Hackers May Have Stolen Every American's Social Security Number From Background Check Firm

Billions of records that purportedly contain personal data of every American, Canadian and Briton has reportedly found its way to a shadowy online identify-theft marketplace -- where it's been served up at no charge to legions of criminals. 

In April, a notorious hacker group called "USDoD" claimed it had obtained 2.9 billion personal data records that it stole from National Public Data, an obscure background check firm that is a DBA brand of a Jerico Pictures Inc in Coral Springs, Florida. Claiming the data covered every person in the United States, Canada and the United Kingdom, the hackers put the trove up for sale at $3.5 million.  

In the following months, other groups published distinct subsets of the data haul, Bleeping Computer reports. However, on August 6, someone claiming to have obtained breached National Public Data information via another person or entity called "SXUL," served up 2.7 billion records in two files totaling 277GB -- for free.

hackers may have stolen every americans social security number from background check firm
A screenshot captures a post to a hacking forum offering free access to the National Public Data personal-information trove (via
Bleeping Computer)

Each person contained in the database will have a separate record associated with each of their known residential addresses. "This data [set] may be outdated, as it does not contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup," reports Bleeping Computer. Nonetheless, "If you live in the US, this data breach has likely leaked some of your personal information."

Cybersecurity firm Pentester has created an online tool you can use to check if your personal information is included in the National Public Data breach. To use it, you need only enter your name, state and birth year. This Tyler Durden found his date of birth, mailing address, phone number and Social Security number are readily available to bad actors digging into the trove. 

hackers may have stolen every americans social security number from background check firm

A class action lawsuit has been filed against Jerico Pictures in US District Court in Fort Lauderdale. According to the 50-page complaint, National Public Data "scrapes the [personally identifiable information] of potentially billions of individuals from non-public sources" without their consent or knowledge, and failed its "legal and equitable duties...to protect and safeguard that information from unauthorized access."    

According to a page on National Public Data's website that addresses the vast data theft, "the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).

“For somebody who’s really suave at it, the possibilities are really endless," Public Information Research Group consumer watchdog director Teresa Murray told the Los Angeles Times. She warns that identify thieves could combine the National Public Data information with data from previous hacks to "cause all kinds of chaos, commit all kinds of crimes, steal all kinds of money.

Here are a few ways to reduce your risk of being victimized: 

  • Freeze your credit files. To make it harder for criminals to open new accounts in your name, you can direct three major credit rating agencies -- EquifaxExperian and TransUnion -- to lock down your credit reports. Keep in mind, that will freeze your files for you too, so you'll need to unfreeze them when you're seeking credit or doing something else necessitating a credit check. 
  • Activate two-factor authentication for existing accounts. These protocols require an extra login step beyond just an email and password -- such as a code that's texted to you, or a code you obtain from an authenticator app linked to the account. This is important because criminals can use your leaked data to reset your login credentials. 
  • Strengthen your password game. Use many-charactered passwords, and avoid using the same one for multiple accounts -- especially the high-stakes ones. Consider a password-manager app to make that arrangement easier on you. 

While news of the breach is grim, it's a least spawned some fine humor, particularly from those who don't feel they have much to lose: 

Authored by Tyler Durden via ZeroHedge August 16th 2024