3 Billion Social Security Numbers Leaked On The Dark Web

00:00

I've covered a lot of data breaches on

00:02

this channel and usually the number of

00:04

personal records that get released in

00:06

any odd data leak are in the thousands

00:09

or sometimes in the millions but today

00:11

when I was browsing my friendly

00:13

neighborhood dark web hacker Forum I

00:16

stumbled upon a post titled national

00:18

public data full DB 2024 which

00:23

supposedly has the personal data of

00:26

almost 3 billion people in it that's

00:29

right folks folks this text Data weighs

00:32

in at

00:33

277 GB uncompressed that takes up about

00:37

as much space as Call of Duty Black Ops

00:40

6 4K texture packs and all and it has

00:43

data points in it like first name last

00:47

name date of birth address phone number

00:50

and social security number now at first

00:54

the hackers that stole this database

00:56

were trying to sell it for $3.5 million

01:00

but then they decided H you know what

01:02

I'm feeling generous today I'm going to

01:04

just give it away for free to all of my

01:08

hacker Forum buddies so I can earn

01:10

myself a lot of reputation and as far as

01:13

the leak itself goes it's pretty much

01:15

structured like a phone book but with

01:18

social security numbers included as well

01:21

and that SSN data point is especially

01:24

disturbing because I don't know about

01:26

other countries but here in the United

01:29

States Social Security numbers are used

01:32

when you apply for a loan when you open

01:34

a bank account credit card account

01:36

credit reports and pretty much any other

01:39

financial transaction involves your

01:42

social security number and the last four

01:44

digits of a person's social security

01:46

number are often used for security

01:49

verifications whenever you call up your

01:51

internet provider to interact with your

01:54

account or your utility provider or your

01:57

cellular company so the data in this

01:59

leag could be used by somebody to shut

02:02

off your power or open up new utility

02:05

accounts in your name at different

02:06

houses that they're squatting in or

02:08

trying to rent out to people like hey

02:10

you want to stay in this abandoned house

02:12

and get some free Power sure just come

02:14

in here and I don't know give me a 100

02:16

bucks a month or they could call your

02:18

cellular provider and use your social

02:20

security number to pull off a Sim

02:23

swapping attack so this is where an

02:25

attacker basically takes control of your

02:27

phone number by getting the carrier to

02:30

program their sim card with it they

02:32

would just call your carrier pretend to

02:34

be you or someone authorized on your

02:36

account and say that they lost their

02:38

phone and now they've got a new one and

02:39

they need the phone number back and then

02:42

after they do that the attacker is able

02:44

to get all of your calls and all of your

02:47

text messages on their phone and that

02:51

includes temporary codes that Google or

02:54

Facebook sends you for changing your

02:57

password and two-factor Authentication

03:00

which means that those accounts could be

03:03

compromised too who would have thought

03:05

that a nine-digit number assigned to you

03:08

at Birth could cause so much Havoc if it

03:10

fell into the wrong hands and speaking

03:13

of wrong hands you're probably wondering

03:16

who this data was stolen from because

03:19

most people don't just have 300 gabyt of

03:23

social security numbers and names and

03:26

addresses and stuff laying around so the

03:29

data in question was stolen from

03:32

national public data which provides an

03:35

API service for background check

03:38

services and they got the data through

03:41

web scraping across public and

03:44

non-public sources without anyone's

03:48

consent and from purchasing the data

03:51

from data Brokers again without the

03:54

consent of the person who the data

03:57

pertains to national public data then

04:00

combines these different sources and

04:02

packages it together in a format that

04:05

XML apis can read easily and then the

04:09

different background check services

04:10

online create a front end for their

04:13

customers to do these background checks

04:15

and these different kinds of lookups

04:17

often in a not so convenient way that

04:20

takes artificially long to load the data

04:22

only to ask you to pay a fee at the very

04:25

end when you thought it was free so I

04:28

guess one upside to this data breach is

04:31

that now I can do background checks

04:33

locally with grep instead of having to

04:35

go through that nonsense anymore now I

04:39

haven't been able to look through this

04:41

data too extensively since it's

04:44

basically a compressed CoD game worth of

04:46

information that takes a long time to

04:48

download since it's probably hosted on a

04:50

remote server in Vietnam somewhere and

04:52

it has to pass through the onion Network

04:55

to get to its destination but based on

04:57

the limited amount of grepping that I've

04:59

been able to do on the two SS sn. txt

05:03

files I can confirm that this breach

05:07

doesn't actually affect 3 billion people

05:10

and I can actually demonstrate why

05:12

that's the case and hopefully I can do

05:14

so without doxing anyone so here in

05:18

Libre office I've copied over a sample

