George in Maryland wrote to us. His Social Security number was stolen in the TraceSecurity healthcare vendor breach earlier this year. He did the things you're supposed to do — filed reports, froze his credit. Then a few weeks later, he got a USPS change-of-address confirmation for an address he's never lived at. Someone was trying to redirect his Social Security benefits. The first breach opened the door, and the second attack walked right through it.
That's the thing most people don't realize about SSN theft. It's not a single event — it's the beginning of a campaign. And George's experience is basically the textbook pattern now. The TraceSecurity breach gave criminals his SSN and medical data. The USPS change-of-address scam gave them a way to intercept his physical mail. Put those together and you've got everything you need to hijack someone's benefits.
Daniel sent us this question on George's behalf, and it's one of those prompts where the more you look at it, the more you realize how many layers there are. What makes SSN theft different from regular identity theft? Why are physical and digital attacks converging? And if you've already been hit, are you a permanent target — and what do you actually do about it?
The timing on this is not coincidental. This year saw what's being called the Social Insecurity breach — UpGuard's research team discovered it, and the numbers are hard to wrap your head around. Three point three billion records exposed from a background check company. SSNs, passwords, full financial profiles. That's more records than there are people on the planet, and it means the odds that your SSN is already circulating on criminal forums are — well, they're not odds anymore. They're a near certainty.
Three point three billion records. That's the "oops" of the century.
Here's the core tension that makes this whole thing so broken. Social Security numbers were never designed to be authentication tokens. They were created in nineteen thirty-six as a way to track earnings for retirement benefits. The card literally said "not for identification purposes" on it until nineteen seventy-two. But over decades, banks, hospitals, credit bureaus, utilities — they all started using it as a universal identifier and de facto password. So now you have a number that was never meant to be secret, never meant to be revocable, functioning as the master key to every financial and government system in the country.
It's like using your street address as your house key. Everyone can see it, you can't change it, and somehow we've all agreed it keeps the door locked.
That's exactly the analogy. And the Social Insecurity breach takes that broken system and pours gasoline on it. This isn't like a credit card getting stolen where you cancel the number and get a new one in three days. The Social Security Administration issues about six million new SSNs per year, and changing yours requires documented evidence of ongoing, severe harm. You can't just call up and say "mine's been in a breach, can I get a fresh one?" They'll tell you no unless you can prove someone is actively ruining your life with it right now.
Which is a bit like waiting until the house is on fire before they'll let you change the locks.
By then, the fire's been burning for a while. So George's situation — TraceSecurity breach followed by a USPS change-of-address attack — that's not bad luck. That's how the playbook works now. The SSN is the anchor, and criminals build outward from it using whatever other data they can scrape together. Physical mail, data broker profiles, public records, previous breaches. Each piece makes the next attack easier.
Where do we even start untangling this? Because George's question has multiple threads — how the attacks work, why prosecution is so rare, what he should actually do right now — and I think we need to walk through all of them.
Let's start by defining the scope, because SSN theft really is its own category of problem. Most identity theft is transactional — someone gets your credit card number, runs up charges, you dispute them, the card gets replaced, you move on. But an SSN is static. It's tied to your tax history, your earnings record, your benefits eligibility. You can't swap it out, and even if you could, you'd be starting from zero on everything linked to the old number. That's why criminals prize SSNs above almost everything else — they're a long-term asset, not a one-time exploit.
The Social Insecurity breach basically flooded the market with those assets. Three point three billion records. Even accounting for duplicates and outdated entries, that's a staggering volume of fresh, actionable data.
And what makes this breach particularly dangerous is what was in it. This wasn't just SSNs in isolation. It was SSNs paired with full names, addresses, dates of birth, and in many cases passwords. When you have all of that together, you're not guessing anymore. You're showing up to a bank's authentication system with the correct answers to every question they ask. This is what security researchers mean when they talk about the triangulation attack — you're not breaking the lock, you're showing up with the key because you assembled it from pieces that were never supposed to be in the same room together.
That's the word I want to sit with for a minute. Because most people think of a data breach as "someone got my password" or "someone got my credit card." They picture a single point of failure. What you're describing is more like — criminals are playing a jigsaw puzzle with your life, and each breach hands them a few more pieces.
