Assuming not passwords. Things like name, address, passport number, etc.
If your important numbers (in the US that's passport, social security, and driver license) get leaked, it becomes easier and easier for someone to commit identity theft and open credit cards in your name which you will have to pay with either money or a lot of time proving it wasn't really you. Or they can get traffic tickets in your name which will become a warrant for you.
And if they know enough about you (address, likes and dislikes, etc), it becomes much easier to socially hack (https://en.wikipedia.org/wiki/Social_hacking) you. Any security is only as strong as its weakest link, and social hacking has been used to get access to people's bank account, email address (doesn't sound scary but if someone has access to your email, they likely have access to all of your accounts because they can trigger a password reset, intercept it, set a new password, then lock you out), and a lot of other things.
The financial sector abuses some of the more obscure facts about people (SSN, DL/passport number, bank account number, address history, mother's maiden name) as authenticators. They aren't. In the short term, someone can create a lot of bureaucratic hassle for you by knowing these facts. In the long term, institutions will adapt to the reality that knowing them no longer proves anything.
The stuff you should really care about, IMO: Contents of private conversations. Interests and opinions expressed online that could harm real-world relationships. Habits and characteristics that could signal insurance, credit, or crime risk. Political activity far from mainstream. Relationships with controversial or high-risk people. Evidence of excessive wealth for your context.
The fact that a person with your metadata exists and does normal life things like having a home, a job, a cell phone, and a bank account is always going to be well-known. This information is more or less neutral. The real secrets are those which might prompt some actor (friend, lover, ex-spouse, family member, boss, insurance underwriter, lender, police, secret police, conman, vigilante, person who is wrong on the internet, etc) to turn against you, or to do worse damage than they would otherwise.
It's inexcusable that someone can pretend to be you, sign up for stuff at various services, and somehow that ends up being your responsibility to fix. It should be the various businesses who failed to correctly identify you and they should be financially liable, not you who had ZERO to do with it.
How do you avoid the people-search sites coming up in Google? When I search my name, Google instantly provides several Whitepages-like sites with my full name and address. Some of them (actual Whitepages included) provide options for removal, but there are so many and they all pull from the same source that it's a losing battle.
I'd also like to see executives be personally liable for the fines too.
What is the likelihood of being a target of this? Are there people out there that you expect might want to mail you an unexpected package or stalk you at your home?
I get that there are people who have stalkers and such, but for the average, random person, what is the likelihood a criminal is going to pick their name and address out of some leaked information and...what? Mail them a bomb? Travel from Estonia or wherever the hacker lives to burgle a house in the US? Why? There's no point to doing that.
As we see in the instances of so-called "revenge porn", you don't have to be famous to be the victim of these tactics. It just takes one person who becomes annoyed enough to use some of these tools and then you're left with an expensive and time consuming mess.
Did you have a nasty break-up? Fire someone? Do you have a business rival who would like to see your reputation ruined? Did you leave a comment on a website that just happened to offend the wrong person [1]? The tools to completely ruin your life are becoming easier and cheaper to wield, and the costs of defending against them are only increasing.
Even if the likelihood isn't high, the consequences are severe enough that you should take the risk seriously. Objectively, the likelihood of you getting robbed isn't that high either, but you lock your doors and don't leave valuables sitting out in your car either.
[1]: https://gizmodo.com/when-a-stranger-decides-to-destroy-your-...
EDIT: note that in the link above, the attacker wasn't even using non-public data. Imagine how much more damage someone with the ability to gain access to bank accounts, etc. could have done.
I am not a unique/unusual/margin case.
Saying "there are some people who have stalkers and such" discounts large swaths of (mostly) women who have been victimized, far more than a non-victim would ever realize.
This is a very real concern for more than an insignificant number of people. We are just people who you would not necessarily realize exist.
Because you think your physical address doesn't otherwise exist? Or are you talking about packages personally addressed to you?
Thrown in jail: https://www.marketwatch.com/story/how-being-an-id-theft-vict...
"Hi, <insert name here>. I know all about you. For instance, <insert the piece of personal information you have>. Wire me <insert large sum here> or I'll publish your browser history (or credit card statements, or anything else that sounds sufficiently compromising among some segment of the population)."
Against any particular target, this may not be effective if they don't care about the leverage you claim to have or call your bluff. However, since you have a data dump you can send this to every single affected individual and you'll get at least some bites.
Did you receive that in an email recently? I've already deleted it, but I got almost that exact email in my spam on my junk mail account the other day. They were clearly working off of the Adobe password leak.
They quoted my old password in the email and gave the same ol', 'I will email a list of your perverted pornographic interests to your family and employer'
Like you said, they cast a wide net in hopes of catching a few fish. That being said, asking for BTC seems to really narrow the pool to folks who, I assume, would be less likely to fall for this scam.
If said stupid mark is lawyered up enough, they will try to fob their failure to do their due diligence off on anyone they can including you with the imaginary crime of "having your identity stolen" as if such a thing was even possible.
