I don't know how many times my social security number has been compromised, much less any other personally identifiable information (PII). Knock on wood, so far I have avoided identity theft, synthetic or otherwise. I have taken all of the recommended steps to protect myself—I get fraud alerts on my credit reports, I've implemented identity monitoring, and so forth. However, given that hackers frequently sell stolen data online, I fear my social security number lingers on the dark web in perpetuity, waiting to be compromised at any time. My curiosity being what it is, I set off on the interwebs to see what I could find.
An internet search string asking "How many times has my personal data been breached?" returned some interesting results. According to the website Have I Been Pwned?
, a searchable repository of data breaches, my personal email address has been breached at least a dozen times going back to 2008. Not all these instances were known to me—I do not recall having a MySpace page! I have also been notified of other breaches that were not listed here, including from financial services companies and medical providers, so the number is surely higher.
I was surprised to learn that my email address was discovered in multiple credential stuffing lists, including "Collection #1," a large collection of credential stuffing lists discovered in January 2019. According to Have I Been Pwned, 773 million unique email addresses and passwords were included. Credential stuffing is an automated cyberattack where criminals attempt to gain fraudulent access to user accounts through use of these types of collections of user names and passwords. On the bright side, if there is one, the website indicated that none of my information had been "pasted," meaning posted on public content-sharing websites frequented by hackers. For over a decade, I have used a password vault to generate and store all of my user profiles and account logins and currently have over 200 different records. I do not reuse passwords, especially for profiles that have payments instruments tied to them, and I believe this practice has provided some measure of protection from this type of activity.
The next stop on my journey was the credit bureau to see what else I could learn about the state of my PII. Experian offers consumers a free "Dark Web Internet Surveillance Report." Although five associated records were located, according to this source, my social security number is currently not on the dark web.
My identity protection monitoring service was the final stop to review my digital exposure report on information about me found on the internet. Relief! My exposure is consistent with the reports from the other sources.
I would rate myself as average in terms of my digital footprint and doubt my internet habits differ from most people's. I doubt my breach experience differs much, either, but from this journey, I've discovered that the safeguards I have in place to protect my personal information seem to be working. Have you taken an internet journey to discover where your personal information may reside? What steps have you taken to ensure your identity remains safe?
By Nancy Donahue, a project manager in the Retail Payments Risk Forum at the Atlanta Fed