Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Data breach: DOGE 'accidentally' leaked the whole Social Security database [pdf](storage.courtlistener.com)
95 points by chirau 5 hours ago | 25 comments
fuoqi 2 hours ago | parent | next [-]

Hopefully, it will result in finally dropping use of SSNs as "secret" identifying person's identity and instead it will become an opaque ID which is safe to share.

christophilus 2 hours ago | parent | next [-]

Agreed. This could be a blessing in disguise. However, my money is on: nothing changes— it all simply keeps getting less secure, more complex and brittle until the heat death of modernity.

swed420 an hour ago | parent | next [-]

Most likely. Except:

> it all simply keeps getting less secure, more complex and brittle until the heat death of modernity

Is it modernity? Seems more likely to be archaic economic systems captured by elites and incentivizing the wrong behaviors on all levels.

BoredPositron 2 hours ago | parent | prev | next [-]

There is a whole growing industry depending on it..

PlatoIsADisease 2 hours ago | parent | prev [-]

I've already seen the change in my lifetime.

Need to bring water bills, credit cards, etc... Although not sure how this would work for a 18 year old with 0 of these ahead of time.

jve 2 hours ago | parent | prev [-]

As I am someone from EU, please explain me what can you do with this SSN number?

I mean is it like a unique database row id which happens to be a non-changeable-lifetime password which is stored in multiple places in plain-text and you can use it to... "unlock some doors"? Make legally binding agreements remotely... ? Or what?

Or it is PII - privately identifying information which is more of a privacy issue here?

nerdsniper 2 hours ago | parent | next [-]

It's used for all sorts of "prove you are who you are" situations. It's most commonly associated with applying for credit/loans, and taxes, but definitely not limited to those things. It's ridiculous that an immutable 8-digit number + name is used for authentication in the USA. It even says on the card "FOR SOCIAL SECURITY AND TAX PURPOSES - NOT FOR IDENTIFICATION" but apparently we've all lost our minds and ignore that. It can be very difficult to go through business processes if you refuse to give your SSN - some healthcare providers will just refuse to serve you.

With it, people can take out loans in your name, get into your accounts, file fake tax returns and get tax refunds in your name, and generally act as if they're you. Things are getting a little better nowadays (with additional information required) but we still don't have a secure method of identification online / over the phone.

ants_a 2 hours ago | parent [-]

Over here we use a PKI cert for that. A smartcard providing the root of that trust is provided by the government after verifying your identity using the typical stuff used for identity documents (any biometric data on file, birth certificate, etc.). That still doesn't mean that it's impossible to steal an identity, or acquire a made up one, but it does make it a whole lot harder.

nemomarx an hour ago | parent [-]

The thing about social security is that it was supposed to be used for a fairly narrow system, and the physical cards even have text like "not to be used as identification" on them. And then we used it for that anyway

namibj an hour ago | parent [-]

The German equivalent to the SSN in it's ubiquity, the "federal tax id", is illegal to use for non-tax purposes.

As a German that feels about correct.

noirscape an hour ago | parent | prev | next [-]

Basically in the EU, you usually have an ID card (or a passport/driving license/visa card, they're recorded on all of those too) that has a combination of a citizen ID and a document ID. Both of these details are combined considered to be "you" for the purposes of anything to do with the government. The government has a registration of every citizen ID+document ID combination and knows as a result what documents are in circulation. They're technically not required in most of Europe, although you must be able to procure one at request for legal reasons (ie. getting your employment properly sorted, opening a bank account, or a law enforcement official asking for your identity). Revoking a combination is as easy as getting a new ID card/passport since the combination is what counts. ID documents also usually expire eventually, so there's also an inherent time limit to what a leaked combination can cause issues with.

They're also as I understand it, used to handle things like sending everyone voter IDs for elections in advance; this is how the government knows who to send the voting cards to.

Bafflingly, the US does NOT have a national identification method that works like this. There's no country-wide identity document that provides the same assurances. As a result, most US entities (government branches & corporations) have settled on a "closest possible"... which is the social security number. A number that's used to identify every person with attachment to the US in some form since social security is something every US citizen has to interact with. (It also includes a ton of non-citizens since as I understand it, social security is something foreign workers also have to interact with, but that's besides the point.) It's a 9 character long numeric string that identifies you as a person... and has almost no revocation mechanism, even if it ends up in a data breach.

