
Was every Social Security number hacked and shared? Lawsuit raises concerns

A class action lawsuit made the unproven claim that the Social Security numbers of all US citizens were leaked in a data theft this year.

However, a preliminary analysis of the leak by experts suggests that, in addition to some legitimate information, there may also be incomplete and false data, leaving the extent of the leak and the authenticity of the claim unclear.

Security analysts who spoke to NBC News also said that while the Social Security number leak is still concerning, there is no reason to panic as many people's numbers have been leaked in previous hacking attacks.

The alleged breach was first reported in April after a hacker calling himself USDoD announced on a web forum that he had accessed a database containing information on every person in the United States, the United Kingdom and Canada. News of the claim was published in several cybersecurity publications but did not receive widespread coverage at the time.

After a class action lawsuit was filed on August 1, claims that the data breach may have exposed large amounts of Social Security numbers began to spread across mainstream and social media.

The lawsuit was against a data broker called National Public Data, part of a shady group of companies that secretly and quietly collect, buy, trade and sell people's personal data, usually without their knowledge. The information is often sold to marketers or used for background checks.

The lawsuit accuses the company of acquiring the plaintiffs' personal data without their knowledge or permission – a common practice among data brokers – and failing to protect it from hackers. National Public Data did not respond to a request for comment.

It is not confirmed that every American's Social Security number was leaked. The complaint states that the plaintiff received an alert from an identity theft protection company in July that his Social Security number had been leaked as a result of the National Public Data breach.

NBC News has not seen the leaked data, and the hacker's original post offering it for sale appears to have been deleted. However, it's common for criminal hackers to exaggerate or even invent their exploits, especially when they're trying to sell something.

Researchers who have previously downloaded the data are skeptical. News site TechCrunch downloaded and examined parts of the leak in June and found that while some of the data appears to be real, much of it is also false. People and data fields are missing, and some information about people is incorrect.

Troy Hunt, Microsoft's regional director for Australia and the operator of Have I Been Pwned, a massive public database that allows people to check whether their identities have been compromised in various security breaches, also received a large sample of the data. In a blog post on Wednesday, he described a tangled mess, some of which appeared to be inaccurate and a significant portion of which was missing. The data did include his email address, but it was linked to the wrong name, and it gave two birth dates that were far from his actual one. Such inaccuracies about people make it harder to use accurate information for nefarious purposes.

Although the extent and condition of the leaked data is unclear, news of the lawsuit has sparked significant interest in the Social Security number claim.

Experts advise approaching the news with a certain degree of realism.

“We've all probably been affected by a data breach and received a notification,” says Amy Nofziger, director of victim services at AARP, an organization that advocates for seniors. “My first piece of advice is don't panic, because most likely your information was already out there.”

Nofziger said that given the frequency of data theft, Americans should assume their information is already in the hands of criminals and develop good habits that can help quickly detect criminal activity.

Anyone who is worried about becoming a victim of identity theft can quickly find out by checking their credit report. There are three credit bureaus for Americans: Equifax, Experian and TransUnion.

“If it's clean and you recognize everything on it, turn on a fraud alert. That's always my first recommendation because it's faster, easier and easier,” Nofziger said.

According to Equifax, a fraud alert is “a note on your credit report that alerts creditors that you are or may be a victim of fraud, including identity theft. A fraud alert can make it harder for someone to open unauthorized accounts in your name. It encourages or requires lenders and creditors to take additional steps to verify your identity, such as contacting you by phone before opening a new credit account in your name or making changes to existing accounts.”

It's easy to call any of those three and get a free fraud alert, and each of them shares the alert with the other two, Nofziger said.

A second, safer step takes a little more time: Call each of the three bureaus individually and freeze your credit with each one. It's generally safer to keep your credit frozen by default and then only temporarily “unfreeze” it when you take out new credit, she said, though it's not everyone's first choice.

“Not everyone wants to put a freeze on it because some people use their credit frequently and take out new credit, and they don't like the hassle involved,” Nofziger said. “For me, it's worth it to make sure your credit report is safe.”

The third step is to ensure that each bank account has the strongest account security available. This means that each account must have a unique and long password and that two-factor authentication is enabled on the account.