminal window, and from there you can start typing and searching for stuff.fzf is what's called a "fuzzy finder", so it'll show results for words that sort of match what you searched for, even if they aren't exact. If you want to search for exactly your name in the results, you would type
'YOUR 'NAMEor'YOUR,NAME. Note the apostrophes, those tell fzf to only show exact matches for the letters (but not spaces) following the apostrophe. Searching something like!NAMEwill exclude any results that contain "NAME".If you want to search for your specific state, let's say North Carolina, you'll want to search something like
'YOUR 'NAME ',NC,and maybe add'CITYin to be precise.If nothing comes up, congratulations, your data hasn't been leaked! In this specific breach...
Also: the records I found for friends and family included addresses they lived at decades ago in some cases. So be sure to search for old states, cities, or even street names to be sure.
If you (or anyone else) have any questions, just ask them here. I or someone else can probably answer them.
Hey! Thank you for the information. Several news outlets are recommending https://npd.pentester.com/ I have never heard of the service and, thus, I am skeptical of it. Do you happen to be familiar with the site? If not, could you please check if a couple of the records leaked match the information showed by that site to at least confirm its validity?
I’m not familiar with the site, but I entered a few known records and they all matched what I saw in the data.
Keep in mind some of the records can be really old. If you lived in a different state, even decades ago, you ought to search for yourself in that state too. Some of the records I found were at least 40 years old.
Thanks for that site link. I figured I'd try it since it doesn't really require me to put anything personal in there (although at this point, for most people even personal information isn't personal anymore). I checked myself and a few others I know, and I wasn't in there my some other family members were.
Seconding for the data illiterate!
You should freeze your credit at all three major credit bureaus: Equifax, Experian, and Transunion. Nerd Wallet has a guide. The bureaus don't like to make it easy, and will try and get you to sign up for a paid membership, but keep declining and opting out of that stuff, as it isn't required. You will need (or should) make an account with each bureau and securely record your security questions and pin information so you can quickly add temporary "thaws" on your report for when you do need a "hard" credit check like to get approved for a loan or a credit card.
https://npd.pentester.com/search will let you do a search, no account or download shenanigans required.
Solid work with the script and analysis. The article mentioned the breach may include Canadian and UK data as well. Did any of your results look to show results in that vein, Canadian or UK formatted "social security" numbers for example?
Short answer: I was able to find some addresses for Canada, but not for the United Kingdom. The records seem to be overwhelmingly American. I cannot rule out that there might be UK records in the data, I just did not find any.
Long answer:
The two text files in this dump total up to 300GB of data with 2,695,681,513 individual lines of records.
I found the Canadian addresses by using
headandtailto get the first and last 50 million records from each file (so 200 million total) and copied those over to a combined file. I then usedfzfto search the combined file for Canadian province codes while filtering out the American state codes using this syntax:That's not a perfect filter, because it doesn't exclude US non-state codes for places like Guam, but it removed most of the US results. There were about 2,200 results remaining after applying the filter.
Unfortunately (or I guess fortunately if you're Canadian) most of the remaining records seem to be for US addresses, they're just incomplete and don't include their state codes. So these would be records for people whose middle name is included as an abbreviation that happens to match a Canadian province code. Or, my personal favorites:
MEAL,WHEELS,ON,andCORP,O,RATI,ON,There definitely were some Canadian addresses in what remained, though I can't say how many or what percentage they made up. The data seems to be dominated by American addresses. Keep in mind, everything I just described was me checking 200 million records, or 7.42% of the total number of records. I would have checked more than 200 million records with
fzf, but I quite literally do not have any more disk space to dedicate to swap hahaI could also modify the script I posted above to search for Canadian province codes and exclude American state codes, since the script, unlike
fzf, is neither storage nor memory bound on my computer. Running the script takes a lot of time though, and I was using that time to search for cities across the United Kingdom at the same time I did all the Canadian filtering I just mentioned.So I plugged a few of the most populous UK cities into the script, as well as the Welsh and English city and area names from a similar list (since the Welsh names are much more unique and less likely to result in false positives).
