There are a lot of ways data breaches can occur; some are accidental, others are the work of “inside job” actors within the company. Some rely on social engineering, like getting you to download a virus to your computer or click a link to a malicious site. Still others are the work of highly-skilled cybercriminals who can infiltrate a network and steal important information.

What all of those have in common, though, is the need to report them to the government. Under certain legal guidelines, companies that experience a data breach can be required to file a notice with the Securities and Exchange Commission upon discovering the breach. If the breach affected the victims’ highly-sensitive personally identifiable information (like Social Security numbers), the company can also be responsible for providing extended protections like credit or identity monitoring.

Chegg, an online tutoring and textbook rental service, discovered a data breach last month, but their investigation showed it had actually begun in April of this year. The company doesn’t have reason to think any sensitive PII or credit card numbers were exposed, so victims should only have to fear for their login credentials.

Why? If you’ve reused your username and password on different accounts, a hacker who accesses one account now has instant access to all of those other accounts as well. So far, the company has stated that the passwords were hashed with encryption, but depending on the type of encryption used, they may still be easily viewable by anyone with the right tools.

Just to be safe, Chegg reset all of its users’ passwords in an effort to prevent any significant damage. As the hackers did manage to access customers’ shipping addresses and email addresses, users should be on the lookout for any upticks in spam email messages, scams or phishing attempts that appear to originate from Chegg or its partners, or other similar tactics.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

Today, Facebook announced a recently discovered security breach that relied on an open vulnerability in the platform’s coding. The “View As” feature, which lets users see their own profiles in the way that others see them—without all of the extra admin sidebar content that lets you control your wall—contained script that allowed hackers to use around 50 million accounts.

Facebook first closed the vulnerability and forced a re-login for the 50 million affected accounts. Then, they repeated the forced login for an additional 40 million accounts that didn’t seem to have been affected but that had used the View As feature.

From there, Facebook shut down the View As feature until they can secure it from further fraudulent use.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether you hear anything official from the company or not, there are some actionable steps you should take. First, change your password—which you really should be doing routinely in order to maintain your privacy and security. Any apps that you’ve connected to Facebook (you’ll know you’ve done this if you are able to log into it with your Facebook account) need to be force closed and logged out; it’s a good idea to a) change your password on those if you have one, and b) revoke the permission for Facebook to connect with it by going into your Facebook settings and removing it. Go into your settings and find all of the current devices you are logged into ( see screenshot above) and click “Log out of all devices” to ensure that no one with bad intentions may still be logged in to your account.

Finally in this case, changing your password means that you are changing the tokens on your devices that allow you to stay logged in. By doing this, it should update the tokens that might have fallen into the hands of bad-actors that might want the valuable personal information that would be in your Facebook profile. Remember, periodic proactive checks to your privacy and security settings will help you stay one step ahead of the identity thieves.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

With all of the high-tech hacking, malware attacks that cripple entire networks, and new ways to steal or fabricate someone’s complete identity, it’s easy to forget that some of the things that used to be problems in the past are, still a problem.

On Aug. 16, a data breach was discovered that affected multiple Cheddar’s Scratch Kitchen restaurants in numerous states. Investigators believe the operative first launched the breach in early November of 2017 and continued through Jan. 2. More than 500,000 payment cards were compromised in the breach.

The company has sent out notification letters to the victims and offered identity monitoring for the affected customers. They also revamped the payment card system in April of this year, but still advise all of their customers to monitor their account information very closely for any signs of suspicious activity.

This incident clearly demonstrates that “old-fashioned” methods of stealing identifying and financial information are still out there, even if they’re sometimes overshadowed by larger events like the or the cyber attack that hit last year. Even old tactics like dumpster diving for your junk mail or health insurance statements can lead to identity theft crimes, even if they’re on a much smaller scale than a data breach like this one.

To help minimize the risks associated with this kind of incident, there are steps that consumers can take:

1. Enable alerts on your payment cards – If your financial institution offers it, you can set up text or email alerts that tell you any time your card number is used without the physical card being present. If your account info is stolen in a breach like this one, you’ll know if someone uses your card fraudulently. One person who contacted the Identity Theft Resource Center was on her child’s school trip when she received an alert; a quick call to her credit card company showed that someone had used her account number to buy several iPhones at a cellular store. The transaction was promptly canceled and a new card sent to the victim.

2. Monitor your accounts closely – By taking even a quick peek at your account statements on a regular basis (something you can even set up to do online or on your mobile device), you can stay on top of any unusual activity.

3. Place a credit freeze – This event only compromised the customers’ payment card numbers, but in this climate of record-setting data breaches, some consumers are opting for preventive credit freezes. New legislation goes into effect next month that will remove the fee associated with freezing and unfreezing your credit, which helps prevent new accounts from being opened with your identifying information. If more sensitive information is stolen in other data breaches, you’ll be better prepared to fend off identity theft and fraud.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

For quite some time, Social Security numbers have been called the “Holy Grail” of personally identifiable information. With access to your SSN and a few other key data points, an identity thief could open new lines of credit and run up bills for large purchases for years to come. If you discovered the fraudulent card and canceled it, they could simply open up another one.

In any data breach, it was almost a relief to find out that the victims’ SSNs had not been compromised… but that may not be the case anymore.

As a newly announced data breach of T-Mobile’s network shows, our phone numbers can be a hot commodity for hackers. Hackers made off with the names, email address, some of the accounts’ passwords, account numbers and phone numbers for . The cellular provider discovered the incident on Aug. 20 and shut down the hackers’ access, then began the process of investigating and sending out notification letters to affected customers.

You might think a thief can’t really do much for this information, but that’s not true. With just the data compromised, identity thieves can port the affected customers’ phone numbers to a new SIM card, install it in a new handheld device and access any accounts that the user has connected through that phone number.

For example, a hacker can get into your email account, Amazon account, online banking or PayPal account and more by having the password reset link sent to the phone number associated with the accounts, even if two-factor authentication was in place. The thief can then access the victims’ text messaging, receive the one-time-use verification code and use it to change the victims’ passwords on any accounts where they’ve entered their phone number.

T-Mobile has already begun notifying the victims and offered them some key instructions, namely to change their passwords on their accounts. However, it’s also a good idea to change the passwords on any other sensitive accounts—not just the T-Mobile accounts—and to be on the lookout for any unusual activity. This might include notifications of logins from new devices, contacts from your account providers telling you of suspicious activity, any unusual deductions from your financial accounts and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Identity Theft Resource Center® Sees Major Consumer Impacts One Year After the Equifax Breach. Read the full report here.

For decades, consumers have been told to monitor their credit reports as a way to stay on top of their identities and to maintain general financial well-being.

The sources of those credit reports are three major reporting agencies: TransUnion, Experian, and Equifax. As the gatekeepers of all your sensitive information, they are charged with keeping up-to-date records on the financial activity associated with your unique identity.

Obviously, that can make them a major target for hackers, as Equifax has learned in recent weeks. A data breach of their servers was discovered on July 29, 2017, and the complete identities of more than 148 million US consumers were stolen. These identities include names, birthdates, Social Security numbers, and more.

In addition, Equifax has said that hundreds of thousands of credit card numbers were stolen, along with documents about credit disputes which contained sensitive personal identifiable information.

The Aftermath: Equifax One Year Later discovered that nearly 90 percent of respondents reported that they experienced adverse feelings or emotions – beyond the financial impacts.

The next step is for Equifax to notify the victims of the breach by mail. Presumably, since the stolen information contained everything that a thief needs to steal someone’s identity, Equifax will be offering credit monitoring service to the victims, however, that remains to be seen.

Should consumers receive a notification letter, it’s important that they take the following steps:

  1. Read the letter carefully and determine what information was compromised. If it’s just your credit card number, that might be easily fixed with a phone call to your financial institution. If it was more invasive information, then further action could be necessary.
  2. If you’re offered credit monitoring service as part of this or any data breach, do not disregard the letter. That offer indicates that your most sensitive information is believed to have been put at risk. Typically, offers of credit monitoring span one to two years and that can give you a lot of peace of mind following the breach.
  3. Save the notification letter in a safe place. It is not an official document for legal reasons, but it can help serve as proof that your identity was compromised in the event that someone ever uses your information fraudulently.

As a consumer, you’re entitled to one free credit report each year from each of those three credit agencies, so it’s important that you stay on top of your credit reports for the foreseeable future. If your complete identity was stolen, then there’s a very real chance that new accounts and lines of credit can be opened in your name at any time. Monitoring your credit is a good idea anyway, but is certainly necessary if your data has been stolen.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When new technology comes along, it might take a matter of years or only a matter of days for a highly-skilled hacker to figure out a way to break in. With any luck, the person who breaks into the system is what’s known as a “white hat hacker,” or someone whose expert-level skills are put to use helping stop criminal activity instead of benefitting from it.

When security analyst Ryan Stevenson breached Comcast’s Xfinity website portal, it seemed like a frighteningly easy task. It simply required him to match up readily available IP addresses—basically, your computer’s code name onto the internet—with the in-home authentication feature that lets users pay their bills on the telecom provider’s website without having to go through the sign-in process. Another vulnerability allowed Stevenson to match users to their Social Security numbers by inputting part of their home mailing addresses—something that the first vulnerability exposed—and guessing the last four digits of their SSN.

Guessing the last four digits of someone’s SSN might not sound that easy, but it only takes seconds for a computer to do it with the right software. The flaw in the website allowed the computer to make an unlimited number of guesses for a corresponding mailing address, so it took very little time for the code to reveal complete Social Security numbers.

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch a few hours after the report of the flaws. The company responded to requests from news outlets with an official statement to the effect that they have no reason to believe anyone other than Stevenson accessed this information. They also don’t believe that the vulnerabilities are related to anyone with malicious intent. Just to be safe, though, the company is continuing an investigation into how the flaws originated and how they might possibly have been used.

