What to do if my Social Security number is found on the dark web?
Reviewed by Mike Marcacci, Sr. VP of Engineering at OmniWatch
Having your Social Security number (SSN) stolen can be a frightening and overwhelming experience. Your Social Security number is one of your most valuable pieces of personal information because it can be used by identity thieves to open up other accounts in your name, steal money, and acquire credit cards.
It’s important to understand the risks associated with having your stolen SSN exposed on the dark web, as well as what steps you should take if it does happen. Below, we'll cover:
- How to recognize if your SSN has been compromised
- What to do to protect yourself from additional damage
- Tips for help preventing identity theft in the future.
Knowing these things can help you feel more secure and confident that you have taken all necessary precautions against having your personal information stolen again.
What is the Dark Web?
The dark web is a part of the internet that can only be accessed using special internet browsers, such as The Onion Router (TOR). It is an anonymous network where users can communicate and access websites without fear of being tracked or identified. Many people use the dark web to buy and sell illegal goods, as well as engage in other criminal activities.
However, it also has legitimate uses such as allowing whistleblowers to communicate securely with journalists or activists to share information without fear of government surveillance. Also, some individuals may use the dark web for more mundane tasks like browsing online forums or playing video games. Regardless of its purpose, it remains largely unregulated and often serves as a hub for illegal activities.
How did my Social Security Number end up on the Dark Web?
There are several ways a stolen Social Security number (SSN) can end up on the dark web. One way is through an online data breach, where hackers gain access to a company’s database and steal personal information like SSNs as well as other sensitive data. Another way for an SSN to be exposed is if someone with malicious intent deliberately posts it on the dark web or even the surface web. This is referred to as DOXing and is something anyone can become a victim of. The information exposed in DOXing, or publicly posting someone’s private information without their consent or knowledge, is not limited to stolen Social Security numbers. It all depends on the information another individual can obtain about the victim.
In some cases, an SSN can be exposed due to human error or negligence. For example, if an employee accidentally uploads a file containing sensitive information to a shared server that is not properly secured.
What can People do with my Social Security Number?
Once a hacker has obtained access to your Social Security number, they can use it in a variety of ways. They can open new accounts in your name to run up large amounts of debt and apply for credit cards or loans. They may commit social security fraud and file taxes using your SSN to gain fraudulent tax refunds. They could also use your stolen SSN to apply for government benefits or services. They can also sell your SSN on the dark web as a form of currency. Once an online thief establishes a foothold with your identity, it makes it easier to compromise downstream individuals’ information as well. This means they may target your children, family, or friends.
Enter your email address and get results in seconds
Hackers and thieves don’t wait and neither should you! See if your passwords have been exposed in a data breach.
What Should I do if my Social Security Number is Stolen?
A stolen Social Security number is a serious threat and must be addressed immediately. If you suspect your SSN was stolen and might be on the dark web, take action now. The first step is to determine if preventative measures will be enough or if someone is already using it and you have been a victim of identity theft.
Step 1. Determining if you’ve already been the victim of ID theft
Create a my Social Security Account and Review Your Earnings
The Social Security Administration lets you create an account to request new cards and monitor activity. Create your my Social Security Account online to review your past earnings and check for any discrepancies. If you think your SSN has been stolen you should create an account before a potential thief can make one. If you discover that your income records are higher than what you make, this would be an indication that someone has used your stolen SSN to apply for a job.
How to Report a Stolen SSN
If you find errors in your report that lead you to believe your SSN was stolen, you should report any inconsistencies to the Social Security Administration immediately.
Check Your Credit Report
View your credit report provided by OmniWatch™ to see if any new accounts or changes have happened that don’t look right, specifically new inquiries to review your credit report that you did not request.
Monitor Your Credit Card Activity
Regularly review your credit card statements for any purchases you did not make. Report any suspicious activity to your financial institution and the police.
File an FTC Identity Theft Report
If you think your identity was stolen, you should file an identity theft report with the Federal Trade Commission. This will alert authorities of potential fraud activity and can help protect you from further damage. Report identity theft at the Federal Trade Commission’s Identity Theft webpage.
FBI IC3 is also a good resource for reporting Cybercrime. This is a cybercrime complaint reporting site run by the FBI and is the nation’s central hub for reporting online criminal activity.
After filing, you should immediately call OmniWatch support at 877-892-8249 to get a dedicated resolution specialist assigned to your case.
Step 2. Preventing thieves from using your SSN
If following the tips in Step 1 shows nothing out of the ordinary, you should immediately take the following steps to add additional layers of protection.
Monitor Your Credit Alerts
With any OmniWatch subscription, you’ll get alerts when anything changes on your TransUnion® Credit report, and if you have a premium subscription you’ll get alerts for all three credit bureaus –TransUnion®, Experian®, and Equifax® –so you can know when anything changes.
