Massive Cyberattack Exposes 2.7 Billion Sensitive Data Records, Including Social Security Numbers

Imagine someone out there knows your name, social security number, every address you’ve ever lived at, and even your aliases. For almost 2.7 billion people in the United States, this nightmare became a reality when their personal information was leaked on a hacking forum.

The data is believed to come from National Public Data, a company that collects and sells access to personal data for purposes such as background checks, criminal records, and private investigations. They allegedly scrape this information from public sources to create individual user profiles for people in the US and other countries.

Back in April, a cybercriminal by the name of USDoD claimed to be selling 2.9 billion records containing such personal data from the US, UK, and Canada, stolen from National Public Data. They attempted to sell the data for $3.5 million and claimed it contained records for every person in those three countries. USDoD is no stranger to the hacking world, having been previously linked to an attempted sale of InfraGard’s user database in December 2023 for $50,000.

We reached out to National Public Data for a comment, but they never responded to our email.

Stolen data leaked for free

Since then, various cybercriminals have released partial copies of the data, each with a different number of records and, in some cases, different data types.

On August 6th, a hacker known as “Fenice” leaked the most complete version of the stolen National Public Data for free on the Breached hacking forum. However, Fenice claims the data breach was conducted by another cybercriminal named “SXUL,” not USDoD.

The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, as opposed to the original 2.9 billion number shared by USDoD.

While we can’t confirm if this leak contains data for every person in the US, numerous people have told us that it included their own and family members’ legitimate information, even for those who have passed away. Each record consists of a person’s name, mailing addresses, and social security number, with some records containing additional information, like other names associated with the person. None of this data is encrypted.

Previously leaked samples of this data also included phone numbers and email addresses, but these are not present in the 2.7 billion record leak.

It’s important to note that a person will have multiple records, one for each known address they’ve lived at. This also means that this data breach did not impact 3 billion people, as has been erroneously reported in many articles that didn’t properly research the data.

Some people have also informed us that their social security numbers were associated with others they don’t know, so not all the information is accurate. Moreover, this data may be outdated, as it doesn’t contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup.

The data breach has led to multiple class action lawsuits against Jerico Pictures, which is believed to be doing business as National Public Data, for not adequately protecting people’s data.

If you live in the US, there’s a good chance this data breach has leaked some of your personal information. Since the data contains hundreds of millions of social security numbers, it’s essential to monitor your credit report for fraudulent activity and report it to credit bureaus if detected.

Additionally, as previously leaked samples also contained email addresses and phone numbers, you should be on guard against phishing and SMS texts attempting to trick you into providing more sensitive information.

This massive data breach serves as a sobering reminder of how vulnerable our personal information can be. As the digital world continues to evolve, it’s crucial to stay informed about the latest cybersecurity threats and best practices to protect yourself. To stay one step ahead of cybercriminals, keep coming back to learn more and don’t hesitate to contact us with any questions or concerns about your online security.