Has your social security number been stolen on the darknet? Use this tool to find out

This article was first published on August 14, 2014. It was updated on August 18, 2014 to include information about Pentester's new tool.

You've probably never heard of National Public Data, the company that makes its money collecting your personal information and selling it to credit card companies, employers, and private investigators. It now looks like the U.S. Department of Defense hacker group stole about 2.9 billion of that data. Chances are, your data – possibly including your Social Security number (SSN) – is in those databases.

Also: 7 password rules that should apply in 2024, according to security experts

The U.S. Department of Defense wanted to sell this data for the low price of $3.5 million. Ironically, another threat actor, Fenice, stole the data and published it on the dark web before the U.S. Department of Defense could profit from the theft.

How bad is it really? According to the security organization Vx-Underground, the stolen data includes

• First name
• Last name
• address
• Address history (three decades)
• Social Security Number

Vx-Underground also noted that “the database does not contain information from individuals who use data opt-out services.” These are websites or services that allow you to opt out of a company or group wanting to keep your data.

That's good to know, but for many of you it's probably a bit late.

Also: The best VPN services: tested and rated by experts

The total 277 GB of data that was leaked can be used for identity theft and fraud. Although the data theft does not necessarily affect 2.9 billion unique individuals (since there are multiple records per person), it still poses a significant risk. The information can be used to open fraudulent accounts, apply for loans, or even commit tax fraud.

How to find out if your SSN has been shared

There is a website that can tell you if your SSN was leaked by the security company Pentester. You have to enter your first and last name, year of birth, and the states you lived in. If your SSN is there, the website will present you with a table that shows your address in the record and the last two digits of your SSN.

If you cannot find your records associated with your current state or name, try searching for previous states and/or other last names.

I tested this tool and found a list of legitimate records.

Also: Delete yourself from the Internet with these online data removal services

Richard Glaser, co-founder of Pentester, said, “Names, addresses, and phone numbers can change, but your social security number cannot.” Financial institutions use SSNs to verify your identity and comply with regulations when you apply for loans, credit cards, or investments. If you are a U.S. citizen, it is the key to your identity, which is why it is important that you determine whether or not your SSN is known.

How to monitor your credit reports

If your SSN has been leaked, check your credit reports (Experian, Equifax, and TransUnion) for unauthorized activity (and do so regularly in the future!). Report suspicious transactions to the credit bureaus through their websites, and freeze your credit to prevent new accounts from being opened in your name.

You can freeze your credit through credit companies Equifax Credit Freeze, Experian Credit Freeze, and TransUnion Credit Freeze. Some financial companies like Credit Karma can also help you freeze your credit.

Also: How to block your loans – and how you can protect yourself after data theft

If you're concerned that your information is being used against you, it's time to use an identity theft protection and credit monitoring service to protect yourself. ZDNET recommends aura as the overall best service of its kind.

However, using these services is not enough.

Beware of phishing attempts

You should also be wary of phishing attacks. Be cautious of emails, text messages or calls that attempt to steal personal information. Scammers will use your leaked data to launch convincing phishing attacks. For example, I recently received an email claiming to be from my bank that included my address, warning that my account had been hacked and that I needed to use the link included to change my password. At the moment.

Also: Stop paying for third-party antivirus software. Here's why

Do not trust such messages, whether they warn you about something terrible or promise you something that sounds too good to be true. Never click on links in such emails or text messages.

What to do if you clicked on a phishing link?

If you have clicked on a phishing link, do not panic, but follow these steps immediately:

1. Immediately disconnect from the Internet and your local network. This will prevent potential malware from spreading or communicating with malicious servers.

2. Back up important data on an external hard drive or USB stick. This way, your information is protected in case of data loss or damage.

3. Run a thorough antivirus scan. If you don't have one on your device, consider downloading an antivirus program to another computer, transferring the installer to a USB stick, and installing it on your affected computer.

4. Change the passwords for all your online accounts, especially important accounts like bank and credit card accounts. Use strong, unique passwords for each account and consider using a password manager.

5. Enable multi-factor authentication. Enable multi-factor authentication (MFA) on your accounts whenever possible. This adds an additional layer of security.

6. Keep an eye on your important online accounts and if you notice any suspicious activity, contact the company as soon as possible.

What to do if your SSN has been compromised?

If someone uses your SSN illegally or without your consent, you should take the following steps:

1. File a report with the Federal Trade Commission (FTC) at IdentityTheft.gov. This website will walk you through the process and provide a personalized recovery plan.
2. File a report with your local police department. Although they may not be able to investigate immediately, a police report can serve as important documentation.
3. Monitor your credit reports for unauthorized accounts or activity. Get free weekly credit reports from AnnualCreditReport.com.
4. As I mentioned earlier, you should put a hold on your credit reports with all three major credit bureaus – Equifax, Experian and TransUnion. This will prevent new accounts from being opened in your name. You can also place a fraud alert on your credit reports, which will require companies to verify your identity before issuing credit in your name.
5. Check your Social Security statement for suspicious activity, such as unreported income.

Next, contact the Internal Revenue Service (IRS) to prevent possible tax fraud. Here's how to do it:

1. Contact the IRS: You can reach the IRS Identity Protection Specialized Unit at 1-800-908-4490. This number is designed to assist individuals who believe they have been victims of identity theft related to their tax accounts.
2. File an identity theft affidavit: Fill out IRS Form 14039, the form used to report suspected identity theft to the IRS. You can file it online through IdentityTheft.gov, which forwards it to the IRS, or you can download the form from the IRS website and mail it along with your tax return to the address listed on the form.
3. Respond to IRS notices: If you receive a notice from the IRS indicating that your SSN has been used fraudulently, follow the instructions in the notice. Typically, such notices are sent by mail. You may then need to submit a Form 14039 or other documentation to verify your identity and resolve the problem.

This can be a long, tedious process. But if you don't check your accounts and protect them when necessary, your identity can be stolen. Recovering from identity theft is much more painful than preventing it.

Also: Have you received a fake McAfee invoice? Here's how the scam works and 2 things you should never do

After that, stay vigilant and continue to regularly monitor your accounts and credit reports. If you notice any suspicious activity, report it immediately to the appropriate authorities and financial institutions. This is not a threat you can deal with once and then ignore. It is a threat that will be with you for the rest of your life.

Yes, I hate that too.