A massive database containing over 2.7 billion records has reportedly ended up on a criminal forum. These records belong to individuals in the US and were allegedly stolen from National Public Data (NPD). While the accuracy of the leaked data could not be verified, the hackers reportedly obtained sensitive information such as names, mailing addresses, and social security numbers. The scale of this breach is so vast that if you live in the US, it’s likely that some of your data is included.
What you need to know
Bleeping Computer reported that the database was posted on the criminal forum Breachforums, where threat actors often post such leaks. What’s interesting is that the stolen database was up for free download. The user who posted it credited a hacker named “SXUL,” saying, “There’s a new player in town.” Usually, hackers sell leaked databases like this one for huge sums.
The database has been stolen from NPD, which collects data from public sources to compile individual user profiles for people in the US and other countries. NPD then sells this private data to all kinds of organizations, such as background check websites, investigators, app developers, and data resellers.
While the database has 2.7 billion records, it’s important to note that this doesn’t necessarily mean 2.7 billion people were impacted. Many of these records are repetitive, and some are incorrect. Still, the breach affects a significant number of people in the States.
This isn’t the first time NPD data has ended up on criminal forums. Bleeping Computer noted that back in April, a hacker known as USDoD claimed to be selling 2.9 billion records with personal data from people in the US, UK, and Canada, which was also stolen from NPD.
NPD is facing consequences
NPD, owned by Jerico Pictures, is facing multiple lawsuits for not protecting people’s data. One lawsuit, filed by California resident Christopher Hofmann, says NPD was negligent and breached its fiduciary duties and a third-party contract.
The plaintiff wants the court to order NPD to delete all the personal info it has collected and start encrypting data from now on. They’re also asking for more than just money—like having NPD set up data segmentation, run regular database scans, put in place a threat-management program, and get a third party to check its cybersecurity every year for the next 10 years.
We reached out to NPD for a comment but did not hear back before our deadline.
It’s time to invest in identity theft protection
Hofmann learned about the data breach through his identity theft protection service, which detected his data in the leaked database. The service notified Hofmann, prompting him to take action and file a lawsuit. Data breaches happen every day, and most never make the headlines, but with an identity theft protection service, you’ll be notified if and when you are affected.
While there are many services that you can sign up for, my top recommendation is Identity Guard. It can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. It can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
CyberGuy’s Exclusive Offer: Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
5 ways to protect yourself from data breaches
In addition to opting for an identity theft protection service, you can follow these tips to protect yourself from data breaches.
1) Remove your personal information from the internet: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap – and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
My top recommendation is Incogni, which has a very clean interface and will scan 195 websites for your information, remove it, and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee and then charges a special CyberGuy discount, available only through the links in this article, of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan for a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
2) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
3) Be cautious of phishing attempts: Be vigilant about emails, phone calls, or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request. The best way to protect yourself from clicking malicious links that install malware is to have strong antivirus protection installed on all your devices.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
4) Monitor your accounts: Breaches of this magnitude will make it a necessity for you to start routinely reviewing your bank accounts, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.
5) Recognizing and reporting a Social Security scam: If there is a problem with a person’s Social Security number or record, Social Security will typically mail a letter. You can learn more about recognizing Social Security-related scams, including how to report a scam quickly and easily online to Social Security’s Office of the Inspector General, by reading more at www.ssa.gov/scams.
Top ways to keep your social security number safe
1) Hide/safekeep your Social Security card
Put your social security number card in a very safe place, such as a safe, bank safe, or filing cabinet that can be locked. Because it is used so frequently, those 9 digits are worth memorizing. If your wallet is lost or stolen and you keep your SSN card in there, it will be messier than losing just money or your ID. Don’t carry your social security card in your wallet or purse!
2) Use an identity theft or fraud protection service
Companies such as Identity Guard can monitor your SSN and alert you if it is sold on the dark web or being used to open an account. The faster you know, the quicker you can shut down the damage. In fact, some companies will help you freeze your bank and credit card accounts to prevent further use by criminals. Fortunately, taking advantage of stellar fraud protection from our top pick, Identity Guard, is even more affordable with exclusive CyberGuy savings (up to 52% off).
3) Go online
Skip jotting down your social security number on in-person forms. When your social security number is written on paper, it is hard to control how the information gets used or disposed of. If you can submit forms online, you can avoid the risk of your SSN getting into the wrong hands. If you mail in forms that include your SSN, you risk having that piece of mail stolen or lost.