And the pieces come from everywhere. The TraceSecurity breach in January — that was the first major SSN leak of the year — gave criminals healthcare data. Medical record numbers, insurance details, SSNs. Then you've got data brokers selling profiles with your current and previous addresses, your phone numbers, your relatives' names. Add in something like the USPS Informed Delivery scam, where criminals sign up for digital previews of your incoming mail using just your name and address, and now they can see your benefit checks, your tax documents, your bank statements before you do. None of these pieces is enough on its own, but together they form a complete picture.
Let me trace the attack chain for George specifically. His SSN gets exposed in the TraceSecurity healthcare vendor breach. That's piece one. Then someone uses that SSN plus his name and address — which are trivially available from any number of sources — to file a USPS change-of-address. That's piece two. Now his physical mail is being forwarded somewhere else. What's the endgame?
The endgame is his Social Security benefits. Once they've redirected his mail, they can intercept benefit statements, tax forms, anything the SSA sends by paper. But more importantly, they can use that address change as a foothold to reset his online accounts. When you call the SSA or your bank and say "I've moved, I need to update my address," what do they ask to verify your identity? Your SSN, your date of birth, and your previous address. All three of which the attacker now has. They're not hacking a system. They're walking through the front door with a perfectly valid set of credentials.
This is where the design flaw in the whole system becomes impossible to ignore. We've built authentication around data points that are supposed to be secret but are actually just — biographical trivia. Your mother's maiden name isn't a password. It's a fact. Your previous address isn't a secret. It's public record. Your SSN was never meant to be confidential, and now it's the one piece of information that unlocks everything else.
The SSA's own authentication system relies on exactly these data points. If you want to create a "my Social Security" account online, you have to answer questions drawn from your credit history and public records. Questions like "which of these streets have you lived on" or "which bank holds your mortgage." Those are the same questions that a criminal with a breached background check report can answer. The system authenticates you based on information that is no longer secret — and in the post-Social Insecurity era, it's not even hard to find.
The thing that's supposed to protect George's benefits is a quiz that anyone with a twenty-dollar dark web purchase can ace.
That's the problem in one sentence. And it gets worse when you look at who's most vulnerable. The elderly — the SSA still mails over twenty million paper benefit statements every year. If you're eighty-five and you've been getting a paper check since nineteen seventy, you're not necessarily checking your online SSA portal every month to make sure nobody changed your direct deposit. Low-income individuals who rely on benefits portals with weak or nonexistent multi-factor authentication. People with limited digital literacy who may not know what a credit freeze is or how to monitor their credit report. These are the people the system is failing the hardest.
They're the ones who can least afford to have their benefits stolen. If you're living on Social Security, a single month of diverted payments is catastrophic.
And the criminals know this. They're not targeting millionaires with complex financial portfolios — they're targeting people whose entire financial life runs through a handful of government portals with outdated security. It's efficient, it's low-risk, and the victims often don't discover it for weeks or months.
That's the landscape. George's SSN is out there, the Social Insecurity breach means most Americans' SSNs are out there, and the attack pattern is shifting from simple credit card fraud to full-scale benefits hijacking using triangulated data from both digital breaches and physical mail interception.
That's before we even get into the question George asked about prosecution and whether he's a permanent target. But I think the first thing to establish is just how fundamentally different this moment is. The Social Insecurity breach isn't just another data leak. It's the one that changes the math for everyone. When three point three billion records are in circulation, the question isn't "has my SSN been exposed." The question is "has someone connected it to enough other data points to act on it yet.
If they haven't yet, the assumption should be that they will.
That assumption changes how we have to think about the whole threat model. Because SSN theft isn't just a digital problem with a digital solution. The hybrid nature of these attacks is what catches people off guard. You freeze your credit, you set up two-factor authentication, you feel secure — and then someone steals your mail.
Or more precisely, someone signs up for a digital service that lets them preview your mail without ever touching your mailbox. The USPS Informed Delivery thing you mentioned — that's not someone in a ski mask rifling through your curbside mail. That's someone sitting at a keyboard, using your name and address from a data breach to register for a service the Postal Service designed for convenience.
That's the convergence I want to highlight. The TraceSecurity breach exposed healthcare data — SSNs, medical record numbers, insurance details. That's a purely digital breach. But once that data is in criminal hands, it gets weaponized against physical systems. The USPS change-of-address form. Paper benefit checks. The physical and digital worlds aren't separate attack surfaces anymore — they're a single, integrated target.
