from Hacker News

Ask HN: SSN breached, what should I do now?

by whyage on 4/12/22, 3:57 PM with 26 comments

• by aerostable_slug on 4/12/22, 6:15 PM

  Be sure you use a credit freeze, not lock. Freezes are stronger protection, are regulated by Federal law, and the credit bureaus don't like them because you and your data cannot be as easily monetized. I'd call the latter point a sign that the freeze is working.

  It's more of a pain to thaw your credit than unlock it, but how often are you shopping for a loan? The slight inconvenience is worth it.

  t. used to work in that foul industry

• by starwind on 4/12/22, 8:15 PM

  You're 85 percent of the way there with 2FA and a credit freezes and the monitoring.

  The SSA lets you set up an online account. It's a good idea to do this before some tries to do it in your name—that scenario is probably unlikely unless you're close to retirement. You definitely want to get an IRS pin so no one tries to file for a tax refund before you do.

  Talk to your doctor's office about adding a note to your and your family's medical records that they have to call you before faxing your records to someone claiming to be a doctor bearing an official looking form.

  You can add fraud alerts to the 3 credit bureaus so creditors are supposed to call you before they issue credit in your name. Useful if someone tries to unlock your credit with your PII.

  You should add a freeze/fraud alert to your NCTUE report. They deal with utilities and cell carriers pull from them. There was a scam going on with Verizon for while where people would sign up for a contract, get 4 "free" unlocked phones and disappear.

  If you want, you can also add fraud alerts and freezes to your Innovis (a smaller credit rating agency) report, and your Chex system (basically a credit report for banking) report, and freeze your LexisNexus (background stuff mostly for insurance) and Work Number (salary info) reports.

  Many states allow you to suppress your public voting records like your address and phone number. That's where a lot of those data brokers first get your address.

  Your phone carrier probably lets you set up a pin to prevent sim swapping. And you might be able to opt-out of them selling some info to advertisers.

  If you find out your identity was stolen, you can file a police report, send that to the creditor saying to close the account, and include that with a letter to the credit rating agency to get it removed from your record. At that point you can probably get a new drivers license number.

• by FWKevents on 4/12/22, 4:54 PM

  I concur with others that this is the "new normal." My husband is a cybersecurity professional. He says that in the past few years, hacking for personal information has gotten to be such a "normalized" business that hackers now purchase "off the shelf" hacking software that even comes with customer service support tickets! So it's opened up new opportunities for those with no programming experience. You can see how out of control this could get, and quickly.

  What steps do my husband and I take, considering the risks that our personal information is probably already "out there", maybe dozens of times? The same as you - freezing credit at all 3 bureaus, using 2FA, using unique, hard-to-guess passwords that are updated on the regular, and being careful about what you send through gmail. I use mega.co.nz to store all personal documents, since that cloud service has encryption. So far, so good. My identity has not been stolen nor my bank or credit hacked.

• by txsoftwaredev on 4/12/22, 5:15 PM

  At this point I assume anyone that wants my SSN, etc. has easy access to it. I did some work for a govt. agency and they ended up having a breach that included all my personal details including fingerprints. I use a credit monitoring service (paid for by them) and keep an eye on it.

• by linsomniac on 4/12/22, 4:06 PM

  You can submit a request to the credit bureaus (TransUnion, Equifax, Experian) to "lock your credit" which will prevent many types of new credit accounts being created. This is probably a good idea to do unless you are actively applying for credit anyway.

• by gdfgjhs on 4/13/22, 3:08 PM

  In addition to credit freeze, contact IRS and let them know that your social security number has been stolen. They will give you a pin that you will need to use when you file your taxes.

  It happened to me, someone filed taxes with my name. Took almost a year before IRS fixed this and then they locked my account. So now every year, I need to use the pin.

  Also file police report/FBI report, I think you can do all this online. When my identity was stolen they told me to do this although they knew no action will be taken. The reason is if someone use your identity to commit a serious crime, you will have an official police report to proof.

  In end, it really sucks. You will need to keep paying for credit/identity monitoring services forever and occasionally take actions against events like some random credit card account opening up in some random state.

• by linsomniac on 4/12/22, 4:04 PM

  Check https://haveibeenpwned.com/ and put in your e-mail address, it may provide more details about where the leak was originated. A coworker got a "Your credentials found in the Dark Web" and HIBP showed more details.

• by gvb on 4/12/22, 4:01 PM

  1) Is the alert for real? From an reputable source and not spoofed? Not phishing?

  2) Welcome to the New Normal[tm]. Do what you are currently doing (2FA everywhere) and watch your financial statements for unauthorized charges.

• by polski-g on 4/13/22, 12:26 PM

  AllState sells identity theft insurance, something to consider. They basically pay for a lawyer to clean up the mess it causes