Which is more plausible?
a) I am not me anymore because my identity is stolen.
b) Criminals stole from someone else. (likely leveraging their expectation of profit using the information available on absolutely everyone either from 'legitimate' brokers or shady darkweb stuff; not that I can't tell the difference)
Account take-over if the password was used elsewhere (credential stuffing).
Become a target for Extortion or Blackmail: https://www.troyhunt.com/the-opportunistic-and-empty-threat-...
Edit: Some companies still use birth dates, security questions or social security numbers for identification. If the information is public, anyone can identify as that person via a phone call. https://krebsonsecurity.com/?s=SMS&x=10&y=14 https://krebsonsecurity.com/2018/10/voice-phishing-scams-are... https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-...
https://www.abc.net.au/radionational/programs/rearvision/the...
My parents had a criminal gang compromise their information and open up a savings account in their name. They then initiated ACH transfers from their legit accounts and filed a fraudulent income tax return in their name, to the tune of $50k refund.
The only reason they did not get away with it is that the online bank sent a gift to the house and my parents knew people from their careers that could get the attention of law enforcement quickly.
Their bank suggested that a relative probably stole their bank credentials and that it was “nothing to worry about”.
Your browser history?
Mails to your boyfriend/girlfriend?
Those angry comments about your brother or boss sent to someone else?
The source code to your side project?
Your half-finished novel?
Work-related files?
Your IM chats?
Your full contact list and their numbers?
Your purchase history?
Photos?
You probably don't need to worry about the hack affecting you directly, but it is affecting you in ways you probably can't imagine.
What we should do is think about the post-privacy world, where all data is available to everyone. We won't be able to keep secrets and passwords anymore, but we won't have to secure them either, as we will have better authentication methods. No more paranoia, encryption, or fear of data leaks.
It blows my mind how few people are willing to concede the benefits of transparency, even if they're not willing to fully endorse it.
Either I don't fully understand what you're suggesting, or you don't fully understand what you're suggesting. ;)
Right to privacy is part of the Universal Declaration of Human Rights for good reasons. Violations and abuses of privacy have done a lot of damage to a lot of people throughout history.
So what does authentication even mean to you if all data is available to everyone? Why would you still need to authenticate?
Do you think it's a good idea for me & everyone else to see your bank balance? Personal emails? Personnel reviews at work? Letters to your girlfriend? Late night browsing habits? Purchase history? All your photos along with the video feed from your phone?
I don't see privacy ever not being a normal and reasonable thing to seek, not to mention rather important for developing democracies and as some protection against government abuses.
Unsustainability: It will only become more difficult to keep secrets as technology improves. Imagine cameras that can see through walls and drones the size of a fly.
Unenforceability: How do you make people forget information on demand? How do you delete data from the internet?
Inefficiency: We waste a lot of resources securing data. We waste a lot of resources requesting data. Allowing data to flow naturally would be more efficient.
I think it's a good idea to let "everyone else see [my] bank balance[.] Personal emails[.] Personnel reviews at work[.] Letters to [my] girlfriend[.] Late night browsing habits[.] Purchase history[.] All [my] photos along with the video feed from [my] phone[.]" However, I think it would be unfair to make the life of one person transparent in a society where the social and technical expectation is to keep secrets, although I think it would be better to make everyone's lives transparent in a society where transparency is supported.
I think the transition to a transparent society is inevitable. I also think that the later we prepare for the transition the more people will suffer. This is why I bring up the subject and encourage people to think about it.
David Brin explains it much better in his book:
On a date every year in October, just after midnight, Norwegian citizens' annual tax returns are posted online — and the country's Norwegian newspapers leap to produce top ten lists of the country's highest earners, the incomes and taxes paid by the political and cultural elites, celebrities and sportspeople. https://www.theguardian.com/money/blog/2016/apr/11/when-it-c...
Now she doesn’t leave home without police reports and documentation that she has been the victim of identity theft.
https://www.javelinstrategy.com/press-release/identity-fraud...
Surely, somewhere some victim of identity theft has suffered vast financial losses without recoup.
Surely, many victims of identity theft have a harder time getting approved for loans, leases, or even government clearances and background checks. These things are explainable, but isn't the fact that a person has to deal with this for the rest of their life (or at least 10-15 years following an identity theft event) enough of a problem that you would say it has caused a person "significant, damaging impact"?
But -
Like Ashley Madison? Medical records? Tax records. These have all had real life consequences for people. North Korean defectors had their details stolen the other day.
Like an email address to a site you comment on, so now it publicly ties your comments to the real you?
Go on?
If your question is around identity theft which I think it really is, then I'd need to see proof, else the fear the NPCs have is actually what does the damage. (Also never heard of a domestic incident from a mass breach of addresses, I'd need proof to believe it, but it is enough to legitimately have to move house, so consequences)
(Passwords / unsalted/salted password hashes are of course the real killer, this has screwed a lot of people, but you've excluded this.)
Something tells me you won't. The reason you won't, is the answer to your question.