I then took the output of that search and applied my American state codes filter onto its contents using FZF. That left just over 1,600 records to search through. The vast majority of the remaining records seem to be American addresses, specifically random PO Boxes and a particular city in Wisconsin. Using this search methodology, I was not able to find any records that look to me like they belong to the UK. However, even though this time I searched the entirety of both files, just using the names of cities as a filter is not very thorough. So, I can't say for sure there are not any UK records in the dump, but I did not find any.
Thanks for putting in the effort. That's not the method I'd have thought to use but sounds like a good one. It's useful that Canada Post and USPS have agreed to not use the same two letters (wikipedia info on the changes over time to make sure they don't overlap).
Have you tried throwing it in a database? It might take a bit of time to ingest the data, but SQLite with a handful of indexes should churn through searches like this without a problem. I’m at work right now, but I’ll be trying this when I get home.
Thanks for the links!
I wanted to share that I've found several false negatives between the search at Pentester and the actual leaked data. I can't say for sure, but I think that the pentester data might have been lightly deduped in a hurry, indexed wrong, or something. I've found it most reliable to search the raw data using current and former street addresses like "### North Street ST" as it would appear on your driver's license, bank, or credit reports. That seems to reliably catch cases where you have multiple people with the same name and address, etc. Not sure why social wouldn't disambiguate those cases in the pentester data, but I've had a few friends and family searches, get no hits, and then do a full search of the raw data and find records.
Was thinking of looking at the same files, any concern that the files could be a honeypot or similar?
They're just text files, so not from that part, but they're in 7z compressed archives, so theoretically someone could have private knowledge of a vulnerability that would affect anyone who opens or extracts them. I'd say that's unlikely, but we had something similar in xz recently...
It's not unreasonable to think, especially because 7z also had some security issue 2 years back: https://nvd.nist.gov/vuln/detail/cve-2022-29072
I decompressed the 7z archives using a pure-rust lzma implementation just to see if it would do anything unusual and for what it's worth it didn't. I don't think it's a 7z 0-day.
I think WinRAR and XZ can beat it out in some use cases, but if your goal is compressing mindboggling amounts of text, it's hard to beat 7z. Especially if you're trying to be cross-platform because XZ is basically unheard of on Windows.
If anyone is trying to get their hands on the files and wants to know if they have the right stuff here are the sha256 checksums:
I calculated these from the files I downloaded from the magnet link, and someone else who downloaded them from the original source (not the magnet link) also claims those hashes are correct.
I haven't had time to do a whole lot of data crunching yet as I'm having a wee bit of trouble working with 276 GB of data, but I count 272,541,507 distinct SSNs in 2,695,681,513 rows. That's 10% of rows with a unique SSN.
Curiously, that's quite different from Troy Hunt's estimate of 899M distinct SSNs.
I don't have the data myself and some of that seems beyond my capabilities to figure out without putting in a lot of effort, but I've often just assumed my SSN is already in all of this, even though I checked that npd.pentester.com site and didn't see myself in there.
I think I'll find it a little more interesting if it turns out things like driver's license numbers and such are more private than SSNs, because I rarely have to give out my DLN, but frequently have to use my SSN.
The US population is ~333M and with 273M distinct SSNs in the dataset (some unknown number of which are for deceased individuals) there's decent odds that any given person isn't in there. There's also definitely some garbage data in the dataset, so there's some unknown percentage of those SSNs that are just wrong. But yeah, this breach is quite large.
In a twisted way I was actually hoping this breach would be larger, because we really need something to get companies to stop using SSN as an ID number when it was never built to be secure. CGP Grey has a video on this topic that while 7 years old is still accurate https://www.youtube.com/watch?v=Erp8IAUouus
Question for the crowd: what are the current best practices for people whose data has been breached?
I was just notified that I was included in a major breach (not this one) that included significant amounts of my personal information. I'm just going to go ahead and assume I'm included in this one as well.
What should I be doing, if anything? It's frustrating that my data gets leaked from companies I've never even heard of nor done any sort of direct business with, and the most I get from them is "oops!"
The author mentions a tweet in the writeup:
My view of opt-out companies is that they're pretty scummy and that I'm basically increasing my attack surface by turning over personal information to yet ANOTHER company. Am I wrong? If they actually work then are they something I should look into paying for?
Also, while looking up info, I found this list of data breaches from the US Department of Health and Human Services. It looks like it's only healthcare related ones? Still, the amount of them is genuinely staggering. I had no idea it was this bad.