Yet in spite of this, it's still used as a country-wide ID mechanism for a lot of different things and replacing it with a proper ID mechanism has as I understand it (not American) very poor support as it's a culture war issue.

maccam912 2 hours ago | parent | prev | next [-]

It's often used as a way to verify identity. Historically it's been one of the more secret pieces of information about someone, so while name and birthday are not very secret, if someone wanted to steal an identity, it's generally the SSN that is hardest to figure out. As a result though, I think a lot of places treat it as "If you know the SSN, then you are who you say you are."

estearum 2 hours ago | parent | prev | next [-]

As an example, if you call your bank to report a lost credit card, and that you'd like it shipped to a different address than the one you registered with them, they'll ask you for the last 4 digits of your SSN.

So yeah, someone who knows (name, SSN) or especially (name, address, phone, SSN) can do a lot of harm.

Coneylake 2 hours ago | parent | prev [-]

Yes, to all of the above, unfortunately

chirau an hour ago | parent | prev | next [-]

CONTEXT:

I forgot to include the background to this court case. In 2025, the Chief Data Officer of the SSA, Mr Borges, whistleblew that DOGE had unlawfully uploaded a whole copy of NUMIDENT (the SSA datastore) to an insecure server. Here is the filing from Mr Borges.

https://whistleblower.org/wp-content/uploads/2025/08/08-26-2...

garyfirestorm 2 hours ago | parent | prev | next [-]

I haven’t yet figured out where it says that in the document. Would like to understand the content in the document that relays the headline here.

kittenhoarder 2 hours ago | parent | next [-]

1) Accessed Social Security PII after a court order supposedly cut that access.

SSA told the court that all DOGE access to personally identifiable information (PII) was revoked by March 24, 2025.

That turned out to be false: a DOGE member ran PII searches the morning of March 24, stopping only around 9:30 a.m.; access was not fully cut until about noon.

2) Sent SSA data to a DOGE official outside SSA.

On March 3, 2025, an SSA DOGE member emailed an encrypted file believed to contain names and addresses of ~1,000 people to Steve Davis, a senior advisor to the U.S. DOGE organization (and a DOL employee).

The file likely contained data derived from SSA systems of record.

It is unknown whether Davis received the password or accessed it.

3) Was given PII access during the TRO even though this was barred.

One DOGE member was granted access to 10 PII databases from March 26 to April 2 (never used, but still improper).

Another received a call-center profile that could access PII from April 9 to June 11; whether PII was viewed is unknown.

4) Had broader systems access than the court was told. SSA discovered additional access that had not been disclosed earlier, including:

Systems containing SSA employee records.

Systems controlling building/IT badge access.

Shared workspaces that could pool sensitive data.

A data-visualization tool that could reach PII.

Additional data-warehouse schemas.

5) Engaged in partisan election-related work inside SSA.

In March 2025, a political advocacy group asked two DOGE members to analyze state voter rolls to try to overturn election results.

One DOGE member signed a “Voter Data Agreement” as an SSA employee with that group on March 24, without agency approval.

SSA later referred this conduct to the U.S. Office of Special Counsel for possible Hatch Act violations.

6) Used an unapproved third-party server to share SSA data.

From March 7–17, 2025, DOGE members used Cloudflare links to transfer data.

Cloudflare is not authorized for SSA data storage; SSA still does not know what data were sent or whether it remains on that server.

thegreatpeter an hour ago | parent [-]

Still looking for the part about leaking the entire database of SSns

ubercore 2 hours ago | parent | prev [-]

Yeah my eyes started to glaze over a bit at the legal wording, but I didn't see anything about leaking the whole database.

sentrysapper 2 hours ago | parent | prev | next [-]

Department of Government Exfiltration.

mellosouls an hour ago | parent | prev | next [-]

Without any explanatory context this is a completely and inappropriately editorialised submission.

jagged-chisel an hour ago | parent [-]

I request that you contribute to the conversation by explaining the editorialization that you see.

gigatexal 2 hours ago | parent | prev | next [-]

And get there will be no justice for such egregious failures of duty and Elon will go forward to become a trillionaire. What a gaggle of idiots and fools this admin is

jmclnx an hour ago | parent | prev | next [-]

Not that it was already out that with past breaches. One example was the Experian breach, anyone who applied for a loan was already out there. Never mind all the other too many to count breaches that have occurred. Just now with DOGE we have 1 stop shopping.

Now that the US Gov. got to join that club we know there will be no consequences. Until execs from companies like Experian and now the US Gov. faces real Jail time, this will happen over and over.

I have not heard of a large breach from a Company for a while, are these so common that news orgs. no longer bother to report them ?

trhway 2 hours ago | parent | prev [-]

fun read:

"in March 2025, a political advocacy group contacted two members of SSA’s DOGE Team with a request to analyze state voter rolls that the advocacy group had acquired. The advocacy group’s stated aim was to find evidence of voter fraud and to overturn election results in certain States. "