The weirdest ‘3 billion people’ data breach ever

National Public Data, a company that collects personal data to resell and process background checks, is the target of a proposed class action lawsuit alleging it is the source of a massive data leak that includes information like Social Security Numbers and more on reportedly “3 billion people,” according to Bloomberg Law.

As reported by Bleeping Computer, the alleged stolen database was offered for sale on the dark web in April by a hacker group known as USDoD for $3.5 million. It advertised the haul as 2.9 billion rows of data originating from National Public Data (NPD) — a reported DBA name of Jerico Pictures, Inc. NPD has not commented publicly on the alleged leak or responded to questions.

Bleeping Computer reports multiple sources have released partial copies, and that each record contains a name, mailing addresses, and social security number, as well as possible aliases in some cases for people in the US, Canada, and UK. Many of the records are duplicates, so how many people that may impact is a much smaller number. The hacker and malware tracker @vx-underground on X also looked at the data and noted it didn’t contain records for people who use data opt-out services, supporting the idea that it came from a data aggregator.

If you’ve received an alert that your information is included in the data leak, other than keeping an eye out for any suspicious activity on your credit report, Bleeping Computer also warns people to be vigilant of scams and phishing attacks using leaked information that might try to get you to reveal more private info.

Have I Been Pwned operator Troy Hunt has experience looking at similar data leaks. He tracks and sorts their information for his site to alert people if their information has been compromised, and he says there are some weird things about this set of data that make the whole thing “…informational only, an intriguing story that doesn’t require any further action.”

On Hunt’s blog, he writes there’s “no concise way to explain the nuances” of the breach since the alleged source of the breach is a company with personal data that was not given to it directly, making it hard to trace back.

Hunt looked at the data and found one set with Social Security numbers but no email addresses, while another one has 100 million unique email addresses, but the rest of the data is “pretty random in appearance.” He found his email in the list, but confirmed the information next to it was inaccurate. Hunt adds:

Lastly, I want to re-emphasise a point I made earlier on: there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.