Hackers probably stole your Social Security number

2024/8/27
Today, Explained

Adam Clark Estes, Vox's senior tech correspondent, discusses a massive data breach affecting millions of Americans. The breach originated from a company called National Public Data, run by a former sheriff's deputy with a questionable security approach. The stolen data, including social security numbers, was reportedly offered for sale online but ultimately released publicly.
  • A data breach compromised the social security numbers of millions of Americans.
  • The company responsible, National Public Data, had weak security practices.
  • The stolen data was offered for sale and later released for free online.

Transcript

Recently, Vox's senior tech correspondent, Adam Clark Estes, got some bad news from his telephone. I got an alert from my bank, which is Chase, and the message said, your social security number has allegedly been compromised. Allegedly was a word that I really held on to, as hope that maybe it wasn't true, but then...

I found out there was a lawsuit about a huge data breach. It comes from what may be the worst data breach ever, one reportedly that's resulted in the theft of the social security numbers of every American. A couple weeks ago it was confirmed me and a few hundred million other Americans got their social security numbers stolen.

But Adam didn't just panic. He took action. He protected his information. And on Today Explained, he's going to teach you how to do the same. And he's going to argue, believe it or not, that this massive data breach is actually a good thing.

Today, Explained. Sean Rameswaram. I've gotten spammy messages warning me that my information has been stolen. You've gotten them too. Adam Clark Estes recently got one that was real.

It's true. We're always getting notified that our data is out there, that we're using a compromised password. And there are so many of these alerts, we kind of stop paying attention to it. Data breaches happen all the time. I've been covering this space for over a decade, and I write about a big data breach maybe once a year. So my first thought was like, okay, this is another one of those. Every once in a while, they are a big deal. You might remember Equifax, the major credit bureau was...

compromised a few years ago and that led to everybody's information getting out there. Financial and cyber experts warn the Equifax hack has the potential to haunt Americans for decades. But most of the time it's kind of small time stuff. Your email might get leaked, some personal information, maybe your address.

And that might lead to spammers spamming you more because they have your info. Your passwords might get out. And that might mean that, you know, somebody in the Philippines has your Netflix login and is watching movies. That happened to me once. Really? It did, yeah. What did they watch? House of Cards. It was. It's still a popular show.

Okay, but this wasn't an email or a notification about your Netflix password. This was about your social security number. How did your social security number and that of hundreds of millions of other people get compromised?

The short answer is we don't know and we might never know. But for the long answer, I want to zoom out a second and talk about the data brokerage industry. There's a whole industry that buys and sells your data. Sometimes this is data that you've voluntarily given up, sometimes it's data that's been stolen. You can kind of think of it as like a market where instead of produce, they're trading your information and sometimes social security number.

But in any case, there's lots of data about us floating around all the time. And pretty much anyone can get that data if they have money. Sometimes it's being sold out in the open in legit spaces. Sometimes it's in the dark web. And sometimes it's for nefarious purposes like spamming you or...

scamming you. And sometimes it's legitimate purposes. Like if you have a business and you want to sell people background checks, you would need data for that. So what happened in this case? Do we know? We don't know exactly what happened, but I can tell you what we do know. And this is based on what some security researchers have figured out and some details from that lawsuit. So the breach happened

due to a company called National Public Data getting hacked. And what we know about National Public Data, it's a small company that sells background checks, and it's run by a former sheriff's deputy, actor, and reality TV star named Salvatore Verini.

Hey, what's up Sal? What's going on Big Mike? Nothing much man, what are you up to? Nothing, what are you doing? Hey man, I gotta tell you something. I got a video. I got 100% proof the Earth is flat. You gotta take a look at this. Sal! Sal! Mike is what they call a flat earther. And, well, they think that the Earth is actually flat. It doesn't seem like it's a very sophisticated operation. They happen to get a lot of data

and they weren't protecting it very well. We know now that the password to break into their database was actually hidden in plain text in another website that was also owned by Sal. So somebody broke in, stole all the data,

We first found out about this hack earlier this year when, on hacker forums, a known cybercriminal called USDOD started talking about a huge database of social security numbers. USDOD is a hilarious name for a hacker. USDOD claimed they stole 2.9 billion records of personal data and were trying to sell them for $3.5 million. But this hacker, they...