Freeze your credit if it isn't already. You'll need to go to each of the big three and request it. It is free. If needed, you can temporarily unfreeze it for a timed period.
Going forward, consider how this info could be linked to security questions with respect to password resets and account access. Also be vigilant for scams that can leverage this info to try and make themselves seem more legitimate.
I'm sure there's more but that's what I've got off the top of my head.
Security questions are accessory passwords which the managing entity has encouraged you to make insecure. Treat them as passwords: generate long, random values and store them in a password manager. (In particular, the value you enter for a security question should absolutely never be an answer to that question.)
Yes, my mother's maiden name is "99BppyiprbOXfk1Yoyhcnamjh0LDirw6", thank you very much for asking.
I've stopped doing this because on two occasions I've had phone support staff say something to the effect of "it looks like there's something wrong with your security questions so I'll skip them for this call". One of them even asked if I wanted to "fix" it right then.
So now what I do is generate fake and obscure but plausible answers to these questions. First pets name? Bojangleboy. Favorite teacher? Mrs. Tornicholson. Etc.
I mean if the support staff can change it right then and there, while it might be more secure to make more plausible sounding answers, it still seems like it's incredibly susceptible to social engineering. The plausible answers just might make it so that it's a little harder to social engineer a support staff, but that's just downright horrible training and security in place for those companies. If that's how they operate, then I don't know if there's anything you could do that would change a relatively skilled person in social engineering from duping them into giving them access to your account.
I guess if they're not offering to 'fix' it right then and there without doing anything more to verify your identity and they're just using it as an extra check to know you're the account holder, that in itself isn't the worst in the world and it does highlight that using randomized passwords of characters, symbols etc. is a little problematic but at that point just using randomly generated sequences of words that can be pronounced would alleviate that, even if they don't look like plausible or real answers. It would at least allow you to answer a question verbally more easily than the random characters and symbols. It would still require the staff to have proper training and not have the ability to just change answers without actually having followed proper procedures.
Perhaps a better approach would be to use a non-sensical but readable answer? Something like "Where was your father born? Betelgeuse" OR "What was your elementary school mascot? The Aasgard Aardvarks".
"Real" answers, that someone can read and pronounce, but that no one would guess as a factual answer.
Do you use unique answers for each different service? If not, isn't this basically the same risk if your data gets leaked somewhere?
Yeah a new one is made up on the spot every time and saved back into my password manager for that particular service.
I have been grabbing a phrase from a pdf on my computer or wikipedia page for my answers to security questions. It all goes into my keepass file.
I personally have frozen my credit reports so they can't be used maliciously, and I've also looked at the final dates for voter registration should I be unregistered from the voting pool.
Update, for anyone curious:
Using the Pentester site, I learned that I'm also included in this breach. It only had two of my previous addresses -- everywhere else I lived was missing. It, surprisingly, did not have my husband's information at all.
I made accounts in order to freeze my credit at Equifax, Experian, and TransUnion. After being burned before, I now use 1Password and Fastmail to generate masked email addresses for new accounts that forward to my main email address.
I'm thinking that Equifax and TransUnion didn't like this. Both of them let me go through the sign-up process but then told me that I needed to call customer support. Equifax didn't say why, but TransUnion told me that I'd failed the identity verification.
Experian let me sign up fully. They have an easy to use but hard to find credit freeze toggle on the site. Everything else on the site is an upsell to try to get you to sign up for a subscription service for credit monitoring/identity protection, and I had to browse around a bit before I actually found the freeze option buried in text under some other option they were trying to sell me.
I've currently been on hold with Equifax for 45 minutes. No telling when I'll actually get to speak to someone. I'm thinking their "currently experiencing unexpectedly high call volume" disclaimer might actually be true, as even their website is non-responsive. They might be getting slammed in the wake of this breach. I'm at the sunk-cost part of being on hold where I've been on this long enough that I don't want to walk away, but I don't want to waste my time by waiting even longer -- potentially over an hour.
The worst part is that once I do finally get through, I get to call TransUnion and do the same thing all over again.
I appreciate the tip from @Carrow and @whbboyd about security question answers. I had my password generator create random strings for me, so the high school I went to/the first street I lived on is something like "CULVERT runny smiles ARCHIPELAGO."
Additional update:
TransUnion's phone support opens an hour earlier than Equifax's.
