• MIDItheKID@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    3 months ago

    Is there a simple way to find out if your Information was in this leak, and what information it is? I use haveibeenpwned for leaks linked to my email address, but from I read in this article, it’s not linked to my email address.

    So how do I found out if my data was leaked without paying for a credit monitoring service?

  • A_A@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    2
    ·
    3 months ago

    the U.S. and other countries “around the world”

    meaning, for those of us living on other planets, we are completely safe … such a relief ! /s

    • IllNess@infosec.pub
      link
      fedilink
      English
      arrow-up
      3
      ·
      3 months ago

      It’s best to say around the world just so who ever is reading it doesn’t think it region specific.

      For example, they could say “the U.S. and other countries in the western hemisphere.”

      • A_A@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        3 months ago

        How do you like : “worldwide (including self centered U.S.A.)” 🤣 ?

        • IllNess@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          The other way works better since National Public Data is based in Florida and because of the name of the company. If it said “International” instead of “National” the readers would assume it is international data.

          Based on the location, name of the company, and the breach mentioning social security numbers, stating the US first is the most logical.

  • ClanOfTheOcho@lemmy.world
    link
    fedilink
    English
    arrow-up
    38
    arrow-down
    14
    ·
    3 months ago

    It sounds like a bad breach, and I’m not arguing against that. I just want to point out my doubts that there were ever 2.9 billion Americans since the founding of the nation, let alone since social security numbers became a thing. Maybe if I bothered to read the article, it would make more sense.

    • my_hat_stinks@programming.dev
      link
      fedilink
      English
      arrow-up
      31
      ·
      3 months ago

      Okay, but I’m not sure how revelant that is. The article doesn’t say only Americans were affected, it says the exact opposite.

      […] this data likely comes from both the U.S. and other countries around the world.

      • ClanOfTheOcho@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        10
        ·
        3 months ago

        Like I said, I didn’t read the article, but only Americans would have social security numbers.

        • my_hat_stinks@programming.dev
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          3 months ago

          Social security numbers being involved in a breach does not mean that the breach only affects Americans. Some records might not have an equivalent ID number associated with them at all, and some records could have similar ID numbers from other countries. They also list current address as part of the data leaked but the fact many people don’t have a current address didn’t seem to cause you any confusion. The original source lists “information about relatives”, if that was in this title would you have assumed only people with living relatives were included?

          “I didn’t read the article” is a poor excuse when you’re commenting on the believability of the article. What happened here is you saw an article, immediately assumed it was about the US, realised that doesn’t make any sense, then dismissed the article without even bothering to check because the title doesn’t fit the US exclusively. It’s crazy to me that you wouldn’t even consider the fact it’s not an exclusively US-based leak.

          • ClanOfTheOcho@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            6
            ·
            3 months ago

            I mentioned the not reading the article so people would not waste their time citing facts from the article that may explain the headline that suggested billions social security numbers were leaked. I made no assumptions about missing addresses, as the headline didn’t mention anything about missing addresses. I even mentioned that the event the article discussed was probably pretty bad – definitely not a negative against the article’s believability. I’m only guilty of judging a book by its cover, and in an existence of limited time, nobody has time to do any more than that except for limited exceptions. I did not choose to make this article an exception. The headline was mathematically deceptive, and my comment was about that. Nothing more.

            If you see an article highlighting a breach of social security numbers and don’t assume it’s about the U.S., that’s crazy to me.

    • Captain Aggravated@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      10
      ·
      3 months ago

      There’s something like 330 million Americans currently alive, give or take. Social Security began in 1935, so that’s 89 years ago. For the sake of making the math easy for a dumb Lemmy comment, let’s figure the population at the time was two thirds of what it is today at 220 million, and we can figure that within the margin of error virtually all of them are dead. Yes there are some Americans between the ages of 90 and 111 but they likely didn’t have social security numbers as children; the practice of assigning a SSN at birth happened later when they tied it to a tax credit for having kids; at first you got a SSN when you got your first job so anyone who was under the age of 15 or so in 1935 wouldn’t have been given one.

      So let’s figure 220 million Americans who have since died, and 330 Americans who are still alive, have held social security numbers. That’s 550 million SSNs total. Rough back of the napkin math.

      • mctoasterson@reddthat.com
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 months ago

        The SSN itself is limited to under 1 billion possible permutations anyway because the format is 9 total digits. (3 digits hyphen 2 digits hyphen 4 digits.)

        And if I recall they also have something weird with the state you were born roughly corresponding to which 3 digit prefix you’re issued. Obviously that isn’t purely true either because that would only give you about 1 million unique numbers per prefix.

        Either way they’ve gotta be close to the theoretical maximum of the format without recycling numbers.

    • jabathekek@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      3 months ago

      Lol, yeah “National Public Data” has records of over 3 billion people going back 30 years and these people live all over the world, so it seems.

  • Spotlight7573@lemmy.world
    link
    fedilink
    English
    arrow-up
    108
    ·
    3 months ago

    With a breach of this size, I think we’re officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.

        • Nurgus@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 months ago

          Indian accent: Hello, this is Microsoft support. Your private key is being hacked and you need to give it to us immediately for safe keeping.

          WCGW?