In the meantime, Xfinity customers would do well to monitor their accounts closely. This could potentially affect other accounts, not just their telecom service accounts, as Social Security numbers, names and mailing addresses were visible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Highly-sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health proves, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skillset the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email or even a free throw away account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring for those whose Social Security numbers or drivers licenses were accessed. They’ve also included instructions to all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. It doesn’t matter if it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It does not matter what the mechanism is, such as email or social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and head directly to your account for whatever company or organization claims supposedly sent the message. Look into your account status there, and if you’re still unsure, contact the company directly through their verified contact method. If you receive any requests for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Reddit is a popular-but-controversial website dedicated to forum threads and messaging groups. Think of it as a giant bulletin board at the end of your driveway where anyone can post a new discussion topic, others can respond, but only a handful of people whom you’ve chosen are allowed to come up to the door and talk to you. Unfortunately, the highly anonymous nature of Reddit has allowed it to become a breeding ground for discussions that range from “how to bathe a poodle” to “where to buy illegal items” and other dangerous content.

Reddit has now disclosed that it suffered a data breach in June, and that login credentials were stolen for everyone who signed up for an account before May 2007. A separate compromise at the same time also accessed all of the daily digest emails, which presents a different kind of privacy problem.

The website is one of the largest in the world, so a hacker who pulled off this feat already gets to brag a little among his cybercriminal contacts. However, what sets this one even further apart is that the hacker was able to bypass two-factor authentication to gain access to employee credentials.

Two-factor authentication is an additional layer of security that denies you access to an account until you have two methods of logging in. It might be sending a one-time use PIN number to your phone, for example, which you need in order to log in alongside your username and password. It may also be answering security questions or providing other details to verify your identity.

Given the highly controversial nature of some content on Reddit, the company’s employees were required to use two-factor authentication in the form of an SMS message, or a text message as it’s more commonly known.

Somehow, the hackers intercepted those text messages and were able to log in under the employees’ stolen credentials.

First, the dire warning to the tech community: don’t be fooled into thinking that two-factor authentication will absolutely keep someone out. Yes, it’s been a great shield so far, but this demonstrates that it can be cracked. Previous data breaches that have leaked cell phone numbers may be to blame, as a hacker can port that number to an additional handset and intercept SMS messages.

Next, for Reddit users: the anonymity that you’ve enjoyed so far may be at risk. The hackers accessed the daily digest subscribers’ emails, so if you’ve subscribed to any Reddit subgroups that are topic-specific—especially ones that could have personal consequences if other people found out—there’s a chance your email address could be shared. If your email address has also been used to log into Reddit and post inflammatory, sensitive or otherwise extremely private content on Reddit, it is possible for the hackers to connect those dots and make that information public.

Reddit will undergo a forced password reset for accessed accounts, but it’s a good idea to log in and change it even if you don’t receive notification from Reddit. Also, if you’ve reused a password from Reddit on another account, you should change that one as well.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When news breaks of a data breach, consumers might envision a network of Dark Web hackers infiltrating a major target and stealing their files. However, a large number of data breaches are the work of a company’s employees. Sometimes, those employees have set out to steal information from the business, while other inside job data breaches are purely accidental.

That appears to be the case in yet another data breach that can be traced back to an unsecured Amazon S3 web hosting server. Many breaches have already occurred as a result of user error in password protecting these hosted file storage databases, but this time, the compromised information was voter registration records.

A data breach involving voter records might automatically make the public assume the worst in today’s political climate, so it’s important to point out that the compromised information includes a lot of data that is already publicly available to researchers, journalists and other interested parties.

In this event, an unsecured server allowed anyone who “stumbled” on it online to see information that includes full names, phone numbers, complete mailing addresses, political affiliations, birth dates and genders, demographic information that has been gathered and more. The database included records for more than 26,000 voters, according to a report by Bob Diachenko, head of communications for cybersecurity firm Kromtech Alliance Corp.

Diachenko found the information online after conducting a sweep for unsecured S3 web servers. The information belonged to a political robocalling company named Robocent, who sells individual voter records to anyone who wants them for three-cents apiece. The only thing Diachenko had to do to find this exposed database was search for the keyword “voter” in his hunt for unsecured servers.

Unfortunately, another service had already found the information. According to a report on this incident by Cyberscoop, “By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets.”

When Diachenko reached out to Robocent to report the compromised data, the response was less than satisfactory: “We’re a small shop (I’m the only developer) so keeping track of everything can be tough.” The information is now secured, but there is no way of knowing who else has already seen it.

Looking back at the information that was exposed, it might seem like fairly harmless, common knowledge-type data. After all, names and addresses need more protection. However, this type of database exposure is a gold mine for identity thieves who commit synthetic identity fraud; that type of fraud occurs when the criminal pairs existing identifying information with a made up or unissued Social Security number, essentially creating a fake person who has the victim’s name, address, and other data points.

Since members of the public have very little recourse when it comes to knowing if someone compromises their information, it’s more important than ever to monitor your account statements and credit reports, secure all of your accounts with strong, unique passwords and stay on top of anything suspicious that happens with your identifying information.

ith harsh comments, pleas for help, and any other statement to get the money out of you. Don’t fall for it, and don’t let love turn into heartache and loss by giving in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.