Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.
The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.
National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.
In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of people in the US, UK, and Canada that was stolen from National Public Data.
At the time, the threat actor attempted to sell the data for $3.5 million and claimed it contained records for every person in the three countries.
USDoD is a known threat actor who was previously linked to an attempted sale of InfraGard's user database in December 2023 for $50,000.
BleepingComputer, at the time, contacted National Public Data and never received a response to our email.
Stolen data leaked for free
Since then, various threat actors have released partial copies of the data, with each leak sharing a different number of records and, in some cases, different data.
On August 6th, a threat actor known as "Fenice" leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum.
However, Fenice says the data breach was conducted by another threat actor named "SXUL," rather than USDoD.
Source: BleepingComputer
The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, rather than the original 2.9 billion number originally shared by USDoD.
While BleepingComputer can't confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included their and family members' legitimate information, including those who are deceased.
Each record consists of the following information - a person's name, mailing addresses, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted.
Previously leaked samples of this data also included phone numbers and email addresses, but these are not included in this 2.7 billion record leak.
It is important to note that a person will have multiple records, one for each address they are known to have lived. This also means that this data breach did not impact 3 billion people as has been erroneously reported in many articles that did not properly research the data.
Some people have also told BleepingComputer that their social security numbers were associated with other people they don't know, so not all the information is accurate.
Finally, this data may be outdated, as it does not contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup.
The data breach has led to multiple class action lawsuits against Jerico Pictures, which is believed to be doing business as National Public Data, for not adequately protecting people's data.
If you live in the US, this data breach has likely leaked some of your personal information.
As the data contains hundreds of millions of social security numbers, it is suggested that you monitor your credit report for fraudulent activity and report it to the credit bureaus if detected.
Furthermore, as previously leaked samples also contained email addresses and phone numbers, you should be vigilant against phishing and SMS texts attempting to trick you into providing additional sensitive information.
Comments
GT500 - 3 months ago
I've been trying to put a freeze on my credit at the big three credit bureaus, however Equifax is having issues with their website. It looks like they have it back online today, so I can finally get this nonsense done.
cs_280zx - 3 months ago
Another day, another data breach...
Hmm888 - 3 months ago
"Another day, another data breach..."
As long as there is ransomware insurance, companies and corporations take a very back seat attitude. Things can only change when their CEOs are held personally and criminally liable, including mandatory jail times. Otherwise, fines and class action lawsuits are meaningless as these costs will be passed to customers and other stakeholders.
Sochotek - 3 months ago
So a good chunk of the info is from dead people? I mean simple math doesn't add up? 2.7 billion data records all with SSN. All from US, UK, and Canada. Assuming UK and Canada have something like a SSN, the totally population of all 3 is about 465mil... (Give or take).... So 2.3 billion are most likely all deceased??? Like if I were a hacker I wouldn't be boasting about 2.3billion records that you can't really do much with. Still sucks for the living lol ... But a little too much ego from the threat actor if you ask me ...
gregraygun - 3 months ago
I expected better from bleeping, that title is misleading.
NoneRain - 3 months ago
LOL you guys just need to learn how to read. Literally in the article:
"While BleepingComputer can't confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included their and family members' legitimate information, including those who are deceased. "
"It is important to note that a person will have multiple records, one for each address they are known to have lived. This also means that this data breach did not impact 3 billion people as has been erroneously reported in many articles that did not properly research the data."
Hmm888 - 3 months ago
"LOL you guys just need to learn how to read. Literally in the article:
"While BleepingComputer can't confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included their and family members' legitimate information, including those who are deceased. "
"It is important to note that a person will have multiple records, one for each address they are known to have lived. This also means that this data breach did not impact 3 billion people as has been erroneously reported in many articles that did not properly research the data.""
Did you actually expect anyone to read your jibber jabberand pasting? LOL!
Hmm888 - 3 months ago
"I expected better from bleeping, that title is misleading."
Look at how many people commented already? BC's intent is to promote engagement and visitor to be exposed to their ads and other critters running in the background.
GT500 - 3 months ago
I use my bank's free credit monitoring, and they let me know that the data included my Social Security Number. Assuming you're in the USA, if you're not using some form of credit monitoring, then you would never know if yours was in the leak.
Hmm888 - 3 months ago
"I use my bank's free credit monitoring, and they let me know that the data included my Social Security Number. Assuming you're in the USA, if you're not using some form of credit monitoring, then you would never know if yours was in the leak."
That's as useful as a radar detector notifying you that you've been already clocked by the police. Credit monitoring isn't a proactive measure. It's effectively useless.
