
Stripe Atlas Vendor Leaked SSNs - sunils34
https://twitter.com/kwuchu/status/1213306146225823749
======
mjevans
I agree with
[https://twitter.com/constmontague/status/1213309357204688899](https://twitter.com/constmontague/status/1213309357204688899)

"... we need a new personal identifier, SSNs are all stolen at this point"

Though identity and authentication should be different things, as an
identifier the only real problem with SSNs is that we should be using UUIDs
instead.

The hard part is authentication, which should have a far more secure process
than merely knowing 9 digits everyone (re)uses.

~~~
miki123211
I think we need a worldwide, federated identity system.

There should be multiple identity providers, mostly governments and
organizations who already have lots of info about you, for example banks. This
already works in Poland and several other European countries. Such
organizations should verify that you are you the way they currently do, and
give you a way of authorizing yourself, i.e. SMS, mobile app, one-time
passwords etc. If someone needed to verify your identity, they would go
through your chosen org for authentication. This approach has several
benefits.

1. You can provide as much or as little info as you want. The info you
provide could include true/false assertions. For example, a porn website could
just ask the org whether your age >= 18, without the need to know your exact
birthdate. Same for citizenship, disability, criminal record etc.

2. You can easily integrate that with other services, for example payments or
even a secure communication channel, letting companies contact you without
learning any details about you. There could even be a secure shipping service,
where the company selling you the product only gets a special QR code to stick
on the package. Only one shipping company would get your real address, the
rest would just know the next leg of the route.

3. You could provide instant "not a robot" verification, without any
captchas, without any personal data and without any hassle. The authorizing
org would just give the requestor a token, different for each visit, that they
could send with an "add to blacklist" request. The next time a blacklisted user
tried to log in to that service, their org would refuse to provide the
token.

4. The ability to provide legal accountability without revealing anything. The
authenticating org would just provide a token to a service. The user could do
whatever they wished, but, in case they did something illegal, the police
could just force the org to actually reveal who was behind that token.

Of course, the system would have to be regulated by a global body of
governments or organizations. Each org would have certain responsibilities,
i.e. allowing you to port your ID to somewhere else, not requesting more data
than necessary, honoring blacklists etc. If that system existed, implementing
a safe, seamless online and real-life experience would be trivial. Just
imagine if it were trivial to trace each website, each comment, everything
to a real person with a court order, while not giving most companies any data
whatsoever.
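
The exchange sketched in the comment above, as an added toy model that is not part of the original post and not a real protocol: a hypothetical identity provider (`IdentityProvider`, constructed for this example) that already holds a user's data answers yes/no predicates such as "age >= 18" for a relying party, mints a fresh token per visit, honours a blacklist request keyed on that token, and can map a token back to a person only on the org's side. Signatures are modelled with HMAC and a key the relying party also holds, purely to keep the demo standard-library only; a real deployment would use public-key signatures. All users, org names and dates are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Fixed clock so the age predicate is deterministic (constructed for the demo).
DEMO_TODAY = date(2020, 1, 4)


class IdentityProvider:
    """Hypothetical org that holds a user's attributes and answers predicates."""

    def __init__(self, name):
        self.name = name
        self.verification_key = secrets.token_bytes(32)  # given to relying parties (toy: HMAC)
        self._users = {}         # user_id -> attributes the org already holds anyway
        self._tokens = {}        # per-visit token -> user_id, opened only on a court order
        self._blacklist = set()  # (rp_id, user_id) pairs a relying party asked to block

    def enroll(self, user_id, birthdate_iso, citizenship):
        self._users[user_id] = {
            "birthdate": date.fromisoformat(birthdate_iso),
            "citizenship": citizenship,
        }

    def _answer(self, attrs, kind, value):
        # Only the boolean leaves the org; the raw birthdate never does.
        if kind == "age_at_least":
            bd = attrs["birthdate"]
            age = DEMO_TODAY.year - bd.year - (
                (DEMO_TODAY.month, DEMO_TODAY.day) < (bd.month, bd.day))
            return age >= value
        if kind == "citizen_of":
            return attrs["citizenship"] == value
        raise ValueError(f"unknown predicate {kind!r}")

    def assert_for(self, user_id, rp_id, predicates):
        """Signed assertion for rp_id, or None if that RP has blacklisted the user."""
        if (rp_id, user_id) in self._blacklist:
            return None
        attrs = self._users[user_id]
        token = secrets.token_hex(16)  # fresh every visit, so relying parties cannot correlate
        self._tokens[token] = user_id
        body = {
            "issuer": self.name,
            "audience": rp_id,
            "token": token,
            "claims": {f"{k}:{v}": self._answer(attrs, k, v) for k, v in predicates},
        }
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.verification_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

    def blacklist(self, rp_id, token):
        """The RP returns a token it was given; the org then refuses that user to that RP."""
        self._blacklist.add((rp_id, self._tokens[token]))

    def court_order(self, token):
        """Legal accountability: only the org can map a token back to a person."""
        return self._tokens[token]


def token_of(assertion):
    """The per-visit token a relying party sees inside an assertion."""
    return json.loads(assertion["payload"])["token"]


def verify_assertion(assertion, verification_key, expected_audience):
    """Relying-party side: check signature and audience, return the claims or None."""
    expected = hmac.new(verification_key, assertion["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    body = json.loads(assertion["payload"])
    if body["audience"] != expected_audience:
        return None  # an assertion minted for another site must not be replayed here
    return body["claims"]


if __name__ == "__main__":
    idp = IdentityProvider("bank.example")         # constructed demo org
    idp.enroll("alice", "1990-05-01", "PL")        # constructed demo user
    a = idp.assert_for("alice", "shop.example", [("age_at_least", 18), ("citizen_of", "PL")])
    print(verify_assertion(a, idp.verification_key, "shop.example"))
```

The audience check is the part that is easy to forget: without it a site that received an assertion could replay it to another site, which defeats the "learn nothing beyond the predicate" goal the comment describes. The per-visit token keeps sites from linking visits to each other, while the org's private token table is what makes both the blacklist and the court-order path work.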

~~~
g2graman
If we had a worldwide, federated identity system, there's a problem with this
I can already see: what's stopping nations like China from expanding their
social credit system to the population of the world, against their will, for
example? For what purpose, I can't know, but it doesn't seem ideal.

On one hand, it would be incredibly useful to only ever have to deal with one
service or standard for identities (and that could include the possibility of
making things easier for identity theft products to do their job) but it
brings with it these other risks around centralizing that kind of information.

~~~
Nextgrid
What prevents them from doing so now? They can already scrape public internet
activity and create social credit profiles based on that.

Here I am posting a picture of Winnie The Pooh which I know Xi Jinping
absolutely loves: [https://ohmy.disney.com/wp-content/uploads/2016/01/Pooh.jpg](https://ohmy.disney.com/wp-content/uploads/2016/01/Pooh.jpg)
and my "social credit" is presumably now at zero.

Thankfully I am not in China, never will be, so even if the Chinese social
credit system hates me I can still take a train, get on a plane, etc.

------
nedwin
Why are they notifying folks via mail instead of good old fashioned email?

Haven't got a letter yet but would be super easy for me to check my inbox...

~~~
JBerlinsky
Each state has different laws about how people need to be notified about data
breaches. U.S. mail is generally the lowest common denominator across states.
See [https://info.digitalguardian.com/rs/768-OQW-145/images/the-d...](https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf)
for more information if you're curious.

------
numchk
As more Social Security Numbers are leaked from security breaches like Equifax
et al., I have done a deep dive into all things publicly known about SSNs and
published the results on a hobby site (with limited ad revenue to cover the
server cost) to both educate myself on the historic data contained in a Social
Security number, how its usage has changed throughout the years (enumeration
at birth in the 80's for example) and then how finally the state and date
information was removed around 2009 so that numbers are now randomly assigned.
For those born before 2010, there is real information encoded (or deduced)
from your number beyond what most are aware. If you are curious what types of
information a hacker could deduce, or additional ways your SSN could be
mis-used if disclosed (or guessed), take a gander at

[https://numchk.com/](https://numchk.com/)

------
etaioinshrdlu
Is this relevant to LLC formation only or also c corps?

~~~
binarynate
Unfortunately, C Corps are affected, too. I created a C Corp through Atlas and
was hoping that I dodged this issue, but I just received the notification of
the breach in the mail today.

------
throwGuardian
Why was Stripe sharing something as critical as [SSN+Name] with a third party?
If Atlas is simply a white-labeled service of another service, then I hope it
was prominent in Stripe's communication with customers/potential customers. I
say this because the market has many competitive offerings in the space, and
among the primary reasons to pick Stripe is the assumption of better security,
given its multi-billion-dollar venture funding and valuation.

------
zelly
The problem with SSNs is how short they are. 9 digits.

Even if you hash them, it's not that hard to make a 10^10 - 1 rainbow table.

It's the same problem with IPs (v4). You simply cannot store them at all if
you care about your customers' privacy.
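
An added example, not part of the comment above, showing the point it makes: an unkeyed hash of a 9-digit value is reversible by enumeration because the input space is only 10^9. The block hashes a constructed sample value (not a real SSN) with plain SHA-256, recovers it by searching a small window of candidates, extrapolates the single-core cost of the full search from a timed batch, and shows that a keyed HMAC with a secret held outside the database does not fall to the same enumeration. Function and variable names are the example's own.

```python
import hashlib
import hmac
import time

# Constructed sample value for the demo; format-valid but not a real SSN.
SAMPLE_SSN = "123456789"
SSN_SPACE = 10**9  # every 9-digit string: the whole space an enumeration must cover


def plain_sha256(ssn: str) -> str:
    """What 'just hash it' usually means: an unkeyed digest of the 9 digits."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_hmac(ssn: str, pepper: bytes) -> str:
    """Keyed alternative: the digest depends on a secret kept outside the database."""
    return hmac.new(pepper, ssn.encode(), hashlib.sha256).hexdigest()


def recover_from_digest(target: str, start: int, stop: int):
    """Enumerate 9-digit candidates in [start, stop) and return the one whose
    unkeyed SHA-256 equals target, else None. Restricted to a window here so the
    demo runs in well under a second; the full space is only 10^9 candidates."""
    for n in range(start, stop):
        candidate = f"{n:09d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def estimate_full_search_seconds(sample_size: int = 200_000) -> float:
    """Time a batch of unkeyed hashes on this machine and extrapolate to 10^9."""
    t0 = time.perf_counter()
    for n in range(sample_size):
        hashlib.sha256(f"{n:09d}".encode()).hexdigest()
    rate = sample_size / (time.perf_counter() - t0)
    return SSN_SPACE / rate


if __name__ == "__main__":
    window = (123_400_000, 123_500_000)  # 100k candidates that contain the sample
    print("plain hash recovered:", recover_from_digest(plain_sha256(SAMPLE_SSN), *window))
    print("keyed hash recovered:",
          recover_from_digest(keyed_hmac(SAMPLE_SSN, b"demo-pepper"), *window))
    print(f"single-core estimate for all 10^9 plain hashes: "
          f"{estimate_full_search_seconds():.0f} s")
```

The keyed variant only helps while the pepper stays out of the database and out of the hands of whoever obtains the dump; an attacker who also gets the key is back to the same 10^9 enumeration, which is why the comment's conclusion (do not store the value at all if you can avoid it) remains the stronger position.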

------
mobileexpert
Strange to not see an official statement and post Mortem from Stripe mentioned
anywhere. Can someone who got a letter post a (redacted as necessary) scan of
it?

~~~
throwaway99898
For whatever reason there seems to be a semi-official version hosted by
Vermont: [https://ago.vermont.gov/blog/2019/12/31/stripe-legalinc-noti...](https://ago.vermont.gov/blog/2019/12/31/stripe-legalinc-notice-of-data-breach-to-consumers/)

~~~
scrollaway
Oh jesus

[https://ago.vermont.gov/blog/category/security-breaches/](https://ago.vermont.gov/blog/category/security-breaches/)

There's 63 pages.

~~~
ckrailo
Scrolling through a few, the title of this one caught my eye:

University of Notice of Data Breach to Consumers

[https://ago.vermont.gov/blog/2019/10/02/university-of-notice...](https://ago.vermont.gov/blog/2019/10/02/university-of-notice-of-data-breach-to-consumers/)

------
miki123211
How could Stripe Atlas even require SSNs? Wasn't the whole point of that
service giving access to the U.S. market for people from other countries?

~~~
bdcravens
It could be used equally by US-based founders.

------
reviel
If anyone needs a Stripe Atlas alternative that doesn't require an SSN and is
also less expensive ($350 vs Stripe's $500 + $400/yr), check out
[https://www.blook.io/stripe-atlas-alternative](https://www.blook.io/stripe-atlas-alternative)

~~~
drombn
Thanks for this I was looking into setting up an LLC this year. I’ll check
them out!

------
ryanlol
Odds are that all these SSNs had been leaked from a bunch of other sources
anyways. Why the “fuuuuuuuck”? This doesn’t seem like a big deal at all.

~~~
marklyon
Presence on this list potentially indicates individuals of higher net worth
and credit history, making it more valuable than other sources?

~~~
ryanlol
You can just buy 1000s of high-credit profiles located in the wealthiest zip
codes for $1/pc max (I’ve seen prices below $0.1/pc but I suppose this is a
special request)

------
duxup
Is there any verification / info other than a tweet?

~~~
loganfrederick
As a Stripe Atlas customer, I received a snail mail letter from Stripe about
this issue. It included some suggestions from them to prevent identity theft.

As I texted a tech friend of mine: if I’m receiving a physical letter from a
leading tech co like Stripe, then it’s at least a moderately serious issue.

~~~
_Codemonkeyism
Google sends Google adwords ads with physical letters in Germany at least.

~~~
Buge
What does it mean to send an "adwords ad"? Has Google branched out from
digital advertising and started distributing ads via the mail?

~~~
kyleee
A solicitation to join adwords, often including an offer to run a certain
amount (ex. $100 worth) of free ads for new users

------
rolltiide
Getting your identity stolen in any way that'll affect you is all random.

They're all leaked now and people borrow them for things that would never show
up on your credit report.

Hope you don't get framed! Good luck

~~~
3fe9a03ccd14ca5
Not me though! Equifax gave me 4 years of credit monitoring! I’m in the safe
right? /s