The criminal playbook isn't "hack a database" or "steal a wallet." It's both, woven together. The database gives you the SSN and the date of birth. The stolen mail gives you the current address and the bank name. The data broker profile gives you previous addresses and relatives. And suddenly you've got every answer to every security question any government agency will ever ask.
The Social Insecurity breach supercharged this because of the sheer volume. Three point three billion records means that for practically every American, at least one piece of their identity puzzle is already assembled and waiting. The only question is whether the other pieces have been connected yet.
Let me walk through exactly how the triangulation works in practice. Imagine a criminal who just bought a batch of records from the Social Insecurity breach. They've got your SSN, your full name, your date of birth, your current and previous addresses. That's the foundation. Now they go to the SSA's "my Social Security" portal and click "forgot password." The system asks a series of knowledge-based authentication questions. Which of these addresses have you lived at? Which bank holds your mortgage? What's your monthly car payment within a fifty-dollar range? These are questions drawn from your credit file — the exact same data that was in the background check breach.
The security questions are drawn from the same database that got breached. That's not a vulnerability. That's a hall of mirrors.
The criminal has the answer key because they bought it for somewhere between two and five dollars per record on a dark web forum. That's the going rate for what's called a "fullz" — a complete identity package. SSN, DOB, address history, employment history, sometimes mother's maiden name. The Social Insecurity data is already being packaged and resold in exactly this format.
Two to five dollars for someone's entire financial identity. That's less than a sandwich.
That's the market working as intended, unfortunately. But here's where the physical-digital convergence gets really clever. The USPS Informed Delivery scam — to sign up, you need a name and address that match USPS records. That's it. So a criminal with your name and address from a data breach can register for Informed Delivery on your behalf. Now they're getting digital previews of every piece of mail headed to your physical mailbox — benefit checks, tax documents, bank statements, replacement credit cards. But the real value isn't just seeing the mail — it's knowing exactly when to strike. If they see a new debit card arriving Tuesday, they know to check your mailbox Tuesday. If they see a benefits statement, they know exactly how much you're receiving and when the next payment hits. And if they've already filed a change-of-address, that mail never reaches you at all.
The digital breach tells them who you are. The mail preview tells them what you're receiving and when. And the change-of-address ensures they get the physical documents. It's a three-step choreography.
The TraceSecurity breach added a new layer to this. That breach exposed healthcare data. Why does healthcare data matter for benefits theft? Because medical identity theft is a parallel attack vector. Someone with your insurance information can receive treatment under your name, and those bills go to your insurance provider. You might not discover it until you're denied coverage for hitting a benefit cap you never used. Meanwhile, the criminal has also used that same data to answer security questions at your benefits portal. Healthcare breaches feed financial fraud in ways that aren't obvious until you map the whole chain.
George experienced exactly this — the TraceSecurity breach gave them his healthcare data, which they then used as a springboard to go after his Social Security benefits. It's not two separate crimes. It's one campaign with multiple phases.
And this is why I keep coming back to vulnerable populations. The SSA mails over twenty million paper benefit statements annually. If you're receiving a paper statement, you're probably not logging into an online portal every week to check for suspicious activity. You might not even have an online account. So a criminal can create a "my Social Security" account in your name — because they have all your data — and you wouldn't know it exists. Then they change the direct deposit information, and your next payment goes to their account. You're sitting at home waiting for a check that was never going to arrive.
By the time you realize something's wrong and navigate the phone tree at the SSA, weeks have passed and the money is gone.
The SSA's fraud recovery process is not fast. You'll eventually get your benefits restored, but that doesn't help you pay rent this month. For someone on a fixed income, that gap is devastating. The same dynamic plays out with unemployment insurance fraud, which exploded during the pandemic and hasn't really slowed down. Criminals file claims using stolen SSNs, the benefits get paid out to prepaid debit cards, and the victim discovers it when they get a tax form for income they never received.
The vulnerable populations aren't just elderly people with paper checks. They're also anyone whose financial life depends on government portals that were built before anyone imagined this kind of coordinated attack.