So I called TransUnion first, right when they opened. They gave me the obligatory "unexpectedly high call volume" disclaimer that I assume is just an automatic part of any call service script now, but they also gave me the option to receive a callback instead of waiting on hold, which is a great convenience. I was entering my callback number when I was put through to an agent. He confirmed some information with me and then unlocked my account. Took less than five minutes.
I then called Equifax right when they opened. Same "high call volume" disclaimer, which, again, is hard to believe when your phone lines have been open for all of a minute. Their hold has no quality of life features: no offer for a callback, no notification of your place in line -- you simply listen to the same music loop and have an automated voice tell you that all their agents are busy at the moment. I spent an hour on hold yesterday before hanging up, but thankfully(?) this morning the hold was only ten minutes(!).
The Equifax rep didn't actually confirm any information with me (although the automated system before had asked me for a lot of my identifying information) -- he simply asked me if I used a VPN with the account. I normally do use a VPN, but I had turned it off before signing up yesterday because I figured it would probably flag me as fraudulent. I told him I didn't, and he said okay and then asked me to login, which I was able to do.
For both TransUnion and Equifax it seems like there was some automated block on my account that a human had to clear. I assume it's because I used an email address separate from my regular one, and their automated "is this person who they say they are?" check failed. I could be wrong though -- that's just supposition on my part. I also forgot to turn off uBlock Origin so maybe the lack of trackers pinged for them. Or it could be because I was signing on on Linux. Or it could be I was just unlucky? Or maybe it's because I was included in the recent breach so they had additional safeguards on people signing up with that information? I don't know.
Freezing credit:
With regards to freezing, both TransUnion and Equifax have simple dashboards that make finding the freeze option very easy. I can second @ebonGavia's experience with Experian though. They are quite scummy, with lots of dark patterns to try to get you to sign up for monetized services with them.
Here's how I currently can find the freeze option on Experian (there might be a better way but this is the best I can figure out at the moment, which says something about how bad it is):
No, keep my current membershipProtectionin the headerExperian credit filein the blue banner at the top of the pageExperian CreditLock is a separate service from security freeze.The direct URL for that is this, which at present does take me directly to the freeze page after I log in. However, they also have this freeze page that does NOT take you to the freeze after you log in and instead dumps you on your dashboard.
On the other hand, one point in favor of Experian is that they were the only site of the three that seems to have 2FA (but only through SMS). I could not find that option for Equifax or TransUnion.
Conclusion:
As annoying as this whole process was, I'm glad I went through it and would recommend other people do it even if your data hasn't yet been breached.
In theory, if your signups don't get flagged like mine did, signing up and freezing your credit with the three main bureaus should only take five to ten minutes tops, with everything done online and no phone calls needed.
I saw a comment elsewhere that said something like "yes, it's a bit of a pain but it's WAY less of a pain than having to deal with everything that happens after someone does steal your identity" which helped me put things in perspective.
Additionally, the information I needed to make my accounts was, well, exactly the same information that was leaked: name, social, phone number, current zip code, numbers on my current address. The furthest confirmation any of them went was TransUnion, which asked me to confirm a previous address, but that information was, of course, also included in the leak, so someone easily could have passed that. In theory, someone could have made all these accounts in my name using now publicly available information, and I would be effectively helpless.
As such, I feel like a big part of this wasn't just freezing my credit but actually claiming those accounts in the first place. I do hate having to do that with companies that take and make money off of my data for free (especially one with a significant breach history). I also hate that all of them that have a vested financial interest in selling me "security" for my own data that I didn't choose for them to have in the first place. Still, I'm glad I control the accounts rather than finding out someone else was doing it in my name. It does feel a bit like I'm shaking hands with a demon so I don't have to do it with the actual devil though.
I went to this link many years ago
https://www.usa.gov/credit-freeze
Obviously it still exists and it is mostly the same as I remember, links to credit freeze for each credit bureau, except back then they were direct links to the page and you didn't even have to make an account for them. They gave randomized numbers as your a pin code of sorts, or you could choose a pin code. It used to be that easy. I just checked each link now, Experian seems to be the worst as it takes you to what appears like a blog post. As you mentioned, you had a more direct link which works when logged in, but seemingly not otherwise, which tells me it's not just a government website where they don't update the links but rather Experian is just shady like that.
