You are here

How fast will identity thieves use stolen info?

Share this page

If you’ve been affected by a data breach, or otherwise had your information hacked or stolen, you’ve probably asked yourself, “What happens when my stolen information is made public?” At the FTC’s Identity Theft workshop this morning, our Office of Technology staff reported on research they did to find out.

First, they created a database of information about 100 fake consumers. To make the information realistic, they used popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card).

They then posted the data on two different occasions on a website that hackers and others use to make stolen credentials public. The criminals were quick to pounce. After the second posting, it took only nine minutes before crooks tried to access the information.

In total, there were over 1,200 attempts to access the email, payment and credit card accounts. The identity thieves tried to use our fake consumers’ credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza.

The research shows that Identity thieves are actively looking for any consumer credentials they can find: if your account data becomes public, they will use it.

So what can you do to limit your risk? Well, in this study, two-factor authentication prevented thieves from gaining access to the accounts. Two-factor authentication is a process that requires both your password and an additional piece of information (such as a code sent to your phone). Because these thieves did not have access to the second factor, they were unable to access the accounts. It’s not a cure-all, but it can help.

For more tips, check out our article on Computer Security.


Thank you for this great info!

Thanks for news helps me out to understand

So you found a site that thieves use as a clearing house for stolen identities but you didn't take it down? How many thousands of people got ripped off while you were doing your little experiment?

The FTC does not have the authority to take down web sites.

We think it's important to alert email and payment service providers that these sites exist, so they can monitor the sites for the listing of stolen credentials and lock down compromised accounts to nip identity theft in the bud. It's far easier to develop countermeasures when the sites are public than when credentials are made available on the dark web or in private hacker forums.

Your Web sites policy specifically states that all .gov networks are monitored by DHS, ISP's, Cyber Command, Etc, & publicly touted Eneistein3, a DHS intrusion prevention & monitoring program that in addition to ISP participation, & best in class public sector pattern & traffic analysis allows for "realtime deep packet inspection monitoring of all traffic flowing either to, from, through, between, including your Internet Service Provider for every connection". It also states this can be and is shared with Federal Agencies who's responsibility is national cybercrime prevention, detection, & apprehension of perpetrators. You also state DHS records IP addresses, publicly posted information regarding technical proficiency/expertise even if it's professional & legal, as well as common forms of cyber protection, I.e. Use of VPN and Proxy nodes for individual, business, or organization network security & will flag this as "suspicious & potentially malicious activity" going so far as to record actual Personal Info such as email addresses, locations, Service Providers, Hardware Signatures, Traffic Analysis, etc...with a defined bias toward IT/Infosec/Network, Data, & Systems/Encryption Security Professionals especially with cryptographic & programmatic backgrounds (but you don't garget individuals just security threats, yet provide Public Service Providers with IP addresses to alert, analyze, & track using "patterns" on the above criteria) your IP is a unique enough personal fingerprint, & the DHS document your site links to basically states "[paraphrase] those who understand how to do something will be added to all CyberDefense Federal Watchlists upon being flagged as potential security threats because they either A. Are following best security & privacy practices to protect their personal or business from malicious actors Or B. Possess the Technical Capability/Knowledge to potentially at some nonspecific future point use said knowledge for "evil" instead of "good" it justifies directing targeted AI pattern, meta data, aggregate analyitics & deep packet inspection to decipher content consumed through traffic analysis & build a behavior pattern /profile of digital activity but it's okay because your using the # an ISP assigns a customer as their IP address to track US Citizens in. LegLly justifiable way, & you kindly redact our PII unless it's deemed relevant. DHS also states use of sinkhole servers to redirect traffic & no legally defined restrictions on retention of PII, or IP/HW signatures for non-threats; BC they CLEARLY point out they Routinely GATHER IRRELEVANT INFORMATION PERSONAL & otherwise on a Larger than Necessary Scale, & RETAIN it.