And the authentication on many of these portals is still fundamentally broken. Some state unemployment systems didn't even have multi-factor authentication until the pandemic forced emergency upgrades. Some still don't. A stolen SSN plus a date of birth is all you need to file a claim in certain states. That's not a security system. That's a welcome mat.
The Social Insecurity breach means that for anyone running this playbook, the welcome mat is now rolled out for essentially every American with a Social Security number. Which is everyone.
Three point three billion records. Even if you assume significant duplication, the coverage is effectively universal. And here's what keeps me up about this — the data doesn't degrade. Your SSN doesn't expire. Your date of birth doesn't change. Your address history only grows. So a criminal who buys this data today can sit on it for years and use it whenever they want. The breach happened in early twenty twenty-six, but the shelf life of the stolen data is effectively forever.
We've established the data is out there forever. What happens next is where it gets ugly. Because once someone has your SSN, they don't just open a credit card and call it a day. The attacks cascade.
They cascade in ways that are hard to spot until the damage is done. Take tax refund fraud. A criminal files a return in your name early in the season, claims a refund, and the IRS pays it out before you even sit down to do your taxes. You discover it when your legitimate return gets rejected because someone already filed under your SSN. That's a nightmare to untangle — the IRS fraud resolution process can take months, and you're stuck waiting for your actual refund the whole time.
That's the relatively simple version. The more sophisticated one is synthetic identity creation. A criminal takes a real SSN — say, a child's or someone who doesn't monitor their credit — and combines it with a fake name, fake address, fake employment history. They build an entirely fabricated person around that real number.
Here's why that's so dangerous. Synthetic identities don't set off fraud alerts because there's no real person to flag the activity. The credit bureaus see a thin file with no red flags. The criminal nurtures this identity for years, building credit slowly, looking like a responsible borrower. Then they max out everything and vanish. The FTC estimates synthetic identity fraud costs about six billion dollars annually, and that number is climbing as data from breaches like Social Insecurity makes it easier to construct convincing profiles.
The SSN is the seed crystal. Everything else grows around it. And the victim might not discover it for years — maybe when they apply for their first credit card and find out they already have a credit history they never built.
Medical identity theft is another cascade effect that people don't see coming. Someone uses your SSN and insurance details to get treatment, and now your medical records are contaminated with their diagnoses, their blood type, their allergies. You show up at an emergency room and the chart says you're diabetic when you're not. That's not just a financial problem — that's a safety problem.
The TraceSecurity breach specifically exposed healthcare data. So for George, that's not hypothetical. His SSN plus his medical record numbers plus his insurance details are all in the same criminal pipeline. The attack surface isn't just his credit report — it's his actual medical file.
Which brings us to the question George asked that I think a lot of victims are afraid to voice: if the perpetrators are caught, does that make me safe again? And the answer is — no. And it's not even close.
That's the prosecution gap, and it's the part of this story that most coverage skips.
Because most people assume that reporting the crime leads to justice. The FTC runs IdentityTheft dot gov, which is genuinely useful — it walks you through creating a recovery plan, generating an FTC identity theft affidavit, disputing fraudulent accounts. But the site explicitly states that it does not guarantee investigation or prosecution. And in practice, most SSN theft cases never see a courtroom.
Walk me through why. If someone steals George's SSN and redirects his benefits, that's a federal crime. Why isn't anyone going to prison?
The criminals are frequently overseas — Eastern Europe, West Africa, Southeast Asia. The FBI can't exactly send agents to Lagos to arrest someone for a five-thousand-dollar benefits fraud. The FBI and FTC prioritize cases with losses over a hundred thousand dollars. Most individual SSN theft cases don't hit that number — the damage is spread across multiple victims in smaller amounts. And third, attribution. Even when the crime is domestic, proving that a specific individual at a specific keyboard executed a specific transaction is extremely difficult. The digital trail might lead to a compromised server in a third country, and that's where the investigation dies.
The practical reality is: file the report, get your affidavit, follow the recovery plan — but don't expect a detective to call you with good news.
That's not cynicism. That's just the math. The volume of cases is enormous, the resources are limited, and the criminals have optimized for exactly this asymmetry. They know that a thousand five-thousand-dollar thefts are less likely to trigger a federal response than one five-million-dollar heist.
