(Yahoo) About four months after a notorious hacking group claimed to have stolen an extraordinary amount of sensitive personal information from a major data broker, a member of the group has reportedly released most of it for free on an online marketplace for stolen personal data.
The breach, which includes Social Security numbers and other sensitive data, could power a raft of identity theft, fraud and other crimes, said Teresa Murray, consumer watchdog director for the U.S. Public Information Research Group.
“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than prior breaches, Murray said in an interview. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data, which offers personal information to employers, private investigators, staffing agencies and others doing background checks. The group offered in a forum for hackers to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
The lawsuit was reported by Bloomberg Law.
Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.
National Public Data didn’t respond to a request for comment, nor has it formally notified people about the alleged breach. It has, however, been telling people who contacted it via email that “we are aware of certain third-party claims about consumer data and are investigating these issues.”
In that email, the company also said that it had “purged the entire database, as a whole, of any and all entries, essentially opting everyone out.” As a result, it said, it has deleted any “non-public personal information” about people, although it added, “We may be required to retain certain records to comply with legal obligations.”
Several news outlets that focus on cybersecurity have looked at portions of the data Felice offered and said they appear to be real people’s actual information. If the leaked material is what it’s claimed to be, here are some of the risks posed and the steps you can take to protect yourself.
The threat of ID theft
The leak purports to provide much of the information that banks, insurance companies and service providers seek when creating accounts — and when granting a request to change the password on an existing account.
A few key pieces appeared to be missing from the hackers’ haul. One is email addresses, which many people use to log on to services. Another is driver’s license or passport photos, which some governmental agencies rely on to verify identities.
Still, Murray of PIRG said that bad actors could do “all kinds of things” with the leaked information, the most worrisome probably being to try to take over someone’s accounts — including those associated with their bank, investments, insurance policies and email. With your name, Social Security number, date of birth and mailing address, a fraudster could create fake accounts in your name or try to talk someone into resetting the password on one of your existing accounts.
“For somebody who’s really suave at it,” Murray said, “the possibilities are really endless.”
It’s also possible that criminals could use information from previous data breaches to add email addresses to the data from the reported National Public Data leak. Armed with all that, Murray said, “you can cause all kinds of chaos, commit all kinds of crimes, steal all kinds of money.”
How to protect yourself
Data breaches have been so common over the years, some security experts say sensitive information about you is almost certainly available in the dark corners of the internet. And there are a lot of people capable of finding it; VPNRanks, a website that rates virtual private network services, estimates that 5 million people a day will access the dark web through the anonymizing TOR browser, although only a portion of them will be up to no good.