05:21

of the data leak and I've organized it

05:24

into labeled columns so we've got ID

05:27

first name last name middle name Etc

05:30

these are all of the same columns that

05:32

came from the database leak it's just

05:35

comma separated values you know there's

05:37

a nicer way to display all the

05:39

information um now the reason why the

05:44

data in these cells looks like a bunch

05:46

of random letters and numbers instead of

05:49

a legible name is because I hashed all

05:53

of the personally identifying

05:56

information here to protect this

05:58

person's privacy see um the only one

06:01

that's not hashed is this ID column here

06:04

which is just the line number from the

06:07

data set so this isn't really considered

06:10

pii uh so you can see here that this is

06:15

eight different

06:17

records and if we start looking through

06:20

each of the columns here for first name

06:23

all of these hashes are the same um and

06:26

if you're not familiar with hashing

06:29

algorith

06:30

they basically take input of a string

06:34

and they crunch it down into something

06:35

that can't be reversed so there's no way

06:37

to actually get the person's first name

06:40

from what you're seeing here that's why

06:42

it's safe to show it um but also any two

06:46

strings that are the same if you feed

06:49

them into a hashing algorithm the hash

06:51

is going to be the same and if those

06:54

strings deviate just a little bit and a

06:56

string can be an entire novel mind you

06:58

so like if you literally just change one

07:00

letter in a novel and then you pass that

07:03

into a hashing algorithm you're going to

07:05

get two completely different hashes from

07:07

that so the fact that these are the same

07:11

proves that the input strings I fed were

07:13

the same as well uh so we have the same

07:15

thing going on with last name okay all

07:17

of this is the same middle name or

07:20

really just middle initial um or

07:23

sometimes it's a middle name you know

07:24

it's if if you actually look through the

07:26

raw data um it's mostly middle initials

07:29

and sometimes middle names but anyway

07:31

that's all the same dates of birth are

07:33

the same now with addresses there's a

07:35

little bit of differences here but I've

07:37

actually highlighted in different colors

07:39

the ones that match so these two

07:41

addresses are the same um I think yeah

07:45

the green ones match this orange one is

07:48

unique and then these purple ones match

07:52

up as well uh so there's only four

07:54

unique addresses here out of um eight

07:58

records all the cities uh County names

08:03

State and zip codes are all the

08:06

same so you know maybe this guy owns

08:09

multiple condos in one building or maybe

08:11

he moved around town a few times I'm not

08:14

exactly sure uh what's up with that

08:16

there and if there were any doubts that

08:20

this is all the same

08:23

person in the SSN

08:25

column these are all the same too so

08:27

it's all the same social security number

08:30

it's all the same person repeated eight

08:33

times in the database leak and there's

08:35

several different examples of this um if

08:38

you actually look at the raw database

08:40

leak of the same person being repeated

08:43

or being repeated at different addresses

08:46

um I've seen a few PO Box entries for

08:49

people and another positive observation

08:54

is that I wasn't able to find records

08:57

for several people who authoriz me to

09:00

look them up in this database leak

09:02

including myself and I think the Common

09:06

Thread here with people I wasn't able to

09:08

find where these people either used data

09:11

optout services or they just have a very

09:15

very minimal online footprint to begin

09:17

with they don't really have any uh

09:19

subscription services that they pay for

09:22

they don't have any social media um or

09:25

you know anything like that I guess

09:26

they're kind of off- grid you could say

09:29

so if I had to guess the actual number

09:31

of people in this leak is probably an

09:35

order of magnitude or possibly a little

09:37

less than what some media Outlets are

09:40

saying with 2.9 billion uh but still you

09:44

know that's over 200 million people's

09:47

Social Security numbers leaked which is

09:50

most of America so yeah keep an eye out

09:53

for identity theft uh people opening up

09:56

new credit cards or new utilities new

09:59

lines with the cell phone company and

10:01

stuff like that under your name and keep

10:04

an eye out for the outcome of this class

10:09

action lawsuit that's been filed against

10:12

national public data because of their

10:14

failure to secure this massive Trove of

10:17

data that they had and also the fact

10:19

that they scraped this data in some

10:22

really shady ways without anyone's

10:24

consent in the first place hopefully

10:27

their punishment is severe enough to to

10:29

compel all these companies that have

10:32

poor security practices and data

10:34

hoarding fetishes to stop it and get

10:37

some help if you enjoyed this video

10:40

please like and share it to hack the

10:41

algorithm and check out my online store

10:43

base. when where you can get awesome

10:45

merch like the tie-dye Tor te or the

10:48

come and finded hoodie 10% discount for

10:50

using Monero XMR at checkout have a

10:53

great rest of your day