
Comment by datadrivenangel

9 months ago

"there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct."

Seems like Troy is skeptical about this being a real full breach?

A lot of these data brokers hold wildly inaccurate information.

  • You too can be a data broker!

        for (i = 0; i < 900000000; i++)
            insert(first: random_firstname(), last: random_lastname(), ssn: i);
    

    Does anyone really really care if the name is accurate if the SSN is present? More than half of the SSNs in the above dataset are valid.

  • Yes, but they can also be pretty accurate.

    While I have never dealt with one of the paid services, someone ran one on me as an example of what is out there (nothing malicious about it) and just about everything on it was accurate or close to it. Only one thing on it wasn't at least pretty close to the truth--it had me living in a state I've never set foot in. And quite a few other people seemed to have the same address at one point or another.

I'm in the UK so I have no Social Security Number, and I still got the HIBP e-mail.

When I looked into it, it turns out the "original" breach is comprised of files named ssn.txt and ssn2.txt, which only contain Americans' details and don't contain any e-mail addresses.

It seems what happened is there was one leak of US SSNs which the leakers attributed to NPD, then some people bundled that leak up with a bunch of other data (including e-mail addresses and details of non-Americans) and who knows if the latter data actually came from NPD?

>the data next to your record may not even be correct.

American Express by way of Experian alerted me to my SSN having been leaked precisely by this incident.

The number was seemingly correct, but everything else associated with it, such as name and address, was nonsense.

So assuming we're talking about the same thing... can confirm?

I don't think it's a "full" breach because I assume that would include many tera/petabytes of original source documents rather than just a CSV of PII, but it's definitely a real breach.

I looked up several family members and although most of the phone numbers and addresses were out of date, they were accurate, as were the listed social security numbers. However, it didn't include any of the more recent immigrants in the family or myself, possibly because I take opsec seriously.

Funny enough it looks like it has data for Tom Brady, former FBI director James Comey, Barack Obama, and Donald Trump (just some of the names that popped into my mind to look up).