Lock/Freeze Your Credit With All 3 Bureaus
Locking or freezing your credit with all bureaus will prevent any new lines of credit from being opened on your credit reports. The downside is you will need to remember to unlock whichever credit report a potential lender uses if you need to open a new credit card or get a loan.
You can easily lock and unlock your TransUnion Credit Report right from OmniWatch. Simply toggle it on and off on the “credit” page. You can easily lock your Equifax report at no charge from their website by creating a free account here.
Experian charges you to lock your credit, but by law, they are required to allow you to “freeze” your credit. This has the same effect as locking your credit, but instead of being able to easily toggle it on or off, you have to authenticate your identity every time you want to freeze or unfreeze your credit. You can freeze your credit with Experian here.
IRS PIN
You can create a unique PIN that the IRS will require to accept your tax return. Change your IRS PIN code every year. This can help prevent anyone from committing tax fraud and stealing your tax return. You can access this feature by clicking here.
E-verify Lock
E-verify is used by businesses to verify that your SSN is valid and you are eligible to work in the United States. To prevent anyone from using your stolen SSN to get a job, you can lock your E-verify account to prevent any new inquiries from being run. Just like with credit lock, you’ll need to remember to unlock this if you are applying for a job yourself.
Lock Your Social Security Number
You can contact the Social Security Administration and have your SSN locked so that no one including you can make any changes to your record. This is a more extreme measure, so you should be careful doing this.
Leverage OmniWatch
If you already have OmniWatch, don’t worry you’re covered with up to $2 million in identity theft insurance (exclusions and limitations apply) if someone does steal your identity. We have US-based resolution specialists available 24/7 who will walk you through the entire process and even fill out and submit paperwork for you.
How Else can I Protect my Social Security Number?
Here are some additional ways you can limit the chances of someone getting a hold of your SSN.
Secure Your Home Network and Devices
Make sure all your home devices, including computers, laptops, mobile phones, and tablets are secured with strong passwords. Additionally, you should enable two-factor authentication on any accounts that offer it for an extra layer of security.
Be Smart About Sharing Personal Information
It’s essential to be aware of the sites you visit and what information you share online. Be sure to avoid clicking on suspicious links or emails, as they may lead to websites where your personal information could be stolen.
If anyone asks for your SSN you should inquire why they need it. Often, places such as doctor’s offices want that information but don't actually need it for anything service-related. This is sometimes a mechanism used to pre-qualify patients for cash-pay services that appear to be necessary and are often assumed to be covered by insurance, but in reality, are not. Medical industry investment in IT and security is far below the nationwide average, making these higher-risk locations to store sensitive data.
Using Two-Factor Authentication (2FA)
Two-factor authentication, meaning that along with a username and password, you need another “factor” to unlock your account, will also help make your accounts more difficult to access.
Common examples are when you have to enter a code you receive in your email or phone or an authentication app that provides a rotating code to enter to log in.
SMS two-factor authentication is the least secure method because phone numbers are easier to hack. In 2022, hackers claimed they breached T-Mobile over 100 times, partly to gain access to phone numbers to break into 2FA-enabled accounts. For more security, you can use either email-based 2FA or an app like Google Authenticator.
Google will also allow you to enable “advanced security” on your accounts and order a hardware MFA token directly from them. A FIDO2 hardware token is currently probably the most secure implementation of MFA. Consumers can also buy a FIDO2 token like a Yubikey on Amazon that will work with nearly every service they use.
Strengthening Passwords
Multiple tools can help crack passwords, especially if they are short or use things like addresses, emails, or anything that may be associated with you. Ideally, you want to create a long password with numerous special characters that spell no particular word. Better yet, you can use a complicated and unique passphrase. Since these are hard to remember, using password managers like 1Password® can help you create secure and varied passwords or passphrases well still allowing you to log into accounts easily and quickly.
Strengthening Security Questions
When creating answers to security questions, you should never put real answers. This information can be discovered. Instead, create your answers the same way you would create long difficult passwords
Sign up for an Identity Protection Service like OmniWatch
Identity protection services like OmniWatch can monitor your credit, help detect suspicious activity, and offer identity theft insurance if your identity is stolen.
To learn more about how OmniWatch identity theft monitoring can help you know if your Social Security number is stolen or other personal data is compromised, click here.
What Cybersecurity Professionals are Saying
Chester Wisniewski
Principal Research Scientist at Sophos
“Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies”
Matt Kapko
Cybersecurity Reporter
"Threat actors don’t just follow the news — they react to it and identify new ways to target potential victims during moments of heightened sensitivity."
Chester Wisniewski
Principal Research Scientist at Sophos
"ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams."