Background checking service National Public Data confirmed that hackers had breached its systems after threat actors leaked a stolen database containing millions of Social Security numbers and other sensitive personal information.
The company says the stolen data may include names, email addresses, phone numbers, social security numbers (SSNs), and mailing addresses.
Breach related to hacker attack in late 2023
In the statement about the security incident, National Public Data states that “the data allegedly stolen included name, email address, phone number, social security number, and mailing address(es).”
The company acknowledges that certain data was compromised in April and summer 2024 and believes the breach is linked to a threat actor “who attempted to hack into the data in late December 2023.”
NPD says they have investigated the incident, worked with law enforcement and reviewed records that may have been affected. If there are any significant developments, the company will “attempt to notify those affected.”
It’s worth noting that BleepingComputer’s testing found that access to NPD’s statement on the security incident was blocked for IP addresses in numerous locations in the U.S., as well as regions outside the country. However, the Internet Archive has more than a dozen captures of the page.
Although a large portion of the database stolen from National Public Data (NPD) was leaked ten days ago, partial copies had already been shared by various threat actors.
The leaks began after a threat actor using the code name USDoD put 2.9 billion records allegedly stolen from NPD up for sale in April for $3.5 million.
Earlier this month, another threat actor called Fenice released the most comprehensive variant of the database for free, containing 2.7 billion records, with multiple records relating to a single individual.
It is unclear how many people were affected, but several people confirmed to BleepingComputer that the records contained details about themselves and their family members, including deceased ones.
According to Troy Hunt, the creator and operator of the Have I Been Pwned (HIBP) search service for compromised personal data, there were 134 million unique email addresses in a version of the leaked NPD database that he analyzed.
However, not all information may be accurate. BleepingComputer’s testing has shown that some people have been linked to someone else’s name.
Hunt’s analysis of the data set he received seems to confirm this, as he found that one of his email addresses was linked to two different birth dates, neither of which was his.
Additionally, BleepingComputer found that some information in the database may be out of date because the current address is not included for any of the people we verified.
Inaccuracies aside, the NPD incident has resulted in at least one class action lawsuit against Jerico Pictures, the company that operates the National Public Data service.
The NPD data is believed to come from public files, such as government records (federal, state and local), which contain all legal documents related to an individual.
Individuals affected by the NPD breach should monitor their bank accounts for signs of potentially fraudulent activity and report it to credit reporting agencies.
Since contact information is included in the leak, there is also the possibility of phishing attempts designed to trick you into revealing more sensitive data that could be used for fraudulent activities.