They couldn't sell it. And eventually somebody got a hold of it and just posted it in a forum. And it's been floating around. But earlier this month, that lawsuit I mentioned was filed. And then National Public Data, I think it was probably Sal himself, admitted they'd been hacked. In a statement on their website, NPD acknowledges the breach and says...

We cooperated with law enforcement and governmental investigators and have implemented additional security measures. This just sounds like, I don't know, like a Sopranos subplot. Some guy named Sal, I'm assuming he's in New Jersey somewhere, somehow compromises 270 million American social security numbers. You're supposed to push with best sticks. With best sticks is our pick of the week. This is like supposed to be your most profitable

prized personal information. How is this happening? I know you just told us, but how is it not more secure? Well, Sal's in Florida. First of all, you're right to be kind of upset or surprised by this. But first of all, social security numbers are not a super...

secure thing. It's literally nine digits. It's a number that you know and you're not supposed to tell other people about unless the right person asks you, and then you have to trust that they're not going to tell anybody else about it. You know, if you put it in a website, they put the little asterisk over it when you put in the number. That's how you know it's secure. I got a question for you real quick, Adam. What's your social security number? Uh,

I almost did it. I almost told you. This is the number that we use to prove our identity, and it's not a great system, but it's the system we've got.

And sometimes you type it into a legitimate bank website and they protect that data. And sometimes you type it into something that looks like your bank's website. But in fact, you clicked on a link in a text message or email and you got phished. And now your social security number is in the hands of hackers and probably being bought and sold on the dark web. And how big a deal is it if your social security number is being bought and sold by hackers on the dark web?

How big a deal is this hack? There are two questions there. One is how big of a deal is it if your social security number is out there? Two, how big of a deal is this hack? If your social security number is in the hands of a hacker, it can be a big deal. They can use that to steal your identity, and that can be a real pain. In terms of how big of a deal it is, it's huge. I mean, in terms of scale, we're talking about

Not just hundreds of millions of people, but nearly 3 billion records were in this database that was stolen. That doesn't mean 3 billion people were impacted. That would be almost half the world's population. But we do know that 272 million American social security numbers are in there, at least. But I asked this question to a lot of data security experts, and what they told me was really interesting. They said it's bad and it's big, but...

A lot of this info was already out there. They said a lot of these social security numbers actually belong to people that are deceased. Oh. One security researcher I talked to actually found himself in the breach and basically said that all of the information about him was either incorrect or outdated. Nevertheless, it's a lot of information. It's out there and it's not going anywhere.

The implication here is that this isn't the first time. It won't be the last time. Why does this keep happening, Adam? Data breaches keep happening for a lot of converging reasons. First of all, hackers are good at hacking. They keep getting better. As much as we try to protect our information in different ways, they figure it out and they hack. It's what they do. There's also a ton of data about us floating around online. And there aren't really rules for companies who...

are trading this data, there aren't rules for them to protect it. There aren't privacy rules for consumers. And the data industry is largely unregulated. Why is that? I mean, you know, as recently as a few minutes ago, I asked you for your social security number. And of course, it's a crazy thing to ask someone. And yet online, it's just like this free for all. Why aren't we doing a better job of protecting this information?

The internet has historically been lightly regulated or completely unregulated in some spaces. The thinking here is that we have this powerful new communications technology, so if we regulate it, we might limit its potential, namely its business potential. Written before Facebook or Google were invented, Section 230 says in just 26 words...

that internet platforms are not liable for what their users post. But in the past couple of decades, there's been an increasingly loud chorus of people that say we need better data privacy laws. You might remember around 2010, Mark Zuckerberg started talking about how it was the

end of privacy online, how it was no longer a social norm. People have really gotten comfortable not only sharing more information and different kinds, but more openly with more people. And that social norm is just something that's evolved over time. He got roasted for that at the time, but in some ways he was right. We've been losing privacy online as

we've been using the internet more and more because there's been nothing to keep companies from gathering data about us and using that in various ways or selling it. There have been a lot of attempts at a comprehensive consumer privacy legislation. We've identified some basic principles to both protect personal privacy and ensure that industry can keep innovating.

Some states like California have their own laws. Europe has historically been better at protecting its citizens' privacy. But in the US, these bills come up and they never seem to make it to law. So right now we don't actually have a national right to data privacy.