      • ag10n@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        3
        ·
        edit-2
        3 months ago

        Tying a password to a browser or device isn’t going to make it any easier. Use a password manager and set unique string passwords for everything. If the app supports it, use FIDO physical keys instead of Passkeys

        • QuarterSwede@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          3 months ago

          … passkeys basically do all this without you having to know how. Your device /is/ the physical key and /you/ are the secondary auth. It honestly doesn’t get any easier for the user.

          • ag10n@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            What options are there for migrating passkeys to a new device? Easy to lock you into that iPhone and you must use their migration tool when you upgrade. Or I just carry it on my keychain, no vendor lock in.

            • QuarterSwede@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              3 months ago

              3rd party password managers are already adding passkey support. Passkeys isn’t an Apple only security technology. FIDO has its place but passkeys is the future for most people like it or not.

              • ag10n@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                3 months ago

                Do I need a subscription service for this passkey supported password manager? Or I can just buy a hardware key that can be used on my phone or any device, password manager supported or not. Seems like the freedom and portability of a physical key, like a key to your home or car makes a ton of sense.

                Passkeys are based on and supported by the FIDO alliance.

                https://fidoalliance.org/passkeys/

                • QuarterSwede@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  3 months ago

                  You don’t need a subscription as you well know since you know what they’re based on. And I meant FIDO physical keys as you were alluding to. Why would I ever want another device to use with a device that already has biometric auth? That last a barrier of entry that’s too high for most people.

        • 1984@lemmy.today
          link
          fedilink
          English
          arrow-up
          8
          ·
          3 months ago

          Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.

          Maybe that’s what passkeys are… Haven’t read up on them at all.

          • Passerby6497@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            I really wish SQRL had taken off. It’s a lot like pass keys, but it used a central certificate to mint per-site certificates (along with per user per site certs if memory serves) and had proper methods of rolling it in and rotating the keys assigned to your account.

          • Spotlight7573@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            3 months ago

            Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it’s you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There’s some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it’s like certificates but easier.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      29
      ·
      3 months ago

      We have different authentication methods. The hard bit is persuading people to use them.

      • Spotlight7573@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        Before people can be persuaded to use them, we have to persuade or force the companies and sites to support them.

    • Uli@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      3 months ago

      Pirate keys for sure. Not using one is just asking for a stranger to grab your booty.

  • Fredselfish@lemmy.world
    link
    fedilink
    English
    arrow-up
    123
    arrow-down
    2
    ·
    3 months ago

    Oh well I feel at this point every man woman and child already had this done to them in United States and our government not doing shit about it.

  • AWittyUsername@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    3 months ago

    Is this why I got the latest scam email saying I need to pay $4k in bitcoin else a video of me wanking would be leaked.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    40
    arrow-down
    1
    ·
    3 months ago

    There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.

    • catloaf@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Do TINs overlap with SSNs? Because businesses and non-citizen taxpayers have TINs instead of SSNs, but they’re used just the same.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        This I don’t know. I remember reading that around 70%(?) of SSNs have been allocated, and there are enough left for a few decades. No idea whether corporation TINs come from that. I believe non-citizen taxpayers get similar SSNs to citizens. IDK if they pay into social security and collect benefits the same way.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      3 months ago

      And not all 9-digit numbers are used, so there are fewer than a billion. It sucks when organizations store them because the search space is so small it’s relatively easy to unhash them in a stolen database.

      • prime_number_314159@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 months ago

        A lot of businesses use the last 4 digits separately for some purposes, which means that even if it’s salted, you are only getting 110,000 total options, which is trivial to run through.

    • JohnEdwa@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      edit-2
      3 months ago

      9 digit social security number specifically might be, but a unique number tied to you that is often used as identification when it really shouldn’t isn’t, it’s a shitshow that has been implemented in many countries around the world.
      The Finnish version was called an SSN originally for example, though now its a “henkilötunnus”, personal identity code.

      https://en.wikipedia.org/wiki/National_identification_number

  • Treczoks@lemmy.world
    link
    fedilink
    English
    arrow-up
    59
    ·
    3 months ago

    And again they will fail to punish the company responsible for protecting this data for their criminal neglience.

  • CallateCoyote@lemmy.world
    link
    fedilink
    English
    arrow-up
    42
    ·
    3 months ago

    Dang, that’s quite a few people. Maybe we can stop linking our identity to a simple number in the US sometime? That would be swell.

  • xthexder@l.sw0.com
    link
    fedilink
    English
    arrow-up
    38
    arrow-down
    1
    ·
    3 months ago

    How did this company leak 2.9 billion people’s info, including SSNs, when the population of the US is only ~350M?

    Is “National Public Data” collecting info on everyone internationally? So many questions…

    • HubertManne@moist.catsweat.com
      link
      fedilink
      arrow-up
      14
      ·
      3 months ago

      I just assume ssn is for a us audience and its worlwide with equivalent numbers but who knows. I mean there are only 8 bil on the planet so thats like everyone except maybe china, india, and africa

    • CluelessLemmyng@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      3 months ago

      When applying to a US government position with a certain security clearance, they will do background checks of you, your family and extended family, if need be.

      And I’m sure that can be the case for any employer who needs background checks. That being said, I also suspect some of these people in the database are dead.