National Public Data (NPD), a background check and personal lookup company, has acknowledged that it was breached. Hackers have been disseminating 2.7 billion records for free, including names, Social Security numbers, addresses, and other personal information.
Cybernews previously reported that millions of Americans are at risk after hackers attempted to sell and later released for free a huge package containing their personal data.
About four months after the initial claims by the notorious threat actors about the data theft, a major data broker, NPD, has acknowledged the incident.
“There appears to have been a data security incident that may have involved some of your personal information,” the company said in a statement. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
NPD also confirms that the breach involved the name, email address, phone number, social security number, and mailing address(es).
“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” NPD said.
The company also noted it has implemented “additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
On August 6th, the threat actor with the alias “Fenice” posted 2.7 billion American records for free on the illicit marketplace BreachForums. Previously, another notorious actor, USDoD, tried selling the data for $3.5 million. Both groups attributed the actual breach to a third actor operating under the moniker SXUL.
The vast number of records led some to conclude that it covers “all” Americans. The anonymous threat analyst group vx-underground has analyzed the data and found that it is mostly authentic and accurate. However, it contains many duplicates and deceased people and does not include information from individuals who use data opt-out services. The data allows one to identify parents and nearest relatives, such as uncles, aunts, or cousins.
April 8th, 2024, a Threat Actor operating under the moniker undefinedUSDoDundefined placed a large database up for sale on Breached titled: undefinedNational Public Dataundefined. They claimed it contained 2,900,000,000 records on United States citizens. They put the data up for sale for $3,500,000.
undefined vx-underground (@vxunderground) June 1, 2024
National…
Following the massive breach, victims filed a class-action lawsuit. They found that NPD collected data on millions of individuals from non-public sources without their knowledge, including current and past addresses, for nearly two decades. The plaintiff accuses the company of negligence, unjust enrichment, and other violations.
Troy Hunt, a security consultant who runs the website Have I Been Pwned, noted that in many parts of the world, the NPD’s statement is inaccessible and requires an American VPN server.
NPD advises users to take preventive measures, such as monitoring financial accounts, and reporting any unauthorized activity to the financial institution.
“You may want to contact the three US credit reporting agencies (Equifax, Experian, and TransUnion) to obtain a free credit report,” NPD suggests. “It is also recommended that you place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts.”
A credit freeze should also be considered, as it’s a measure that makes it harder for identity thieves to open new accounts.
Your email address will not be published. Required fields are markedmarked