Roughly four months after a notorious hacking group claimed to have stolen a vast amount of sensitive personal information, a significant portion of this data has reportedly been released for free on an online marketplace for stolen personal data. The implications of this breach are far-reaching, with experts warning of the potential for widespread identity theft, fraud, and other serious crimes.
The breach centers around the hacking group USDoD, which in April announced that it had stolen the personal records of 2.9 billion people from National Public Data (NPD), a major data broker. NPD provides personal information to a range of clients, including employers, private investigators, and staffing agencies, primarily for background checks. According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, USDoD offered to sell this massive dataset for $3.5 million on a forum frequented by hackers.
Last week, a member of the USDoD group, known only as Felice, posted on the same forum, claiming to offer “the full NPD database” which purportedly includes 2.7 billion records, each containing sensitive information such as full names, addresses, dates of birth, Social Security numbers, and phone numbers. In some cases, alternate names and birth dates are also included, making this breach one of the most concerning in recent memory.
Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group (PIRG), emphasized the seriousness of the breach. “If this is indeed the entire dossier on all of us, it’s much more alarming than previous breaches,” Murray said in an interview. She warned that if people have not been taking precautions against identity theft, this breach should serve as a “five-alarm wake-up call.”
National Public Data has yet to issue a formal notification about the breach. However, in an email response to inquiries, the company acknowledged being “aware of certain third-party claims about consumer data” and stated that it is investigating the issue. The company also claimed to have “purged the entire database” of all entries, effectively opting everyone out of its data collection. Despite this, NPD mentioned that it might retain certain records to comply with legal obligations.
Cybersecurity experts who have examined portions of the leaked data have confirmed that it appears to be genuine. If the leaked material is indeed as comprehensive as claimed, it poses significant risks. The information could be used to impersonate individuals, take over their financial accounts, or create fraudulent accounts in their names. While the dataset reportedly lacks email addresses and government-issued ID photos, which are often used for identity verification, it still provides enough critical information to enable a wide range of fraudulent activities.
Murray highlighted the potential dangers, noting that with just a few key pieces of information—such as your name, Social Security number, date of birth, and address—criminals could wreak havoc on your financial life. They could attempt to take over your bank accounts, access your investments, or even reset passwords on important accounts.
Moreover, criminals could potentially combine this newly leaked data with information from previous breaches, creating a more complete and dangerous profile of individuals. With such comprehensive data at their disposal, bad actors could commit a variety of crimes, steal large sums of money, and cause significant chaos.
Given the severity of this breach, experts strongly advise individuals to take immediate steps to protect themselves. One of the most effective measures is to freeze your credit with the three major credit bureaus—Experian, Equifax, and TransUnion. A credit freeze prevents criminals from opening new financial accounts in your name. While it does require temporarily lifting the freeze if you need to apply for credit yourself, it is a crucial step in safeguarding your financial identity.
As data breaches become increasingly common, it is clear that sensitive information about most individuals is likely already available in some dark corner of the internet. The best defense is vigilance—monitor your accounts closely, be wary of suspicious activity, and take proactive measures to protect your identity.