Which means the data lives on regardless. The original thief might get caught, might not — the SSN is still circulating. It's been sold, resold, bundled into fullz packages, traded on forums. The Social Insecurity data is already priced at two to five dollars per record on dark web markets. That's not a one-time sale. That's a commodity that gets resold indefinitely.
That's why the answer to George's question about heightened vigilance is an unambiguous yes. If your SSN has been compromised, you are a permanent target. Not for a year. Not until you file the FTC report. The data has no expiration date, and the market for it never closes.
What does permanent vigilance actually look like? Because I think that's the part where people get overwhelmed and do nothing. Give me the concrete steps.
Step one, and this is the single highest-impact thing anyone can do: freeze your credit at all three bureaus — Equifax, Experian, TransUnion. This has been free under federal law since twenty eighteen. A credit freeze blocks any new creditor from accessing your report, which means nobody can open a new account in your name. When you legitimately need credit, you temporarily unfreeze it — which takes about fifteen minutes — then freeze it again. This should be your default state.
Not a one-time fix. A permanent posture.
Step two: set up an IRS Identity Protection PIN. This is a six-digit code the IRS issues you annually, and you must include it on your tax return. Without it, the return gets rejected. Over ten million taxpayers are already enrolled, and it's available to everyone — you don't need to prove you've been victimized. Go to IRS dot gov slash get an IP PIN. It takes about ten minutes.
Even if someone has your SSN and files a fraudulent return, the IRS bounces it because they don't have the PIN.
Step three: lock your Social Security benefits account. The SSA launched the "my Social Security" account lock feature in twenty twenty-four. It blocks all online access to your benefits — nobody can change your direct deposit, nobody can view your statements, nobody can create an account in your name because the account is locked. You call the SSA to unlock it when you need to make changes. For someone like George who's already been targeted, this is essential.
That's the one that directly addresses what happened to him — the change-of-address into benefits hijacking.
Step four: credit monitoring, but with a specific requirement. Most services alert you when your credit score changes. You want one that alerts on SSN usage specifically — when someone uses your SSN to apply for credit, open an account, or verify identity. That's a different signal than a score change, and it catches fraud earlier in the chain.
File the FTC identity theft report at IdentityTheft dot gov even if you've already done the other steps. Not because it guarantees prosecution — we've covered why it probably won't — but because it creates an official record. That record is what you'll need if you ever have to dispute fraudulent accounts, prove to the SSA that you're a victim, or apply for a new SSN in the most extreme cases. The affidavit is your documentation that this happened, and you want that paper trail.
The five steps are: freeze credit, get the IRS PIN, lock your SSA account, set up SSN-specific monitoring, and file the FTC report. That's a morning's worth of work.
That's the part I want to emphasize. None of this is complicated. It's not expensive — three of those five steps are free. It's not technical. It's just that most people don't know they need to do it until they're already a victim. George is actually ahead of the curve because he's asking the right questions now, not after the next attack.
Let's turn those five steps into something listeners can act on right now, whether they've been breached or not. Because here's the mindset shift I think everyone needs to make: in the post-Social Insecurity era, you should treat your SSN as already compromised. Three point three billion records. The math says it's out there. The only question is whether criminals have connected it to enough other data points to act on it yet. Assume they will.
That's a grim starting assumption, but it's the honest one. So what's the unified checklist?
Freeze your credit at all three bureaus today. Don't wait for a breach notification — the notification might never come, or it might arrive after someone's already opened an account. This is free, it takes maybe twenty minutes total across Equifax, Experian, and TransUnion, and it's the single most effective barrier you can put between your SSN and a fraudulent account.
The PIN system at the IRS — that's the tax refund firewall.
IRS dot gov slash get an IP PIN. Six digits, renewed annually, required to file. Even if someone has your SSN and every other detail, the return bounces without that number. Over ten million people are enrolled.
Lock the SSA benefits portal. That's the one that directly stops what happened to George.
SSA dot gov slash my account. The lock feature blocks all online access to your benefits. Nobody changes your direct deposit, nobody creates an account in your name, nobody even views your statements online. You call to unlock when you need changes. For anyone receiving or approaching benefits, this is not optional.
Password manager and MFA on everything financial. That's the hygiene layer.
Don't just enable multi-factor authentication — make sure it's not SMS-based where you have a choice. App-based authenticators or hardware keys. SMS can be SIM-swapped, and that's a whole other attack vector, but trust me — avoid it when you can.
