this post was submitted on 07 Aug 2024
516 points (98.5% liked)

Technology

[–] [email protected] 183 points 3 months ago (2 children)

A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.

What's with these companies nobody has heard of causing massive fuck ups?

[–] db2 93 points 3 months ago (1 children)

It's capitalism. Do you hate America or something?

[–] Telodzrum 72 points 3 months ago (1 children)

Because companies you've never heard of are the ones doing the infrastructure and data warehousing for the public-facing companies you have heard of.

[–] [email protected] 30 points 3 months ago

Seems like a good way to have an infosec weak spot...oh...

[–] [email protected] 176 points 3 months ago (3 children)

The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It's worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.

What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.

What exactly makes this company so different from the hacking group that breached them? Why should they be treated differently?

[–] [email protected] 30 points 3 months ago (2 children)

I feel like that might be bad phrasing on the part of the article. They mainly aggregate public records, like legal document style public records, and they also scraped data from not-(public record) data, which isn't the same as (not-public) record data.

I feel like I would want more details to be sure though, but scraping usually refers to "generally available" data.

[–] jaybone 17 points 3 months ago

Same with the big three credit reporting bureaus, Equifax and whoever the fuck. Did anyone ever give them permission to hoard all of their personal info? I don't think so.

[–] Fredselfish 121 points 3 months ago (5 children)

Oh well, I feel at this point every man, woman and child in the United States has already had this done to them, and our government isn't doing shit about it.

[–] thesohoriots 82 points 3 months ago (5 children)

Stack on another “Free monitoring, 2 years”

[–] Lifecoach5000 26 points 3 months ago (2 children)

Just got this bullshit offer from Ticketmaster for one of their breaches and they are only offering 1 year free credit monitoring.

[–] [email protected] 38 points 3 months ago (5 children)

I read "free credit monitoring" as allowing your name to get on another list to be sold.

[–] [email protected] 11 points 3 months ago

This one is way more than just the US.

[–] Spotlight7573 108 points 3 months ago (8 children)

With a breach of this size, I think we're officially at the point where the data about enough people is out there and knowledge-based questions for security should be considered unsafe. We need to come up with different authentication methods.

[–] [email protected] 35 points 3 months ago (2 children)

Private keys for everyone.

[–] [email protected] 29 points 3 months ago (1 children)

We have different authentication methods. The hard bit is persuading people to use them.

[–] QuarterSwede 10 points 3 months ago (2 children)

Passkeys. They’re amazing.

[–] ag10n 10 points 3 months ago* (last edited 3 months ago) (9 children)

Tying a password to a browser or device isn't going to make it any easier. Use a password manager and set unique, strong passwords for everything. If the app supports it, use FIDO physical keys instead of passkeys.

[–] Treczoks 59 points 3 months ago (1 children)

And again they will fail to punish the company responsible for protecting this data for their criminal negligence.

[–] Thebeardedsinglemalt 17 points 3 months ago (1 children)

Because that might damage shareholder value

[–] Treczoks 16 points 3 months ago

It really should. The shareholders did profit from not investing in security until the incident. Let them suffer.

[–] aesthelete 55 points 3 months ago* (last edited 3 months ago) (1 children)

Any company accumulating, aggregating, and centralizing every piece of private and public information under the sun about people is a ticking time bomb (and that is a lot of companies these days).

We need harsher penalties for these assholes, and a privacy amendment so that we actually have some rights when dealing with them.

[–] [email protected] 44 points 3 months ago (1 children)

Go ahead, steal my identity. See if you have any better luck with it.

I keep all my credit reports frozen. These days, everyone should.

[–] [email protected] 14 points 3 months ago (1 children)

Keep in mind there are 4 providers now, not 3!

[–] [email protected] 12 points 3 months ago* (last edited 3 months ago) (4 children)

Oh? Who’s the new one?

ETA: I got woosh’d, didn’t I? I just came off night shift and it’s not even 8AM. That’s my story and I’m sticking to it.

[–] werefreeatlast 16 points 3 months ago (1 children)

I am. Your login is locked unfortunately. Send me your username and password if you want to unlock it. It's fairly common. You'll get your credit score as well.

[–] [email protected] 12 points 3 months ago

Such a helpful employee!

User: DaftPensioner Pass: GoRockettes1964!

[–] [email protected] 9 points 3 months ago (3 children)

There are actually more than 3 providers and you should put a freeze on everything you can. You only need unfrozen credit for applying for new lines of credit (loans, credit cards, etc), and unfreezing is a quick process (15 minutes or so).

Here’s a pretty comprehensive guide for protecting yourself: https://old.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

It’s better to take these steps before you get your identity stolen rather than after. These steps can prevent your leaked information from being used against you.

[–] CallateCoyote 43 points 3 months ago (1 children)

Dang, that’s quite a few people. Maybe we can stop linking our identity to a simple number in the US sometime? That would be swell.

[–] solrize 39 points 3 months ago (5 children)

There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.

[–] _sideffect 39 points 3 months ago

"Please enter your full name, address and SSN to check if you were exposed!"

[–] [email protected] 37 points 3 months ago (3 children)

How did this company leak 2.9 billion people's info, including SSNs, when the population of the US is only ~350M?

Is "National Public Data" collecting info on everyone internationally? So many questions...

[–] [email protected] 14 points 3 months ago

I just assume SSN is for a US audience and it's worldwide with equivalent numbers, but who knows. I mean there are only 8 bil on the planet, so that's like everyone except maybe China, India, and Africa.

[–] [email protected] 30 points 3 months ago (5 children)

Alrighty, brainstorming time, people. If you could write some practical laws, what protections do we need to stop these from happening?

I'm thinking 3 categories: Reporting, oversight, and accountability.

Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.

Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.

Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.

[–] RegalPotoo 22 points 3 months ago* (last edited 3 months ago) (1 children)

Ok, bit of an outlandish idea, but how about something like:

  • Decree that information about a person is the property of that person, and therefore cannot be possessed without compensation. Think of it like intellectual property, but for your personal information
  • Set a standard royalty - say $0.05/year - that must be paid to the owner of that information for as long as that information is held. This forms an incentive to not hold information you don't need, and gives visibility to all the places that are now forced to contact you every year to pay you the royalty
  • Places where you have an explicit contractual relationship with (utilities, banks, ...) could have a clause to set the royalty at $0.00, but this can't be extended to third parties - strong incentive not to transfer information to third parties
  • Unauthorised transfer or loss of information could be considered IP theft, and result in significant civil penalties
[–] BrianTheeBiscuiteer 16 points 3 months ago (3 children)

PII data at rest (i.e. in a database) must be encrypted.

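Added example (not from the thread, and not a description of how National Public Data stored anything) of what "encrypted at rest" has to mean for it to matter in a breach like this one. A disk-level or database-level key that the application reads from the same place as the data is copied along with the dump. This Go sketch instead keeps a key-encryption key in a stand-in key service, wraps a fresh per-row data key under it, and binds every ciphertext to its row and field through AES-GCM's additional authenticated data, so a stolen table cannot be decrypted and rows cannot be mixed. The `keyService` type, the row layout and the SSN values are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyService stands in for an HSM or cloud KMS: the key-encryption key (KEK)
// lives here and never in the database, so a dump of the table yields ciphertext.
type keyService struct{ kek []byte }

func newKeyService() (*keyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &keyService{kek: kek}, nil
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; it is what ties a ciphertext to its row.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on any tampering or on an AAD mismatch.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// record is the row as it sits in the database: no key material in the clear.
type record struct {
	ID         string
	WrappedDEK []byte // per-row data key, encrypted under the KEK, AAD = row ID
	SSN        []byte // SSN encrypted under the DEK, AAD = row ID + field name
}

func (k *keyService) storeSSN(id, ssn string) (record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return record{}, err
	}
	wrapped, err := seal(k.kek, dek, []byte(id))
	if err != nil {
		return record{}, err
	}
	ct, err := seal(dek, []byte(ssn), []byte(id+":ssn"))
	if err != nil {
		return record{}, err
	}
	return record{ID: id, WrappedDEK: wrapped, SSN: ct}, nil
}

func (k *keyService) readSSN(r record) (string, error) {
	dek, err := open(k.kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	pt, err := open(dek, r.SSN, []byte(r.ID+":ssn"))
	if err != nil {
		return "", fmt.Errorf("decrypt ssn for %s: %w", r.ID, err)
	}
	return string(pt), nil
}

// dumpLeaksPlaintext asks the question a breach victim cares about:
// does the raw row, as an attacker would copy it, contain the SSN?
func dumpLeaksPlaintext(r record, ssn string) bool {
	return bytes.Contains(r.SSN, []byte(ssn)) || bytes.Contains(r.WrappedDEK, []byte(ssn))
}

func main() {
	ks, _ := newKeyService()
	row, _ := ks.storeSSN("row-1", "123-45-6789") // constructed sample value
	back, err := ks.readSSN(row)
	fmt.Println("round trip:", back, err)
	fmt.Println("dump contains plaintext SSN:", dumpLeaksPlaintext(row, "123-45-6789"))
	thief, _ := newKeyService() // has the table but not the KEK
	_, err = thief.readSSN(row)
	fmt.Println("decrypt without KEK:", err)
}
```

This narrows what a copied table is worth; it does nothing against an attacker who drives the application or its bulk-export path with legitimate access, which is the more common way aggregated data walks out of a broker.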
[–] [email protected] 10 points 3 months ago (3 children)

How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody's name, without the lending institution verifying that it's actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.

I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It's the system that's broken, tightening up the laws on PII is just a band-aid.

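Worked example of the distinction two comments in this thread reach for: Spotlight7573's point that knowledge-based questions are unsafe once the answers are in a dump, and the proposal just above that a lender should verify a request against the named person rather than against facts about them. This is added Go code, not from the thread or from any lender or passkey implementation. The breach row, the names and the `credit-auth:` challenge format are constructed for illustration; the key-based flow is the plain challenge-response shape that passkeys and FIDO authenticators use, with the WebAuthn encoding left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed sample of the kind of row the thread is about. A real dump has
// billions of these; one is enough to show why KBA stops working.
var breachCorpus = map[string]map[string]string{
	"jane doe": {"ssn": "123-45-6789", "dob": "1980-04-02", "prior_street": "14 Elm St"},
}

// kbaAnswers is what a lender's "identity quiz" keeps on file.
type kbaAnswers struct{ ssn, dob, priorStreet string }

// kbaVerify is ordinary knowledge-based authentication: whoever knows the
// answers is treated as the person.
func kbaVerify(stored kbaAnswers, ssn, dob, street string) bool {
	okSSN := subtle.ConstantTimeCompare([]byte(stored.ssn), []byte(ssn)) == 1
	okDOB := subtle.ConstantTimeCompare([]byte(stored.dob), []byte(dob)) == 1
	okStreet := subtle.ConstantTimeCompare([]byte(stored.priorStreet), []byte(street)) == 1
	return okSSN && okDOB && okStreet
}

// kbaBypassedByBreach plays the attacker: fill in the quiz from the dump.
func kbaBypassedByBreach(stored kbaAnswers, name string) bool {
	rec, found := breachCorpus[name]
	if !found {
		return false
	}
	return kbaVerify(stored, rec["ssn"], rec["dob"], rec["prior_street"])
}

// enrollment is all the relying party stores in the key-based flow: a public
// key. Leaking it does not let anyone authenticate as the person.
type enrollment struct{ pub ed25519.PublicKey }

type challenge struct {
	nonce   []byte
	issued  time.Time
	purpose string // "open-credit-line", "login", ...
}

func enroll() (enrollment, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return enrollment{}, nil, err
	}
	return enrollment{pub: pub}, priv, nil
}

func issueChallenge(purpose string) (challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return challenge{}, err
	}
	return challenge{nonce: nonce, issued: time.Now(), purpose: purpose}, nil
}

// challengeMessage binds the purpose into what gets signed, so a signature
// collected for "login" cannot be replayed to open a credit line.
func challengeMessage(c challenge) []byte {
	return append([]byte("credit-auth:"+c.purpose+":"), c.nonce...)
}

// respond is what the holder of the private key (the device or passkey) does.
func respond(priv ed25519.PrivateKey, c challenge) []byte {
	return ed25519.Sign(priv, challengeMessage(c))
}

// verifyResponse accepts only a fresh challenge signed by the enrolled key.
func verifyResponse(e enrollment, c challenge, sig []byte, maxAge time.Duration) error {
	if time.Since(c.issued) > maxAge {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(e.pub, challengeMessage(c), sig) {
		return errors.New("signature does not verify for enrolled key")
	}
	return nil
}

func main() {
	stored := kbaAnswers{ssn: "123-45-6789", dob: "1980-04-02", priorStreet: "14 Elm St"}
	fmt.Println("KBA passed using only breached data:", kbaBypassedByBreach(stored, "jane doe"))

	e, priv, _ := enroll()
	c, _ := issueChallenge("open-credit-line")
	fmt.Println("key holder:", verifyResponse(e, c, respond(priv, c), time.Minute))
	_, attacker, _ := enroll() // knows everything in the dump, holds no enrolled key
	fmt.Println("attacker with breach data but no key:", verifyResponse(e, c, respond(attacker, c), time.Minute))
}
```

The two halves fail differently: the KBA check cannot be repaired by adding more questions, because every answer is a fact someone else can hold, while the key-based check is only as weak as the enrollment step that associates a public key with a person, which is where a scheme like this would have to spend its effort.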
[–] [email protected] 29 points 3 months ago (2 children)

I like how my social security card explicitly says it's not to be used for identification and is for tax purposes only. But I need it for absolutely fucking everything and to identify that I'm a citizen. Can hardly sign up for a new email without a SSN. (Exaggerating of course about the email)

[–] ClanOfTheOcho 24 points 3 months ago (3 children)

It sounds like a bad breach, and I'm not arguing against that. I just want to point out my doubts that there were ever 2.9 billion Americans since the founding of the nation, let alone since social security numbers became a thing. Maybe if I bothered to read the article, it would make more sense.

[–] [email protected] 31 points 3 months ago (3 children)

Okay, but I'm not sure how relevant that is. The article doesn't say only Americans were affected, it says the exact opposite.

[...] this data likely comes from both the U.S. and other countries around the world.

[–] [email protected] 10 points 3 months ago (2 children)

There's something like 330 million Americans currently alive, give or take. Social Security began in 1935, so that's 89 years ago. For the sake of making the math easy for a dumb Lemmy comment, let's figure the population at the time was two thirds of what it is today at 220 million, and we can figure that within the margin of error virtually all of them are dead. Yes there are some Americans between the ages of 90 and 111 but they likely didn't have social security numbers as children; the practice of assigning a SSN at birth happened later when they tied it to a tax credit for having kids; at first you got a SSN when you got your first job so anyone who was under the age of 15 or so in 1935 wouldn't have been given one.

So let's figure 220 million Americans who have since died, and 330 million Americans who are still alive, have held social security numbers. That's 550 million SSNs total. Rough back-of-the-napkin math.

[–] Alexstarfire 11 points 3 months ago (1 children)

Why guess at the 1935 pop instead of just looking it up?

It was about 127 million.

[–] [email protected] 23 points 3 months ago (2 children)

Identity theft monitoring services always scare me. It seems like you are dumping a huge amount of information into a single system and just hoping the vendor is secure. I have access to one but refuse to put much information in. Is this mindset incorrect?

[–] NutWrench 16 points 3 months ago (2 children)

Who TF is "National Public Data?"

[–] [email protected] 14 points 3 months ago (11 children)

I tried freezing my credit but I think transunion and equifax wouldn't let me create an account for some reason. Asking me to call them. Anybody else running into the same issue?

[–] [email protected] 11 points 3 months ago* (last edited 3 months ago)

Good god. That's like, every person that has ever used a computer, probably. Fuck.
