A new lawsuit is claiming hackers have gained access to the personal information of “billions of individuals,” including their Social Security numbers, current and past addresses and the names of siblings and parents — personal data that could allow fraudsters to infiltrate financial accounts or take out loans in their names.
The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web by the “nationalpublicdata.com” breach. The lawsuit was earlier reported by Bloomberg Law.
The breach allegedly occurred around April 2024, with a hacker group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, according to the lawsuit. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported.
What’s to stop someone from unfreezing your credit if they literally know everything about you and have all the info at their fingertips?
It’s like running away from a bear… you don’t have to outrun the bear, just the other people running from the bear. If someone wants your identity, they’re probably gonna get it if they’re determined enough. The way these hacks usually work, though, is you just buy a chunk of the data, maybe 10k records. Then, they use automated tools to try and open accounts under those ID records. If it fails, no biggie, they just move on to the next record.
There’s no such thing as perfect security of course, but in this case it’s because having my phone number and address isn’t the same as having my phone. So short of a SIM clone or something like that, the MFA on those accounts still adds one layer of protection. There’s also “security” questions and, protip, the answer to what high school I went to is not which high school I went to. It’s just another, different pass phrase.
I’m just not worth the trouble to beat all the extra layers of security when there’s millions of people whose money is far easier to get at.
The pyramid of pain.
Make it hair-pullingly difficult to find the good stuff.
You want my name? Fine.
My number? Here’s my Google Voice digits.
My email? I’ve got dozens.
My home address? I’m gonna need something from you.
The above leaked current and previous addresses tho
They have to know to unfreeze. It’s an extra step, and unless you’re a particularly juicy target, it’s easier to move onto the next one.
/guess
Unfreeze also generally requires a PIN or is tied to a login/accessible email. So not only would they need your info, they’d also need your credentials.
Defense in depth. More layers = more hurdles = deterrence.
All the more reason to do it yourself; they all mostly require accounts with 2FA now. Until you set that up, a bad actor could. Once set up, they would have to compromise your second factor as well.