The data broker piece. You mentioned optoutprescreen dot com.
That's the starting point — it stops pre-approved credit offers that arrive by mail, which are a physical theft risk. But the bigger project is opting out of the data broker sites that sell your personal information. There are dozens of them, and it's tedious, but every profile you remove is one less piece of the triangulation puzzle available to criminals. Start with the major ones — Spokeo, Whitepages, BeenVerified — and work down.
The five-point checklist: credit freeze, IRS PIN, SSA lock, password manager with MFA, and data broker opt-out. That's a Saturday morning.
For someone like George who's already been hit, there are a few additional layers. Set up an extended fraud alert. The standard fraud alert lasts one year — you can request one that lasts seven years by contacting any one credit bureau and providing your FTC identity theft report. That bureau notifies the other two. A fraud alert requires creditors to take reasonable steps to verify your identity before opening new accounts. It's not as strong as a freeze, but it adds friction.
Seven years versus one. That's the difference between "I was breached" and "I am a permanent target.
Which is exactly how victims should think about it. Monitor your benefits portals monthly, not annually. Set a calendar reminder. Check your SSA account, your IRS transcript, your state unemployment portal if you have one. The faster you catch a change, the easier it is to reverse. And consider your credit freeze as a permanent state — unfreeze only when you need new credit, then re-freeze immediately. Don't leave it open because you might apply for something next week.
The default is locked. The exception is open. That's the inversion most people need to internalize.
You've got the checklist. But let's zoom out for a second — because the bigger question hovering over all of this is whether the SSN system itself is broken beyond repair.
It's the question nobody in Washington wants to touch. But if we're being honest, the Social Insecurity breach made it unavoidable. We're using a nineteen-thirties bookkeeping number as a national authentication token, and the whole world knows it.
There are models for doing it differently. Estonia rebuilt their entire identity infrastructure around digital IDs with cryptographic authentication. Every citizen has a chip card that uses public-key cryptography — you prove you're you mathematically, not by reciting your mother's maiden name. You can sign documents, access benefits, vote, all through a system where the authentication isn't based on secrets that can be stolen in bulk.
Estonia has one point three million people and built this from scratch after the Soviet Union collapsed. has three hundred and thirty million people and a hundred years of SSN infrastructure embedded in every bank, hospital, and government agency.
That's the political hurdle. Replacing the SSN isn't a technology problem — it's a constitutional-level change in how identity is managed. Every system that asks for those nine digits would need to be rebuilt. The cost would be staggering. And you'd need a national ID system, which triggers a whole different set of political objections in this country.
The realistic path isn't replacement. It's containment. Locking down everything around the SSN so the number itself becomes less useful to criminals, even if we can't get rid of it.
That containment is going to get harder, not easier. The future implication that worries me is automation. AI-powered data aggregation tools are getting cheaper and more capable. Right now, triangulating someone's identity still requires some manual work — scraping data broker sites, cross-referencing breaches, piecing together the profile. But as those tools improve, that whole process becomes automated. Feed in a name and a partial SSN, get back a complete fullz package in seconds.
The synthetic identity problem you described — six billion dollars annually according to the FTC — that number's going to climb. And the profiles will get harder to detect because they'll be constructed with machine precision, looking more legitimate than the real ones.
We're going to see a wave of synthetic identity fraud that makes current numbers look quaint. And the detection systems aren't ready for it.
Which brings us back to George in Maryland. George — freeze your credit today, set up the IRS PIN, lock your SSA account. Those three things take less than an hour and they close the most common attack paths. Then share this episode with someone who thinks it won't happen to them. The data is already out there. The only question is whether you're prepared.
Now: Hilbert's daily fun fact.
Hilbert: The shortest-reigning monarch in recorded history was Louis the nineteenth of France, who was king for approximately twenty minutes in eighteen thirty before abdicating in favor of his nephew — a reign so brief that some historians dispute whether he should be counted at all.
That's not a reign, that's a coffee break.
This has been My Weird Prompts. If you found this useful, share it with someone who still thinks a credit freeze is something you do after a breach, not before. We're at my weird prompts dot com. I'm Herman Poppleberry.
I'm Corn. Lock it down.