The fact that I wrote this post would flag me if i wasn't aware I already am, & a federal employee had the GALL to reply it is not the FTC's mandate to take down cyber criminals...but apparently it is to create a honeypot full of false PII, & then monitor how quickly you got them to "flag" themselves for monitoring , even though you are not a law enforcement body. Please provide Actual CyberSecurity guidelines to protect unknowing consumers; because the average household is vulnerable through its "smart" thermostat or TV (sorry ABC.govs) I know Bluetooth & wifi frequencies hopping to. Breach peremiters is the cakewalk way in; but consumers need to realize if I was a malicious actor your "smart" IoT devices, especially wearables provide more personal & compromising info than you filling out a survey ; their security is practically nonexistent, their built for interoperable connectivity, & they have sensors that track EVERYTHING. Plus anything that emits electromagnetic waves can be utilized to penetrate any electronic device...meaning even if you practice reasonable "traditional" network security, your WiFi Espresso Machine just made it all pointless. 20 lines of code & a signal amplifier I can read your "smart" power meter & gather enough useful information to discern what channel your watching on your TV....This makes Households Vulnerable in ways they never were before. And remember the Government is not going to use its capability to shut down a hacker's Botnet performing DDOS attacks in your "smart security system" or worse your Business Infrastructure; breaches cost $$$. Layered Security, multi tiered; invest in your digital protection most valuables are now represented electronically.

Great insight and fantastic Technical Knowledge. You should be working FOR the FTC then, or the to catch these Cyber criminals. I deal in Consumer Protection at the state level. We try to explain the various methods Cyber Criminals use to steal our personal and financial information, then how to follow all steps to protect one's Credit History at the minimum. Very difficult to convince senior citizens how technology works.
It is mind boggling how many ways there are to "track" our info. Thanks for the lesson.

I'm getting frustrated I can't get them off my phone and use my phone

If Two-factor authentication helps, why doesn't our social security numbers have two-factor authentication, so that no one with the number can use it without the second factor which is changeable? Seems crazy that you can steal a SS# and unlock a person's life with only that one thing.

Social Security Administration will re-attempt two-factor authentication log-in on 10 June 2017.

My identity has been stolen over the past 5 years through My Social Security # !! I have always had a 2 factor I'm just lost

If you need help recovering from identity theft, go to It explains what reports to file right away, who to contact and how to repair the damage.

@ justWondering, I think it depends who you give your SS # to. Using it with a credit card, for example, depends on that credit card having the 2 step authentication. I just read, think from FTC, that finally Medicare will stop using our SS #'s as an ID #. Anyway, this article is good info. Very interesting 'test' of the scumbags. (Yes, I've been the victim of ID theft, hence the sentiments for these 'people'.)

Still one-two years away!

I was shocked when I signed up for Social Security and realized my account is my Social security number. Everyone has it now. What happened to don't give your SS# to anyone?

Sad thing is that when a person dies, his or her SS# becomes public information almost immediately. Why?! Shortly after both my father and later my Mother dying, they both had their SS#'s hijacked and attempts to take over their identity! I got at least one of them caught. FBI wouldn't give me any particulars but they said the person was apprehended.

How do I get my personal info off the internet?

some one got a hold of my ssi# my b date my mothers maiden name n hrme likes in Jamaica

This is good stuff. I tried to report someone tampering with my identity, and was told that I had to have a 'tangible loss' before they would act on it. Kinda like waiting for the weazel to actually eat the eggs, instead of grabbing the crook beforehand, no?

Something is not right here. report to police and get a copy of report so that you and they have records of the case something really does happen. And batten down the hatches with preventative measures so that any more attempts don't go further..change passwords, get alerts,get fraud alert protection and notify all business contacts of these attempts so that they are on alert. This must be done regularly.

Nigerian man Marco bright has scammed me out of 2,500 his phone number is +2349037852880 and I've had to report him to face book on there his name is Marco bright all his friends on his Facebook friends list got all scammers on it they shouldn't be allowed to get away with it

Doing some surveys online next couple of days later $1998 check from a bank in New Jersey is delivered in my mail by USPS. Wait I never completed any surveys because they were non-sense! A female named Kimberly Finks mailed it from New York to me but after I deposit then I am to email a Mr.PHowellat a hotmail acct. Also another email address is PHOWELL@ myretail     There are to be withdrawn from my acct. and sent to two different men in two areas of TX. My pay is $300 plus $70 for gas used to do this "Mystery Shopper" assignment. I knew from the dtart it was actually a scam. There were three men in different areas with the same number and they think I am stupid! Desperately needing funds to help me and my daughter to hAve a car but by any illegal means! I will keep praying to God! Sad this always happens! I am a victim of ID theft and getting no where with this! If it is real oh well! It was not mine! I will not regret destroying these people if I can! I hope all you evil preyers of people's. ID. rot in hell. O!

Why is it that so many places require you to enter your soc sec number, in whole or part, as a way to identify yourself, either on the computer or by phone, when it is supposedly illegal to use for any other purpose? I have had strangers, even Workers Comp, call and demand it as proof who I am, before they deal with me. I refuse, then they say I can't prove who I am. Credit cards, cell phones, etc, even when I initiate the contact.

