For quite some time, Social Security numbers have been called the “Holy Grail” of personally identifiable information. With access to your SSN and a few other key data points, an identity thief could open new lines of credit and run up bills for large purchases for years to come. If you discovered the fraudulent card and canceled it, they could simply open up another one.

In any data breach, it was almost a relief to find out that the victims’ SSNs had not been compromised… but that may not be the case anymore.

As a newly announced data breach of T-Mobile’s network shows, our phone numbers can be a hot commodity for hackers. Hackers made off with the names, email address, some of the accounts’ passwords, account numbers and phone numbers for . The cellular provider discovered the incident on Aug. 20 and shut down the hackers’ access, then began the process of investigating and sending out notification letters to affected customers.

You might think a thief can’t really do much for this information, but that’s not true. With just the data compromised, identity thieves can port the affected customers’ phone numbers to a new SIM card, install it in a new handheld device and access any accounts that the user has connected through that phone number.

For example, a hacker can get into your email account, Amazon account, online banking or PayPal account and more by having the password reset link sent to the phone number associated with the accounts, even if two-factor authentication was in place. The thief can then access the victims’ text messaging, receive the one-time-use verification code and use it to change the victims’ passwords on any accounts where they’ve entered their phone number.

T-Mobile has already begun notifying the victims and offered them some key instructions, namely to change their passwords on their accounts. However, it’s also a good idea to change the passwords on any other sensitive accounts—not just the T-Mobile accounts—and to be on the lookout for any unusual activity. This might include notifications of logins from new devices, contacts from your account providers telling you of suspicious activity, any unusual deductions from your financial accounts and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Identity Theft Resource Center® Sees Major Consumer Impacts One Year After the Equifax Breach. Read the full report here.

For decades, consumers have been told to monitor their credit reports as a way to stay on top of their identities and to maintain general financial well-being.

The sources of those credit reports are three major reporting agencies: TransUnion, Experian, and Equifax. As the gatekeepers of all your sensitive information, they are charged with keeping up-to-date records on the financial activity associated with your unique identity.

Obviously, that can make them a major target for hackers, as Equifax has learned in recent weeks. A data breach of their servers was discovered on July 29, 2017, and the complete identities of more than 148 million US consumers were stolen. These identities include names, birthdates, Social Security numbers, and more.

In addition, Equifax has said that hundreds of thousands of credit card numbers were stolen, along with documents about credit disputes which contained sensitive personal identifiable information.

The Aftermath: Equifax One Year Later discovered that nearly 90 percent of respondents reported that they experienced adverse feelings or emotions – beyond the financial impacts.

The next step is for Equifax to notify the victims of the breach by mail. Presumably, since the stolen information contained everything that a thief needs to steal someone’s identity, Equifax will be offering credit monitoring service to the victims, however, that remains to be seen.

Should consumers receive a notification letter, it’s important that they take the following steps:

  1. Read the letter carefully and determine what information was compromised. If it’s just your credit card number, that might be easily fixed with a phone call to your financial institution. If it was more invasive information, then further action could be necessary.
  2. If you’re offered credit monitoring service as part of this or any data breach, do not disregard the letter. That offer indicates that your most sensitive information is believed to have been put at risk. Typically, offers of credit monitoring span one to two years and that can give you a lot of peace of mind following the breach.
  3. Save the notification letter in a safe place. It is not an official document for legal reasons, but it can help serve as proof that your identity was compromised in the event that someone ever uses your information fraudulently.

As a consumer, you’re entitled to one free credit report each year from each of those three credit agencies, so it’s important that you stay on top of your credit reports for the foreseeable future. If your complete identity was stolen, then there’s a very real chance that new accounts and lines of credit can be opened in your name at any time. Monitoring your credit is a good idea anyway, but is certainly necessary if your data has been stolen.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When new technology comes along, it might take a matter of years or only a matter of days for a highly-skilled hacker to figure out a way to break in. With any luck, the person who breaks into the system is what’s known as a “white hat hacker,” or someone whose expert-level skills are put to use helping stop criminal activity instead of benefitting from it.

When security analyst Ryan Stevenson breached Comcast’s Xfinity website portal, it seemed like a frighteningly easy task. It simply required him to match up readily available IP addresses—basically, your computer’s code name onto the internet—with the in-home authentication feature that lets users pay their bills on the telecom provider’s website without having to go through the sign-in process. Another vulnerability allowed Stevenson to match users to their Social Security numbers by inputting part of their home mailing addresses—something that the first vulnerability exposed—and guessing the last four digits of their SSN.