There was a story that came out a few years ago where all these credit bureaus seemingly changed their process to making accounts and some, or one of them at least, had left a backdoor in where someone like me who had previously frozen credit with just a pin could have had someone else bypass this by making an account. So I ended up going to each website and making an account.
I just double checked mine, and Transunion seems to do 2fa through email, because when I went to login they sent me an email with a 20 minute time sensitive 6 digit code.
But yeah, Equifax has no 2fa as you mentioned.
Experian's website is so fucking scammy and shitty. It's unbelievable.
My own experience is that Equifax is absolutely slammed, but TransUnion and Experian's websites let me get through setting up an account and freezing my credit easily this morning. I'll be trying Equifax's website again later, when it's hopefully eased up a bit.
I gave up on Equifax after an hour on hold. I then got hung up on in the middle of TransUnion's automated identity verification. I'm giving up on them for today and will call tomorrow when their support lines open.
Transunion's password reset system is down right now, which is fucking me up. Experian and Equifax I got in very quick to freeze.
EDIT: It's back up, was easy after that.
One thing to keep in mind with the HHS list of breaches is the specific definition of breach. Because of the definition and rules around HIPAA it can be surprisingly easy to trigger a breach through inadvertent disclosure that is unlikely to result in information being used maliciously. E.g., if a researcher at a covered entity sends an encrypted file of research data to a collaborator at a non-covered entity that inadvertently includes an identifier that should have been stripped out, it could qualify as a breach. In that case, the recipient would likely have a data use agreement in place, and would securely destroy the data they should not have received. It get's even more fraught when you have integrated EMR's with multiple data sources, where sometimes you pull data on a human subject, and it pulls from all sources instead of just the source you wanted, triggering a disclosure.
So not every breach means the data was publicly disclosed or taken by malicious parties, just that it was inadvertent.
With regard to the opt-out services, I use Incogni and Onerep, despite some of the criticisms they face. I find that Incogni targets behind-the-scenes brokers, such as employment data brokers, and Onerep targets more public people finder sites. I find that they work, though their necessity is annoying.
I know that every opt-out service comes packaged with discourse on whether it’s actually productive, but there’s a pretty substantive case to be wary of Onerep specifically, since its CEO is also the founder of several people search companies which expose personal information.
In terms of alternatives, the particularly privacy minded/paranoid tend to favor a DIY approach, which has the additional benefit of being free, though it is a MASSIVE time sink.
The “gold standard” for this approach is the Extreme Privacy opt-out workbook
though I’ve also seen shorter lists for the less paranoid such as here:
https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List?tab=readme-ov-file
Which also has a Consumer Reports on opt out services report on other opt out services if you didn’t want to go through that list yourself.
I remember when the news came out about the founder of One rep possibly running people search sites. I would suggest people read the CEOs response to form their own take on the situation.
Personally, I just don't want to spend the time manually opt-ing out of hundreds of portals. I've manually done it, and it isn't always as simple as that guide makes out. Many of the worst offenders at sharing your data make it difficult to opt out, or have broken or semi broken processes. The only information you need to provide the opt out services are permutations on your name, emails, and state (I think). It's less information than a paid Spotify account.
For what it's worth, searches on my name no longer shows any results other than my LinkedIn and I'm not getting could called at home or work from possible vendors, head hunters, etc, that I had been. And some of the removed profiles had comprehensive data on home and work contact information that wasn't publicly listed, but was being sold to marketers.
So for me they are worth it.
You can search the NPD leak for your info at Pentester.
If you're in there, and you're concerned, freeze your credit.
Edit: I see someone else already linked to Pentester but was wondering if they're legit... yep, solid reputation afaik. Also they don't ask for anything too sensitive in order to do the search.
Thank you so much for sharing this. I was able to search through all of it, and only found ONE person who was breached. So I feel better, but I might still freeze my credit to be safe.
Reminder: be sure to check for the proper/full name! Someone I know goes by a nickname that's really close to their proper name (to the point people think it IS their name), so I searched that first out of habit before realizing and checking again. (Think: Matt and Matthew, John and Jonathon, Julie and Julia, etc.) This should be obvious, but when you're used to the short form it can throw you off.
Funny, Pentester doesn't let you search APO.