Approximately 2.7 billion records containing personal information of individuals in the United States have been leaked on a dark web hacking forum.
The exposed data includes names, social security numbers, known physical addresses, and possible aliases. Contrary to some initial reports, this breach does not necessarily affect every American or contain information on 2.7 billion unique individuals.
The data is believed to originate from National Public Data, a company that collects and sells access to personal information for background checks, criminal record searches, and private investigations. National Public Data reportedly scrapes this information from public sources to compile individual user profiles.
The breach first came to light in April when a threat actor known as USDoD claimed to be selling 2.9 billion records of personal data from the US, UK, and Canada for $3.5 million. However, on August 6th, a different threat actor named “Fenice” leaked what appears to be the most complete version of the stolen data for free on the Breached hacking forum. Fenice attributes the actual data theft to another actor called “SXUL.”
The leaked dataset consists of two text files totaling 277GB, containing nearly 2.7 billion plaintext records. Each record typically includes a person’s name, mailing addresses, and social security number, with some entries containing additional information such as associated names. It’s important to note that individuals may have multiple records, one for each known address, which explains the high number of total records.
While many individuals have confirmed finding their legitimate information in the leak, including data on deceased family members, there are indications that some of the data may be inaccurate or outdated. The Verge has called it “the weirdest ‘3 billion people’ data breach ever.” Some people have reported finding their social security numbers associated with unknown individuals, and current addresses are often missing from the records.
Troy Hunt of Have I Been Pwned (his tweet mentioned above) noted that “there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”
Cybersecurity experts advise those potentially affected to monitor their credit reports for fraudulent activity and remain vigilant against phishing attempts. The breach has already sparked class action lawsuits (like this one) against Jerico Pictures, believed to be operating as National Public Data, for allegedly failing to adequately protect personal information.
Information for this story was found via the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