Guessing the last four digits of someone’s SSN might not sound that easy, but it only takes seconds for a computer to do it with the right software. The flaw in the website allowed the computer to make an unlimited number of guesses for a corresponding mailing address, so it took very little time for the code to reveal complete Social Security numbers.

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch a few hours after the report of the flaws. The company responded to requests from news outlets with an official statement to the effect that they have no reason to believe anyone other than Stevenson accessed this information. They also don’t believe that the vulnerabilities are related to anyone with malicious intent. Just to be safe, though, the company is continuing an investigation into how the flaws originated and how they might possibly have been used.

In the meantime, Xfinity customers would do well to monitor their accounts closely. This could potentially affect other accounts, not just their telecom service accounts, as Social Security numbers, names and mailing addresses were visible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Highly-sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health proves, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skillset the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email or even a free throw away account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring for those whose Social Security numbers or drivers licenses were accessed. They’ve also included instructions to all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. It doesn’t matter if it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It does not matter what the mechanism is, such as email or social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and head directly to your account for whatever company or organization claims supposedly sent the message. Look into your account status there, and if you’re still unsure, contact the company directly through their verified contact method. If you receive any requests for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Reddit is a popular-but-controversial website dedicated to forum threads and messaging groups. Think of it as a giant bulletin board at the end of your driveway where anyone can post a new discussion topic, others can respond, but only a handful of people whom you’ve chosen are allowed to come up to the door and talk to you. Unfortunately, the highly anonymous nature of Reddit has allowed it to become a breeding ground for discussions that range from “how to bathe a poodle” to “where to buy illegal items” and other dangerous content.

Reddit has now disclosed that it suffered a data breach in June, and that login credentials were stolen for everyone who signed up for an account before May 2007. A separate compromise at the same time also accessed all of the daily digest emails, which presents a different kind of privacy problem.

The website is one of the largest in the world, so a hacker who pulled off this feat already gets to brag a little among his cybercriminal contacts. However, what sets this one even further apart is that the hacker was able to bypass two-factor authentication to gain access to employee credentials.

Two-factor authentication is an additional layer of security that denies you access to an account until you have two methods of logging in. It might be sending a one-time use PIN number to your phone, for example, which you need in order to log in alongside your username and password. It may also be answering security questions or providing other details to verify your identity.

Given the highly controversial nature of some content on Reddit, the company’s employees were required to use two-factor authentication in the form of an SMS message, or a text message as it’s more commonly known.

Somehow, the hackers intercepted those text messages and were able to log in under the employees’ stolen credentials.

First, the dire warning to the tech community: don’t be fooled into thinking that two-factor authentication will absolutely keep someone out. Yes, it’s been a great shield so far, but this demonstrates that it can be cracked. Previous data breaches that have leaked cell phone numbers may be to blame, as a hacker can port that number to an additional handset and intercept SMS messages.

Next, for Reddit users: the anonymity that you’ve enjoyed so far may be at risk. The hackers accessed the daily digest subscribers’ emails, so if you’ve subscribed to any Reddit subgroups that are topic-specific—especially ones that could have personal consequences if other people found out—there’s a chance your email address could be shared. If your email address has also been used to log into Reddit and post inflammatory, sensitive or otherwise extremely private content on Reddit, it is possible for the hackers to connect those dots and make that information public.

Reddit will undergo a forced password reset for accessed accounts, but it’s a good idea to log in and change it even if you don’t receive notification from Reddit. Also, if you’ve reused a password from Reddit on another account, you should change that one as well.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When news breaks of a data breach, consumers might envision a network of Dark Web hackers infiltrating a major target and stealing their files. However, a large number of data breaches are the work of a company’s employees. Sometimes, those employees have set out to steal information from the business, while other inside job data breaches are purely accidental.

That appears to be the case in yet another data breach that can be traced back to an unsecured Amazon S3 web hosting server. Many breaches have already occurred as a result of user error in password protecting these hosted file storage databases, but this time, the compromised information was voter registration records.

A data breach involving voter records might automatically make the public assume the worst in today’s political climate, so it’s important to point out that the compromised information includes a lot of data that is already publicly available to researchers, journalists and other interested parties.

In this event, an unsecured server allowed anyone who “stumbled” on it online to see information that includes full names, phone numbers, complete mailing addresses, political affiliations, birth dates and genders, demographic information that has been gathered and more. The database included records for more than 26,000 voters, according to a report by Bob Diachenko, head of communications for cybersecurity firm Kromtech Alliance Corp.