GT500 - 3 months ago
"That's as useful as a radar detector notifying you that you've been already clocked by the police. Credit monitoring isn't a proactive measure. It's effectively useless."
If it wasn't for the credit monitoring, I wouldn't have known to put a freeze on my credit to make sure no one could open a new credit account in my name. That's the proactive step (other than maybe contacting the Social Security Administration), and the credit monitoring let's you know when you need to do it.
Without the credit monitoring you won't know anything's wrong until it's too late, and then you're stuck trying to clean up a mess. Unless of course you just leave your credit frozen all the time to be on the safe side.
wpontius - 3 months ago
These companies that carelessly store such sensitive personal information in clear text should be fined, sued and driven out of existence!!! It is inexcusable for such data not to be encrypted!!
Wannabetech1 - 3 months ago
Yes, but that will never happen.
GT500 - 3 months ago
Encryption isn't a silver bullet. In order for them to be able to access the data, they need to be able to decrypt it. This isn't like hashing passwords, where they don't need to be decrypted again afterwards. If a criminal gains access to the data, it's always possible they could gain access to the decryption key as well, and then the encryption was pointless.
Should the data be store encrypted? Yes. Would that prevent data leaks? Not with any certainty, although it would make it less likely that a thief could use any data they stole.
cncrndleakvctm78654 - 3 months ago
For those of us in Canada/UK, does the SSN field have our country's identifier in it? Or is it just blank?
Hmm888 - 3 months ago
"For those of us in Canada/UK, does the SSN field have our country's identifier in it? Or is it just blank?"
Pretty much. In Canada you need a SIN (social insurance number) to open a bank account, car loan, mortgage, credit card, etc. While technically you can decline, but if you do, your application will be denied.
cncrndleakvctm78654 - 3 months ago
""For those of us in Canada/UK, does the SSN field have our country's identifier in it? Or is it just blank?"
Pretty much. In Canada you need a SIN (social insurance number) to open a bank account, car loan, mortgage, credit card, etc. While technically you can decline, but if you do, your application will be denied. "
I don't think you understood my question...
I was asking if my SIN number would be in the leak? Like, if my name and address was in the leak, would the SSN field have my SIN because I'm in Canada, or would it just ne blank?
If they only captured SSNs, then this is a lot less worrying for Canadians.
_Spambust_ - 3 months ago
A Social Insurance Number (SIN) is a 9-digit number that you need to work and be paid in Canada and access government programs and benefits. It is also used to file taxes.
Hmm888 - 3 months ago
"A Social Insurance Number (SIN) is a 9-digit number that you need to work and be paid in Canada and access government programs and benefits. It is also used to file taxes."
Unless it was a bank/financial institution in Canada (they won't ask for your SIN via email), this is nothing more than fearmongering.
I recall in January, a few questionably credible sites were also engaging in fearmongering and saying the "mother of all breaches". Even Malwarebytes ran the story within their ad infested blog site, but did Global, CTV, CNN, AP, Reuters, and more cover the story? Nope, but Yahoo did which hasn't been credible since 2001.
Hmm888 - 3 months ago
Social media tech bloggers are running with this story. Yet, nobody really knows WTF National Public Data does, who their clients are. Those who are affected I received an email from I'veBeenPwned) but I have no idea which company I was listed was a victim of the breach.
With AI and computer geeks glued to the PC and dark/deep web, I think we'd have more info.
Anyway, I am not going to worry as nobody who used NDP formally has contacted me, which they would've by now.
mike_mclaugh - 3 months ago
What was their motivation behind this leak? Always curious why these hackers do what they do
Lawrence Abrams - 3 months ago
Commonly, it's to build reputation among their community.
DreamPhreak - 3 months ago
"What was their motivation behind this leak? Always curious why these hackers do what they do"
Lawrence Abrams is exactly right. Go look back at the screenshot of the forum post by Fenice. Notice at the bottom how it says "Ps. There is a new player in town", thats what someone would do when they're trying to build a new reputation, so future leaks for sale will have credibility
CityguyUSA - 2 months ago
I tried using one of these so-called services that provide a way to track down old friends, etc. What I found was that out of the 6 or 7 numbers they provided for each person not a single working number or valid email.
Just another scam to get your money. I'm betting that none of the SS numbers are valid either. I'm more concened that they're suggesting that they get this information by screeen scraping. Really? They have access to some screen where all this important data is being displayed. I can't even see my fuycking bank account or my account number with the telephone company. Yet they are able to screen scrap SS numbers?