INDIANA – Almost 2.7 billion personal information records for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.
The data allegedly comes from National Public Data (NPD). This company collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators. National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.
According to a class action lawsuit, NPD obtained the data without consent, and the breach occurred sometime in April 2024.
The lawsuit alleges that “upon information and belief,” USDoD was “able to exfiltrate the unencrypted PII of billions of individuals” and that the personal information was “published, offered for sale and sold on the Dark Web by cybercriminals.”
In April, USDoD claimed to sell 2.9 billion records containing the personal data of people in the US, UK, and Canada that were stolen from National Public Data.
At the time, the threat attempted to sell the data for $3.5 million and claimed it contained records for every person in the three countries.
USDoD was previously linked to an attempted sale of InfraGard’s user database for $50,000 in December 2023.
On August 6th, “Fenice” leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum.
However, “Fenice” says SXUL, rather than USDoD, conducted the data breach.
The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, rather than the original 2.9 billion number originally shared by USDoD.
While BleepingComputer can’t confirm if this leak contains the data for every person in the US, numerous people have confirmed that it included their and family members’ legitimate information, including those deceased.
Each record consists of the following information – a person’s name, mailing address, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted.
Previously leaked samples of this data also included phone numbers and email addresses, but these are not included in this 2.7 billion record leak.
The data breach has led to multiple class action lawsuits against Jerico Pictures, which is believed to be doing business as National Public Data, for not adequately protecting people’s data.
If you live in the US, this data breach has likely leaked some of your personal information.
As the data contains hundreds of millions of social security numbers, it is suggested that you monitor your credit report for fraudulent activity and report it to the credit bureaus if detected.
Furthermore, as previously leaked samples also contained email addresses and phone numbers, you should be vigilant against phishing and SMS texts attempting to trick you into providing additional sensitive information.
Monitor your credit reports and look for unauthorized or fraudulent activity, including opening new bank accounts, credit cards, or large withdrawals.
If you receive notice from a debt collector or notice fraudulent activity, contact your financial institutions and law enforcement.
