Inside the "3 billion people" national public data breach

Original Article ↗ Hacker News Discussion ↗

What the breach contains and how “real” it is

  • Leaked data appears to come from a US data broker branded as “National Public Data.”
  • Core dump: two huge ssn.txt files (~300 GB uncompressed, ~2.7B lines) with US-only records; fields include name, DOB, address history, county, state, ZIP, sometimes phone and aliases, and SSN as last field.
  • No email addresses in the SSN files; separate bundled “breach” packages on forums mix this with other datasets that do have emails, causing confusion (e.g., non‑US people getting HIBP notices).
  • Users checking themselves and family report: often correct names, addresses, SSNs; sometimes DOBs or addresses are partial or wrong; occasionally the SSN matches but everything else is nonsense.
  • Consensus: not a “full” leak of all broker data, but a large, real, and now-irreversible public exposure.

Impact of exposed SSNs and “identity theft”

  • SSN is widely used in the US as both identifier and de‑facto password. With DOB and address, attackers can: open credit lines, take loans, impersonate for password resets, commit tax-refund fraud, etc.
  • Some argue SSN “security” has been dead for years; real problem is institutions still treating SSNs (and past addresses, mother’s maiden name) as authenticators.
  • Several commenters frame “identity theft” as rebranded bank/creditor fraud, shifting blame and cleanup costs from companies to individuals.

Data brokers, privacy, and opt‑out services

  • Strong hostility toward data brokers: seen as aggregating and monetizing sensitive data without meaningful consent, enabling discrimination, stalking, and exploitative profiling.
  • Suggestions that adding fake/noisy data is dangerous: even fictitious profiles can skew aggregate stats used for pricing, insurance, and policy decisions.
  • Multiple opt‑out tools mentioned (commercial and nonprofit). Experiences:
    • They can reduce “people search” visibility somewhat.
    • Effect often decays; data reappears via new feeds and broker‑to‑broker sharing.
    • Some removal services are owned or influenced by the same brokers.
    • Consumer Reports testing found modest effectiveness at best; no solution is close to 100%.
  • Technical debate over how brokers could honor permanent opt‑outs (hashes, Bloom filters, shared services) vs claims it’s “impossible” and that brokers have no incentive to try.

Regulation, liability, and legal angles

  • Many call for GDPR‑style federal privacy law or stronger CCPA‑like protections: explicit consent, clear limits on use, and real penalties.
  • Popular proposal: make aggregators and relying businesses strictly liable for misuse and breaches—e.g., large per‑person statutory damages paid directly to affected individuals.
  • Others suggest:
    • Outright banning or tightly constraining data brokers.
    • Prohibiting SSN use outside Social Security.
    • Making SSN legally invalid as authentication; any fraud relying on it is prima facie the company’s problem.
    • Taxing data storage/centers to disincentivize hoarding.
  • Counterpoint: in the US, broad bans on collecting and sharing factual information collide with First Amendment protections; advocates suggest focusing on liability instead.
  • Some debate whether HIPAA/GDPR‑style regimes do more good than harm; others say industry “HIPAA/GDPR is too hard” complaints are mostly foot‑dragging until real enforcement appears.

Technical notes on accessing/inspecting the leak

  • Dataset is distributed via public torrent; contents are unencrypted text once extracted.
  • Users describe using command‑line tools (grep/equivalents) to search for SSNs or names; searches over 100–200GB text can take minutes but are feasible.
  • Separate web tools (e.g., npd.pentester.com) allow quick checks against the SSN files without downloading them, though legality/ethics of using the raw torrent is debated.

Debates around HIBP and breach‑notification services

  • Some appreciate HIBP as a trusted, audited service with rate‑limited APIs and offline password‑hash datasets; others distrust any intermediary collecting emails/IPs “in the name of helping.”
  • Critics see monetization (paid APIs, partnerships) as profiting from breaches; defenders argue the scale and ongoing work need funding and are better than opaque corporate handling.
  • Important nuance: HIBP only shows email presence in a breach package; given this NPD bundle stitches multiple sources, being “pwned” here does not necessarily mean your SSN is correct or present.

Identifiers, national ID, and future fixes

  • Several suggest moving away from SSNs toward stronger, cryptographic identity systems:
    • Government‑backed PKI on smartcards or NFC IDs (as used in parts of Europe).
    • Wider use of login.gov or similar federated identity, possibly open to private sector.
  • Others warn that universal, easily checked IDs can also supercharge surveillance and oppression; debate centers on whether better IDs reduce harm or mainly make bulk tracking easier.
  • Examples from Australia and Europe: bans on repurposing government ID numbers, digital‑ID initiatives with chips and signatures, and mixed public acceptance.

Practical defenses individuals discuss

  • Recommended actions:
    • Freeze credit at the major bureaus; consider IRS IP PIN for tax filings.
    • Avoid giving SSN when not strictly required; refuse optional SSN fields.
    • Use unique email aliases and, where possible, fake names/virtual cards for low‑trust vendors to limit linkage.
    • Periodically search for and manually request removal from people‑search sites; use opt‑out tools to automate some of this.
  • Many feel resigned: between this and earlier mega‑breaches, they assume their SSN and core PII are effectively public; focus shifts from secrecy to limiting institutional misuse.