Sometimes you will have to share your number. Your employer and financial institutions need your SSN for wage and tax reporting purposes. A business may ask for your SSN so they can check your credit when you apply for a loan, rent an apartment, or sign up for utility service.

I looked for a cell phone # on US Phone Book online and out of curiosity looked up my own cell phone(which I thought was never public) and there it was: my name and town where i live.It had an opt out feature and as I tried to use it, I had a strange feeling about this site.I back spaced without opting out and looked up the company address with street view.To my chagrin,the address of 1821 Q St., Sacramento, CA is a fenced in GARAGE in a trash filled side street in a poorer section.How odd. Then on BBB there were many complaints9 and not accredited.)They also called themselves People Finders.I just thought it was weird how this company with an https website as US Phone Book is actually another company name in a garage in rundown area, with 3 people listed. I get calls with strange numbers and wanted to find out who they caller is on a cell phone. I thought my cell number was private(or at least not listed publicly).How did it get out into a public look up site and a shady looking one at that...out in california? Can someone look into this company...something doesn't seem right...

Unless you pay cash for 100% of everything, your phone number and other basics about you gets spread all over by companies that you do business with.

What all should you do when your FULLz was stolen? I have done the standard things. Inform police, change account numbers, call credit agencies. I doubt I could change social security number, medical number or military serial number.

Not even DHs or the ftc are left out of this witch hunt

Ive been a victim of IDentity theft and going on nine years trying to fix it with putting credit freezes as well using phablet . But , I'm still trying to catch up on the damage it has done to my life I feel like I've been left in the dark just by your self It has affected my life in so many different ways , making me feel so powerless and I'm so tired of fighting and trying to get things removed but Time is ticking. I can say after nine years it has ruined my life it so hard to get someone to help out. It takes money to fix and your paying bills Not even mine . Now I think its time to throw in the towel and claim Bankruptcy. The government needs more of a task force , agents , or a special division to work on these issues for the American people. So our Security won't be in Jeperdey , and the Red White and Blue is Not at such a Risk . More CyberSecurity will do US some good for our nation, Hard working Americans! My self I just don't use the internet anymore but that's just a big trust issue I have now due to this Identity Theft.

Dear JayHawk , this part of your comment "your paying bills Not even mine" , does no make sense. If you have appropriately notified all fraudulent creditors , that you are the "Victim" you should NOT be paying bills that are not yours. By submitting the FTC's Affidavit of ID Theft, and a copy of the police report to the Reporting agencies, they obligated to remove those from your credit history. AND by sending those documents by certified mail to the false creditors they too are to close those accounts and NOT sell it off to another collection agency. It was NOT your account. If either the Fraudulent Creditors or the Reporting Agencies refuse to close them , continue to report all of them to the FTC, CFPB and your Attorney General, and any other Consumer agency in your state, refusal to help an Victim of ID theft clear up the mistake is Fraudulent Practice also.

I think that we have come to a different age in technology and I do not understand why every site does not have a fingerprint system, facial recognition, as well as voice recognition. With those in place it would make it virtually impossible for anyone to hack anything. I think that our governments should be working on that instead of testing how long it takes for hackers to take advantage of people. I am going through identity theft as we speak and feel unsafe to the point that I do not even want to touch any electronics. Maybe that is my fault for being naïve, or trusting. One year ago I was just learning how to email. I have come a long way since, but apparently have way more to learn. I also think there should be an education level of technology before a person is even allowed to use a device like a computer or a phone. I wouldn't call myself a senior citizen, but I did come from an age group where it was not mandatory to learn computer skills in school. Now I wish I did. Now learning is consuming my life and I am happy to learn. I want to be able to protect all my family and the people I care about. I also want my freedom, as well as my privacy back.

i cant open my windows defender, turn on my firewall, or download anything at all

It seems like criminals have more rights than the victims. Where can one sell data on the black web? I'm protected better that way, than I would be as a victim. You guys make it too easy.

We are so happy to have found your web site, it is exactly what my friends and I have been hoping for. The up to date info here on the website is truely needed and is going to help me quite a bit. It looks like the site gained a lot of info concerning the things I am interested in and the other hyper links and information definitely show it. I'm not typically on the web during the week however when I get a break i'm always avidly searching for this type of information and things similarly related to it. I have two of my relatives that have picked up a liking in this because of all that I have gathered about it and they will more than likely going to be visiting this site because it is such an excellent score. I am also interested in government issues and how to deal with the drastic changes in elections. Recently I have also been interested in <a href=>romance mystery</a>

Leave a Comment