Earlier this year, one of the most active underground forums for stolen data, BreachForums, went dark. Hundreds of thousands of user records tied to the site leaked online, comprising account information tied to forum user accounts, and not new consumer data.
On the surface, that may sound like good news. The leak included usernames, email addresses, and hashed passwords connected to forum accounts, information that could support ongoing investigations. But for everyday consumers, what this means is more complicated.
A forum breach doesn’t erase stolen data. Social Security numbers, dates of birth, and other identifiers that were already sold don’t get deleted. Once that information is out there, it tends to move — from large public marketplaces to smaller, quieter channels where activity is harder to see and harder to stop.
What does this mean for your SSN?
Unlike passwords or card numbers, SSNs don’t expire. A number exposed years ago can still be used today to open accounts, file fraudulent tax returns, or support synthetic identities that blend real and fake information.
In many cases, the first sign is administrative and not financial. A tax return may be rejected because one has already been filed using the same number. Reuse can also show up on payroll reporting, when an SSN appears in wage records or verification checks tied to work you didn’t do. Because none of these require access to an existing account, they often don't trigger alerts you'd expect from your banks.
What next?
- Start by reducing how often you share your SSN. Federal agencies continue to advise providing it only when legally required, and to ask how it will be stored and who can access it before handing it over. A lot of misuse still starts with paperwork that didn’t need an SSN in the first place, or with documents that were lost or reused later.
- For tax-related misuse, prevention is your default step. The IRS’s Identity Protection PIN adds an extra verification step to your tax return so a filing submitted without that code is rejected, even if the SSN is correct. Before 2021, the IRS limited these PINs mostly to confirmed identity theft victims. That changed when the program opened to anyone with an SSN or ITIN, meaning you no longer have to wait for a problem before opting in.
- If the IRS contacts you about suspicious activity tied to your SSN, timing matters. Follow the instructions in the notice and submit an identity theft affidavit so the IRS can mark your account and apply additional checks to future filings and refunds.
Some of the steps above help prevent misuse. Others help limit the damage once it happens. What’s harder is keeping track of where SSN-related irregularities tend to show up over time — across credit reports, data breaches, and IRS notices that don’t always arrive at once.
Aura is one option AICPA members can use to watch for these alerts in one place. It includes three-bureau credit monitoring, data breach alerts, and support if you need help responding to potential identity theft. Aura will also coordinate recovery in case of fraud. Get up to 68%* off and a 60-day money-back guarantee** on annual plans.
*Based on standard pricing starting at $13/month for the Individual Plan.
**You may cancel your membership online and request a refund within 60 days of your Aura membership purchase either through your Aura Account Membership portal or by calling us at 1-855-712-0021.