Was your Social Security number leaked to the dark web? Here's what to do first (2024)

You've likely never heard ofNational Public Data, the company that makes its money by collecting and selling access to your personal data to credit card companies, employers, and private investigators. It now appears that thehacker group USDoD snatched about 2.9 billion of its records. Odds are that your records -- including, possibly, your Social Security number (SSN) -- are in those databases.

USDoD wanted to sell this data for the low price of $3.5 million. Ironically, before USDoD could profit from the theft, another threat actor, Fenice, swiped the data and released it on the dark web.

Also: The best VPN services: Expert tested and reviewed

How bad is it really? According to the security organization Vx-Underground, the stolen data includes

• First name
• Last name
• Address
• Address history (three decades' worth)
• Social Security number

Vx-Underground also found that "the database does not contain information from individuals who use data opt-out services." These are sites or services that allow you to say no to a company or group that wishes to keep your records.

That's good to know, but for many of you, it's probably a little late.

The leaked data, totaling 277GB, can be used for identity theft and fraud. Although the breach does not necessarily affect 2.7 billion unique individuals (due to multiple records per person), it still poses a significant risk. The information can be used to open fraudulent accounts, apply for loans, or even commit tax fraud.

What to do first

First, check to see whether your data is actually out there. The easiest place to start is with the Have I Been Pwned website. This should be your first resource to find out which breaches you and your data have been involved in and how extensively your data has been leaked. To use Have I Been Pwned, all you need to do is give the site your email address, and in less than a minute, you'll get the bad news.

That said, Have I Been Pwned won't tell you exactly what of your information has been leaked. It's a warning system, not a dark web data directory. So, even if, as is likely, your data is in there, it won't tell you if your SSN is in the data.

There's also no guarantee that your leaked data is actually correct. Take me, for example, I have an unusual last name and companies are always misspelling it. Troy Hunt, the person behind Have I Been Pwned, said in his report on the NPD breach that while his email was in there, "clearly, none of the other data is mine. Not my name, not my address, and the obfuscated numbers definitely aren't familiar to me."

Hunt also added, "There were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct." That doesn't mean a hacker couldn't draw a link from your email address to your SSN, but it does mean that someone can just look up email and find your SSN as easily as looking up your name and phone number in an old-fashioned telephone directory.

Also: Delete yourself from the internet with these online data removal services

Notice, I didn't say ifyour data has been leaked above. I can guarantee that your data has been leaked. With one data breach following hot on the heels of another for decades now, there's no question that some of your personal data is out there.

For example, I take security more seriously than many people do, and I'm better equipped than most of you to deal with security and privacy issues. Nevertheless, my data has been ripped off in no fewer than 34 data breaches, according to Have I Been Pwned.

Now, the vast majority of these breaches are relatively harmless. For example, my chess.com account's email address was revealed. I can live with that. But the USDoD data drop is another matter.

Next, you need to determine just how bad the news really is. Check your credit reports for any unauthorized activity (and do so regularly!). Report any suspicious transactions to the credit bureaus (Experian, Equifax, and TransUnion) and considerplacing a credit freezeto prevent new accounts from being opened in your name.

If you're concerned that your data's been being used against you, it's time to use an identity theft protection and credit monitoring service to protect yourself. ZDNET recommends Aura as the best overall such service.

Also: The best identity theft protection and credit monitoring services

It's not enough to have these services, though.

You should also stay vigilant against phishing attacks. Be cautious of emails, texts, or calls that attempt to solicit personal information. Scammers will use your leaked data to craft convincing phishing attacks. For example, I recently got an email purporting to be from my bank, which included my address, warning that my account had been hacked and that I needed to change my password from the included link Right Now.

Also:Stop paying for third-party antivirus software. Here's why

Anytime you get a message like that, whether it's warning you of something dreadful or promising you something that sounds too good to be true, don't trust it. Never click on links from such emails or text messages.

What to do if you've clicked on a phishing link

If you've clicked on a phishing link, don't panic. Do, however, take these steps immediately:

1. Disconnect from the internet and your local network immediately. This prevents any potential malware from spreading or communicating with malicious servers.

2. Back up important data to an external hard drive or a USB stick. This safeguards your information in case of data loss or corruption.

3. Run a thorough antivirus check. Don't have one on your device? Then, you should download an antivirus program to another computer, transfer its installation program to a USB stick, and install it on your affected machine.

4. Change passwords for all your online accounts, especially important ones such as banking and credit card accounts. Use strong, unique passwords for each account, and consider using a password manager.

5. Enable multi-factor authentication. Activate multi-factor authentication (MFA) on your accounts whenever possible. This adds an extra layer of security.

6. Watch your important online accounts. If you see any suspicious activity, contact the company as soon as possible.

Also: How to freeze your credit (and why you might want to)

What to do if your SSN is compromised

Let's suppose, however, you have reason to believe that your SSN has ended up in the hands of crooks. In this worst possible scenario, you should take the following steps:

1. File a report with the Federal Trade Commission (FTC) at IdentityTheft.gov. This website will guide you through the process and provide a personalized recovery plan.
2. File a police report with your local law enforcement agency. While they may not be able to investigate immediately, having a police report can serve as important documentation.
3. Check your credit reports for any unauthorized accounts or activity]. You can get free weekly credit reports from AnnualCreditReport.com.
4. Place a credit freeze on your credit reports with all three major credit bureaus (Equifax, Experian, and TransUnion). This prevents new accounts from being opened in your name. You can also place a fraud alert on your credit reports, which requires businesses to verify your identity before issuing credit in your name.
5. Review your Social Security Statement for any suspicious activity, such as unreported income.

Next, contact the Internal Revenue Service (IRS) to prevent potential tax-related fraud. Here's what to do:

1. Contact the IRS: You can reach the IRS Identity Protection Specialized Unit by calling 1-800-908-4490. This line is dedicated to assisting individuals who believe they are victims of identity theft involving their tax accounts.
2. Submit an Identity Theft Affidavit: Complete IRS Form 14039, the form used to report suspected identity theft to the IRS. You can submit it online via IdentityTheft.gov, which will forward it to the IRS, or you can download the form from the IRS website and mail it along with your tax return to the address specified on the form.
3. Respond to IRS Notices: If you receive a notice from the IRS indicating that your SSN has been used fraudulently, follow the instructions provided in the notice. Typically, such notices come by snail mail. You may then be required to submit a Form 14039 or other documentation to verify your identity and resolve the issue.

This can be a long, tedious process. But, if you don't check and -- if necessary -- protect your accounts, your identity can be stolen. Recovering from identity theft is much more painful than preventing it.

Afterward, stay vigilant and continue monitoring your accounts and credit reports regularly. If you notice any suspicious activity, report it immediately to the relevant authorities and financial institutions. This is not a threat you can deal with once and then ignore. It's one that will continue for the rest of your life.

Yes, I hate that too.