In a significant security incident, National Public Data (NPD), a background check service, has confirmed that their systems were breached by hackers, resulting in the leak of a valuable database containing millions of personal records, including social security numbers and other sensitive information. The breach potentially exposed names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses of affected individuals.

According to NPD, the compromised data was suspected to have been breached in April 2024 and the following summer. The company believes that the breach may be linked to a threat actor who attempted to hack into their systems in late December 2023. NPD assured that they promptly conducted an investigation, collaborated with law enforcement agencies, and carefully reviewed the affected records.

While the exact number of individuals impacted remains unclear, reports indicate that the leaked database has been circulating among multiple threat actors since its initial partial release. Earlier this month, a threat actor under the alias USDoD offered to sell approximately 2.9 billion stolen records from NPD for a staggering $3.5 million. Subsequently, another threat actor named Fenice shared a highly extensive version of the database, containing 2.7 billion records, free of charge. Notably, some records within the leaked database also included information about family members, including deceased individuals.

Troy Hunt, creator of the widely-used personal data search service, Have I Been Pwned (HIBP), analyzed one version of the leaked database and discovered 134 million unique email addresses. However, it is important to note that not all the information within the database may be accurate. Tests conducted by cybersecurity researchers revealed instances where individuals were associated with incorrect names. Furthermore, there were discrepancies regarding dates of birth, with Hunt noting that one of his email addresses was linked to two different dates of birth, neither of which were correct.

In addition to potential inaccuracies, BleepingComputer also found that some of the details in the leaked database appeared to be outdated, as they did not include current addresses for the individuals investigated.

The severity of this breach has prompted at least one class-action lawsuit against Jerico Pictures, the entity operating National Public Data. NPD is known to gather their information from public files, including government records at the federal, state, and local levels.

Authorities urge individuals affected by this breach to closely monitor their financial accounts for any signs of fraudulent activity and report any such incidents to credit bureaus promptly. As contact information is among the leaked data, there is also a possibility of phishing attempts targeting affected individuals, with cybercriminals attempting to deceive them into divulging further sensitive information for malicious purposes.

NPD is committed to keeping affected individuals informed of any significant developments in relation to the breach. However, it is worth noting that access to NPD's official statement on the incident has been blocked for IP addresses in several locations within the United States and abroad.