How my morning is going...

Your morning will be going worse if you click that link.

Haven’t clicked any link yet but it could be possible phishing. Maybe log into my legit discover account first.
- It is for sure phishing. Discover isn't going to send you an email like that. Even loading the graphics was a bad idea.
  
  Edit: apparently I stand corrected. I've gotten security alerts from my credit card companies before, but never with a link like that, and never saying something like "dark web." Sorry to hear it

I mean, let's be real -- 50% of the USA's SSN is on a dark web site due to the Equifax breach.

Freeze your credit, it's the only way to protect yourself. All of the ID protection services are just overpriced insurance and don't actually prevent ID theft.

Yes. Just FYI: All three have free "freeze" option, hidden somewhere (probably thanks to federal law). They also have very similar paid option, which they heavily advertise; That's not the one. They do all require free accounts, but probably worth it to be able to freeze/unfreeze instantly online.

I just received "dark web" alert about SSN, phone, name, and email... that I only used at AT&T many years ago. So AT&T has definitely leaked our data as well. Add 'em to the list...
Its probably closer to 80% or higher if you add in other breaches

Ah, the Shared Security Number...

Equifax leak. Half of Americans' SSNs are on the dark web.

Yep, I'm in the unlucky half. It's good practice anyway, but now I keep my credit frozen at all three credit bureaus unless I'm submitting an application. Doesn't stop all fraud, but stops most of the kind that can fuck up my credit.
- You may also want to freeze Lexis Nexis and Innovis as well - they buy and sell your data as well
That's only from one breach. I'd wager that at least 75% of our SSNs are out there since this is constantly happening.
I mean, it’s not like an SSN is secure at all. Add 1 to your SSN and that’s most likely a completely valid number for someone else
Those never actually surfaced anywhere. General thought is that was probably a nation state that has no desire to sell them.

The dark web site that has your SSN: first.100,000,000.digits.of.pi.txt - Torrent Download

https://libraryofbabel.info/
Technically, they're hosting a file that contains a link to one or more servers that might have a list of people who claim to have that content, and a series of hashes to verify that they're not bluffing.

I found that my ssn was leaked because I got multiple attempts to take put credit loans. Incidentally, my middle initial is not I, but l. Joke's on them. Every time I see the incorrect middle initial, it's an easy way to tell.

Needless to say, my stuff has been locked for years and only unlocked when I need to take out a loan or open a new account which is extremely rare.

Your info was probably already out there, somewhere. It's most likely in a massive list with thousands of others. It's still not great, but you're not being targeted. This is why it's important to freeze your credit with each bureau.

Just another reminder that using your SSN for ID verification purposes and acting like it's a secret code only you could ever know is a dumb fucking system. Even the "verify with your last 4 digits" is a dumb fucking system. If you have a date of birth and a decent idea of birthplace, you can take a pretty good guess about the first 5 digits because they're sequential from known blocks. It wasn't until about 20 years ago that the government randomized the first 5 to stop that.

Well get a lamp then, discover. Sheesh.

This amuses me that it's talking about a "Dark Web site" while itself is a dark website.

Spiderman pointing at Spiderman meme

By "found" they mean, "accidentally sold to".

Eh, it’s probably been on the dark web for a while now given how frequent and massive data leaks have become. Worry more about unauthorized use/access to your credit and/or identity.

Place freezes on your credit for Experian, TransUnion, and Equifax (it’s free)
Lock any credit cards you don’t use regularly
Pull your credit reports from each agency (you get one a year for free) and verify activity
Enable balance notifications for your credit cards and bank accounts (eg, high transaction amount = $0.00 will alert you to every purchase made)
Opt out of Data Brokers like LexusNexus
Don’t use the same password for multiple websites. If you don’t already, use a password manager like KeePass and let it generate new passwords for you

It’s all about the diligence these days. Your morning should be fine. The worst thing you can receive is a high transaction amount alert you didn’t authorize. But card companies and banks have gotten good about dealing with those when they happen.

The link you shared says only in specific circumstances can someone opt out of LexusNexus:

Opting out of LexisNexis can be more complex than removing your data from other people-search sites. To have your information taken down, you must meet specific criteria, and LexisNexis may request additional documentation:

Victim of identity theft: you need to provide a police report documenting the identity theft or similar documentation.

Law enforcement officers or public officials facing threats of severe bodily harm or death:** **you must submit a letter from their supervisor confirming the nature of their position and the threats.

At risk of physical harm but not in law enforcement: you'll need to submit a protective order from the court, a police report, or similar documentation.
- I believe that the wording is awkward in that you will need additional information if you’re one of the three listed criteria. If you’re just removing it from public view, you only need to provide your name, address, phone and social security number.

Not surprising. I am thinking about creating a foss self hosted scrapper that detects breaches

I probably won't though

I would be surprised if anyone's SSN isn't on a dark web site. Being combined with other personal data is a problem, although the biggest problem is that credit companies treat easily found information as secret and let criminals easily impersonate people by knowing those few easily shared pieces of information without some kind of real security or easy way for people to contest fraud.

But my nuclear attack sub should be hidden in the depths off the gulf of guinea. How did it end up on the dark net?

Someone published all the hull numbers on Wikipedia
- No, they posted it on the War thunder forms.

First time?

It's not great but it's not really world ending. About a year ago someone filed for unemployment in bot my wife's name and my name. Which came as a shock to my employer as I was was still happily at work. I work for a small mom-n-pop store, my wife works at a mega corporation. She caries insurance etc and one of her companies providers had a leak of ssn and other personal information. We both locked our credit and signed up for a protection pin for filing taxes. We reported to the local unemployment office that they were fraudulent claims. I look back and realized we probably should have locked our credit long ago and got tax pins as well, just for the security side of things.

The funny thing is my employer brought it to my attention. My wife's employer didn't even notice and was getting ready to pay the claim even tho she was still working there as the system is all automated in her company. Eventually it came out about the leak and they are providing 5 years of credit monitoring for free.

First time?

I get these notices like every other month, it's why I have credit monitoring.

Eh, pretty much all of my info has been part of one breach or another and nothing has happened. I keep locks with all the credit bureaus and monitor my report regularly, which I think everyone should do, but there's not much else you even can do about it unfortunately.