Okay, so in the meantime, your information may be out there and it may stay out there or it may one day soon get out there. It all sounds kind of rough for our information. But you wrote an article for our homepage, Vox.com, called The Massive Social Security Number Breach is Actually a Good Thing, which is a very provocative headline.

How is this a good thing and for whom? Well, the fact that I got an alert from my bank and ignored it, but then went back and said, oh, no, I've got to do something about this is good. If only because I'm not the only person who had that reaction. I've been hearing from my friends. I think that I've been hacked. What do I do? And there is something to do. And I think a lot of people are going to do it. OK, what you have to do with Adam when we're back on Today Explained.

Today Explained is back with Adam Clark Estes from Vox.com. And Adam, you wrote this thing that said that this whole social security number breach was actually a good thing. You had friends texting you, calling you, asking what to do. And you actually had an answer for them. What is it? Freeze your credit files. What killed the dinosaurs? The Ice Age!

There are three major credit bureaus, Equifax, Experian, and TransUnion. You can go to their websites and you can freeze your credit files, and that is going to stop other people from opening accounts in your name. What does that even mean? I mean, I've heard that before. I've certainly never done it. But what exactly does that entail, freezing your credit files? Does that mean if I want to, like, I don't know, apply for a car loan, I can't do it anymore? So basically...

What those three major credit bureaus do is they track everything about your financial life, who you have accounts with, how much you owe to whomever. They're the ones that issue credit reports. And if you want to get a car loan,

The bank or whoever you're getting that loan from will want to see your credit report to prove that you are who you are and you're a good person to give a loan to. But when you freeze your credit files with those bureaus, they basically won't let anybody else get access to that report. So that means you can't get a new car loan.

It also means the hacker can't come and steal your identity. It does not mean that it will be that way forever. You can unfreeze those files, but if you don't need a car loan, you can go ahead and freeze the file and protect yourself. But what if you do need a car loan?

You can unfreeze your credit file. So depending on the credit bureau that you're freezing and unfreezing with, and you should do all three, it can take 24 hours or up to 72 hours to unfreeze the file. But it's very easy, like the flip of a switch, to unfreeze it once it's frozen. Okay, fair enough. Is this something that you did when you found out that your social security number had been compromised earlier this month?

I did. I froze my credit files with all three of the major bureaus, and I was worried that that was going to be hard and time consuming. It really wasn't. It used to be, and you might think that it is hard. I froze my credit files a few years ago and then got really tripped up trying to unfreeze them because they gave me like a pin that I had to write down and quickly lost.

And I eventually got them unfrozen. But these days, you just basically set up an account with the credit bureau, log in, freeze it, unfreeze it. You're done. It's really easy. How long did it take? How easy was it? It took me less than 10 minutes with all three bureaus. And some of them I had to set up new accounts. So if you already have accounts, it's a couple minutes. Okay. Okay.

Does it cost money? It is free. It's free! It's free by law. It's free. They also have to give you a credit report once a week if you ask for it. But after that 2017 Equifax breach, some laws changed and now it's free and easy. Huh.

So there are laws to protect your social security number, but there are laws that demand that this process of freezing your credit is free. It's progress. Okay. Well, you know, I know this isn't your job to, like, help your colleagues protect their social security numbers, but can I ask, since we're talking about this, that you just tell me how to do it and I'll do it right now while we're in this interview? Because my social security number must just be out there, unfrozen, just

baking in the hot sun. Hey, freeze. The heat is on. Yeah, let's do TransUnion. And instead of asking you to Google it, which is like what you tell a friend, let's just go to TransUnion.com and then I'll walk through it with you. Oh, I already Googled it, but I'm still there. We ended up in the same place. Okay. I'm at TransUnion.com. There's a nice lady smiling at me. She looks very happy. Her credit's probably safe. At the very top, Adam, I don't know if you're aware, it says impacted by a recent data breach. This is our what to do after a data breach. What do I do?

Click on member login. Member login. Got it. Very clear. Okay, login. Do I have a login? I would, if you're not sure, go ahead and click create account.

First name, John. Middle name, secret. Last name, Romsfrum. Address. Have you lived here for more than six months? Indeed I have. Email. Noelle at king.com. Mobile number, easy peasy. Date of birth, March. Oh, and they want a... Adam, they want the last four of my socials. Should I trust them with it? I think you can trust them with it. I would say double check the website if it's the website you want to be on. If you are, it's transunion.com. Okay, please send me helpful tips and news about my service including stuff offered at TransUnion Trust Farm. Hell no. Okay.