Diachenko found the information online after conducting a sweep for unsecured S3 web servers. The information belonged to a political robocalling company named Robocent, who sells individual voter records to anyone who wants them for three-cents apiece. The only thing Diachenko had to do to find this exposed database was search for the keyword “voter” in his hunt for unsecured servers.

Unfortunately, another service had already found the information. According to a report on this incident by Cyberscoop, “By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets.”

When Diachenko reached out to Robocent to report the compromised data, the response was less than satisfactory: “We’re a small shop (I’m the only developer) so keeping track of everything can be tough.” The information is now secured, but there is no way of knowing who else has already seen it.

Looking back at the information that was exposed, it might seem like fairly harmless, common knowledge-type data. After all, names and addresses need more protection. However, this type of database exposure is a gold mine for identity thieves who commit synthetic identity fraud; that type of fraud occurs when the criminal pairs existing identifying information with a made up or unissued Social Security number, essentially creating a fake person who has the victim’s name, address, and other data points.

Since members of the public have very little recourse when it comes to knowing if someone compromises their information, it’s more important than ever to monitor your account statements and credit reports, secure all of your accounts with strong, unique passwords and stay on top of anything suspicious that happens with your identifying information.

ith harsh comments, pleas for help, and any other statement to get the money out of you. Don’t fall for it, and don’t let love turn into heartache and loss by giving in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Researchers with mobile security firm Appthority have disturbing news for iOS and Android mobile users: a vulnerability on the developers’ end exposed sensitive data collected via more than 1,000 common enterprise device apps. This exposed information, which included personal identifiable information, plain text passwords, and more, was compromised due to what experts are calling the Firebase vulnerability.

Similar to other previously discovered app vulnerabilities, this one occurred in relation to how the app “speaks” to the Google Firebase cloud database. Specifically, when authentication wasn’t required, any attacker could access information through the unsecured Firebase. Developers needed to initiate an additional step to require that authentication, but for too many apps, that step wasn’t put in place.

As a result, this vulnerability leaked around 100 million records from unsecured Firebase databases.

Appthority’s team isolated 28,502 mobile apps—more than 27,000 on the Android platform and another 1200-plus on iOS—that connected to a Firebase database. More than 3,000 were vulnerable because of this lack of authentication. Unfortunately, these numbers meant one out of every ten Firebase databases was left unsecured.

There is a wide variety of app categories involved in this finding, especially business-oriented apps like productivity tools, financial and business apps, and even dating app. The business users of these impacted apps include companies in banking, telecom, ride hailing, travel, and schools scattered through the US, Europe, South America, and Asia.

So what was exposed? Researchers found millions of plain text usernames and passwords, private health records, stored GPS coordinates to past locations, online payment and cryptocurrency activity records, and access to millions of users’ social media platforms.

It’s important for business device users to understand that this kind of vulnerability not only exists, but may even become more widespread based on the increasing numbers of Firebase users since it was launched. It’s worth noting that any vulnerability that exposes sensitive data from an enterprise account can mean the risk of violating regulatory compliance, regardless of how the information was leaked or who was responsible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When the public hears about the latest data breach, they might envision a network of hackers working in the dark web. The reality, though, is sometimes a lot more mundane. Accidental data breaches can happen when information is allowed to fall into the wrong hands for any number of reasons, but the concerns that can arise can be just as serious.

In the past, accidental data breaches have occurred due to issues like losing an unencrypted laptop or flash drive. Other incidents were the result of unsecured servers whose information was unintentionally posted online. In some cases, though, the breach occurred through intentionally sharing information, only it was with the wrong recipient.

That’s the case for Chicago Public Schools (CPS) in a recent data breach that compromised students’ and families’ personal data. Families in the school system were sent an email providing them with a necessary enrollment form. The link included in the email was inadvertently attached to a spreadsheet containing information for nearly 4,000 students and parents in the district. The link was active for several hours before someone noticed the error and removed the information from the link. In this specific data breach, students’ names, phone numbers, email addresses, and student ID numbers were exposed.

Experts looking into the CPS breach point to a far bigger concern than just sending out a link rather than attaching the document that was supposed to go to the parents: why is there a speadsheet of student information stored online that is accessible by anyone who finds it? The spreadsheet was not password protected, and hours after CPS officials informed parents of the error—they requested the families delete the email rather than take down the link—the spreadsheet, however, was still readily accessible. Concerned officials see that as a lack of training and awareness of how to secure students’ personal data.

Unfortunately, this incident is the third such accidental data breach in the CPS school district since 2016. In 2016, an employee sent out sensitive information to unauthorized parties, providing them with access to students’ information.  In 2017, unsecured web documents were posted on the CPS website exposing medical conditions, students’ names, identification numbers and other information.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.