National Public Data confirms breach exposing Social Security numbers


Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. 

The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.

Breach linked to late 2023 hack attempt

In the statement disclosing the security incident, National Public Data says that “the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

The company acknowledges the “leaks of certain data in April 2024 and summer 2024” and believes the breach is associated with a threat actor “that was trying to hack into data in late December 2023.”

NPD says they investigated the incident, cooperated with law enforcement, and reviewed the potentially affected records. If significant developments occur, the company “will try to notify” the impacted individuals.

It is worth noting that BleepingComputer’s testing revealed that access to NPD’s statement on the security incident has been blocked for IP addresses in numerous locations in the U.S. as well as regions outside the country. More than a dozen captures of the page exist on the Internet Archive, though.

Although a large portion of the database stolen from National Public Data (NPD) was leaked 10 days ago, partial copies had previously been shared by various threat actors.

The leaks started after a threat actor in April using the alias USDoD offered to sell for $3.5 million 2.9 billion records allegedly stolen from NPD.

Earlier this month, another threat actor known as Fenice shared for free the most comprehensive variant of the database with 2.7 billion records, with multiple records referring to a single person.

Threat actor leaks database stolen from National Public Data
National Public Data data leaked on a hacking forum
Source: BleepingComputer

It is unclear how many individuals are impacted but multiple people confirmed to BleepingComputer that the records included details about them as well as their family members, including deceased ones.

According to Troy Hunt, the creator and maintainer of the Have I Been Pwned (HIBP) search service for compromised personal data, there were 134 million unique email addresses in one version of the NPD leaked database he analyzed.

Not all the information may be accurate, though. Tests from BleepingComputer showed that some people were associated with someone else’s name.

Hunt’s analysis of the dataset he received seems to confirm this, as he found one of his email addresses associated with two unique dates of birth, none of them his.

Furthermore, BleepingComputer found that some of the details in the database may also be outdated, as it does not include the current address of any of the people we checked.

Inaccuracies aside, the NPD incident has led to at least one class action lawsuit against Jerico Pictures, the entity that operates the National Public Data service.

NPD is believed to source their details from public files such as government records (federal, state, and local), which include all legal papers related to an individual.

People impacted by the NPD breach should monitor financial accounts for signs of potentially fraudulent activity and report it to credit bureaus.

Because contact information is present in the leak, there is also the possibility of phishing attempts to trick you into providing more sensitive details that could be used for fraudulent activities.



Source link