Uh, create a password. Miles, Brian, one, two, three. Oh, they do not like the strength of that password. Wow, they really want a serious password. 12 to 64 characters. 64 characters? Yes, 64 characters. Sounds like an Ocean's Eleven movie, you know what I mean? That's awful. That is awful. Um, okay, I don't know, man. This is like a much more, I mean, uh... We can jump to the part of the episode where I talk about password managers. Isn't that placing a lot of trust in these services? Gotta trust somebody. Ugh. Ugh.

I'm not so sure. Oh, credit freeze. There's a little snowflake. Yes, that's me. A little snowflake. Your report does not have a credit freeze in place. It says it's available. And then there's a huge button that says add freeze. That's the button to click. Doing it.

Okay, it says, once your credit freeze is in place, you may leave the freeze in place to ensure your credit report is not accessible for new credit applications. You may also choose to remove the credit report. Okay, I'm going to continue. Thank you for your request. A freeze is now in place. Oh my God, I got so excited. I'm not going to drink my water. A freeze is now in place on your TransUnion credit report. It will stay in place until you request its removal. You have now prevented others from viewing your TransUnion credit report. Help prevent identity thieves from getting credit in your name. Did we do it? We did it. It wasn't that easy. You know, it wasn't hard.

It wasn't hard. Was it annoying? Mildly, but what? You're saying that, you know, there's a payoff. Yeah, well, do you know what's more annoying than doing that? I can guess. It's getting your identity stolen. But wait, I have to do this three times now? Like, I've done it once, I have to do it two more times with what? Experian and Equifax? Yes. How much do you want to sit here while I do those two? I don't mind. Okay.

That's sweet of you. I bet our producer does mind. He just wrote to me, I mind. Okay. What if you have kids? Do kids even have credit? Is this just like a 18 plus thing?

Kids have identities, which is the big thing here. When your child is born in the United States, they're given a social security card and number on it, and they have an identity. If you have a young child, they probably don't have a credit file yet, but you can actually contact the credit bureaus, get them to create a file, and then freeze it for you to protect their identities. And experts tell me you should do this.

So if you've got like four kids, you do have like an afternoon's worth of work ahead of you here. Maybe not an afternoon. It's a little bit different than freezing your own credit file. There's a form involved that you actually have to mail in. But it's worth doing because actually...

Child identity theft is rising more quickly than adult identity theft. And you might not even know your child's identity has been stolen until they're 16 or 18 and get their driver's license or apply for a student loan. And if they find out at that point in time, their identity has been stolen and they have

multiple credit cards that are maxed out and a mortgage on four houses in Florida, probably, it's going to be a huge headache. So it's worth taking the small step now to avoid that headache in the future. To get back to the title of your recently published piece at Vox, the massive social security number breach is actually a good thing. Is it a good thing because it will

encourage people to do what I just did to freeze their credit. Is that the argument you're making? The argument I'm making is that it's a good thing because we're talking about this right now. It's a good thing that my friends were asking me about how to freeze their credit files. And it's a good thing that a lot more people are going to do it. It is the first line of defense between you and identity thieves. And like one security expert told me,

If you haven't had your identity stolen yet, it's not because you're special. It's just because they haven't gotten to you yet. The information about you is out there and it's only a matter of time. I think that worldview is a little bit paranoid, but I think that he has a point. Think about it this way. In your home, you have things that are valuable to you. And if other people got those things, it would be upsetting. But we have...

security measures in place, you have a lock on your front door, but if someone breaks that lock and comes into your house, you can call the police and they will come and help you because those systems are in place. Well, the internet doesn't quite work like that. You have a lot of valuable information that's out there and people are stealing it and buying and selling it all the time and there's not really an internet police that's coming after them. Of course, there are cybercrime divisions of the actual police,

But the scale of this problem is so big, it's literally every person in the United States and every person in the world that's online could be a victim of cybercrime. And if there were the right amount of protections and regulations in place, we wouldn't have data breaches where hundreds of millions of American social security numbers are compromised.

Adam Clark Estes, you know where to find him because I said it several times. I also said Miles Bryan produced the show today, but I didn't say that Matthew Collette edited our program today and that Laura Bullard fact-checked it and that Patrick Boyd and Andrea Kristinsdottir mixed it, but I did say this is Today Explained.