A new lawsuit is claiming hackers have gained access to the personal information of “billions of individuals,” including their Social Security numbers, current and past addresses and the names of siblings and parents — personal data that could allow fraudsters to infiltrate financial accounts or take out loans in their names.

The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web by the “nationalpublicdata.com” breach. The lawsuit was earlier reported by Bloomberg Law.

The breach allegedly occurred around April 2024, with a hacker group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, according to the lawsuit. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported.

  • FiveMacs@lemmy.ca · 13 upvotes · 3 months ago

    What’s to stop someone from unfreezing your credit if they literally know everything about you and have all the info at their fingertips?

    • Jimmyeatsausage@lemmy.world · 24 upvotes · 3 months ago

      It’s like running away from a bear… you don’t have to outrun the bear, just the other people running from the bear. If someone wants your identity, they’re probably gonna get it if they’re determined enough. The way these hacks usually work, though, is you just buy a chunk of the data, maybe 10k records. Then, they use automated tools to try and open accounts under those ID records. If it fails, no biggie, they just move on to the next record.

    • Codex@lemmy.world · 17 upvotes · 3 months ago

      There’s no such thing as perfect security of course, but in this case it’s because having my phone number and address isn’t the same as having my phone. So short of a SIM clone or something like that, the MFA on those accounts still adds one layer of protection. There’s also “security” questions and, protip, the answer to what high school I went to is not which high school I went to. It’s just another, different pass phrase.

      I’m just not worth the trouble to beat all the extra layers of security when there’s millions of people whose money is far easier to get at.

      • foggy@lemmy.world · 5 upvotes · 3 months ago

        The pyramid of pain.

        Make it hair-pullingly difficult to find the good stuff.

        You want my name? Fine.

        My number? Here’s my Google Voice digits.

        My email? I’ve got dozens.

        My home address? I’m gonna need something from you.

    • otp@sh.itjust.works · 8 upvotes, 2 downvotes · 3 months ago

      They have to know to unfreeze. It’s an extra step, and unless you’re a particularly juicy target, it’s easier to move on to the next one.

      /guess

      • ramble81@lemm.ee · 7 upvotes · 3 months ago

        Unfreeze also generally requires a PIN or is tied to a login/accessible email. So not only would they need your info, they’d also need your credentials.

    • ShepherdPie@midwest.social · 3 upvotes · 3 months ago

      Does anybody know the process to unfreeze? I froze mine years and years ago but I don’t recall setting a PIN or even remember what it was if I did. It’s going to be a huge PITA next time I need a loan for something. I’ve nearly almost signed up for a new credit card before remembering that I froze all my accounts and abandoning the process because of the aforementioned PITA.

      • GoofSchmoofer@lemmy.world · 2 upvotes · 3 months ago

        They may have sent you an email with the PIN but if you weren’t paying close attention you could have missed it. If you save your emails it may be worth doing a search.

    • skuzz · 1 upvote · 3 months ago

      All the more reason to do it yourself, they all mostly require accounts with 2FA now. Until you set that up, a bad actor could. Once set up, they would have to compromise your second factor as well.