4) Opt out of inputting SSN
Even though your SSN is requested on some forms, it is not always necessary. If a future employer is requesting your SSN, double-check why they need it. They would most likely need it to run a background check, which you should know about anyway. Additionally, some establishments allow you to provide only the last 4 digits of your SSN until you are finalizing a screening process, etc.
5) Sign up for a social security account
Go to the official Social Security Administration website to create an account. Because only one account can be created per social security number, it is safer to claim it yourself so that no one else can piece together your personal information (along with your SSN) and claim it fraudulently. Make sure it is connected to a secure email account that you check frequently. This account also provides up-to-date data on earnings and benefit distributions so you can see if anything is ‘off’.
6) Combat child identity theft
Open accounts for your children’s SSNs so that you claim them on their behalf early and can monitor any activity related to their social security numbers.
7) Secure documents
Some records that contain your social security number are important to keep on hand, such as income tax filings. If they are kept digitally, encrypt and/or password-protect the document or folder, especially if it is uploaded to the cloud. Keep offline documents with SSNs in a safe, or shred them instead of throwing them away.
Remember, you (usually) only get one social security number in a lifetime, so it is important to safeguard that data with your ‘life’!
8) Remove your personal information from the internet
As mentioned above, a data removal service does all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.
My top recommendation is Incogni, which has a very clean interface and will scan 195 websites for your information, remove it, and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee and then charges a special CyberGuy discount, available only through the links in this article, of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan for a fully automated data removal service, including recurring removal from 175+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
9) IRS Identity Protection PIN (IP PIN)
To further protect your tax returns from identity theft, the IRS offers an Identity Protection PIN (IP PIN). This is a six-digit number that prevents someone else from filing a tax return using your Social Security number or Individual Taxpayer Identification Number (ITIN). The IP PIN is known only to you and the IRS, adding an extra layer of security to your tax filings.
How to get an IP PIN
- Online Request: The fastest way to receive an IP PIN is to request one through your online account on the IRS website. If you don’t already have an account, you must register to validate your identity.
- Alternative Methods: If you can’t establish an online account, there are other methods, but they take longer. You can file an application or request in-person authentication.
Using Your IP PIN
- Enter the six-digit IP PIN when prompted by your tax software or provide it to your trusted tax professional when filing your return.
- An IP PIN must be used on all federal tax returns during the year, including prior year returns.
- Do not reveal your IP PIN to anyone except your tax professional when you are ready to sign and submit your return.
Important information
- An IP PIN is valid for one calendar year, and a new one is generated each year.
- If you lose your IP PIN, you can retrieve it online or have it reissued by calling the IRS.
By using an IP PIN, you can significantly reduce the risk of tax-related identity theft and ensure that your tax returns are processed smoothly and securely.
Kurt’s key takeaway
If the database leak is legit, this is a big security fail on NPD’s part. Since their whole business is based on collecting and selling data, they should have strong encryption and security in place—especially if this isn’t the first time hackers have targeted them. If they’re putting people at risk, they should be held responsible and cover any financial losses people face because of the leak.
How do you feel about companies that collect and sell data? Do you think they should be held accountable for breaches? Let us know in the comments below.
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
12 comments
This is gross negligence. NPD should be criminally liable and put out of business!
Any company that collects data from individuals should be held accountable with extreme punishment not a slap in the hand.
Does anyone know when this happened?
I’ve never heard a public official campaign on, or complain much about, all these intrusions into, manipulation of, and profiteering from OUR data. Does that mean they’re profiting from it too? This has gotten WAY out of hand, and WE are having to pay for products/services to TRY to keep our data safe. Until they stop collecting/selling our data, they should at LEAST be severely punished when they’ve been hacked.
Any company that collects data from individuals should be held accountable. We should not have to pay for services to keep our data safe. These companies should have to pay for identity theft services forever! My purse was stolen 30 years ago and still to this day I have issues that pop up from time to time that I have to deal with. Last year I had to renew my passport and found out someone was using my name. Not to mention when you’re trying to straighten out identity issues the company/Governmental agency you are trying to resolve them with treat you like you’re the criminal!
Why is it even allowed for a company like this to have our information? My personal information, such as social security number, etc should not be considered public info. We need new laws (and enforce them) to eliminate this kind of problem. If these huge companies aren’t allowed to have our info, then it can’t be hacked. They obviously don’t care about our info so they should have to pay instead of us paying to protect ourselves!
Who said they can sell MY data? Why is this allowed?
There is never enough accountability, nor will there be. That is why they keep doing it, they get away with not protecting the info they collect from each of us. And I agree, who said they could even collect my data? I never gave permission! Hey look at the Equifax breach in 2017, another instance where data collection and subsequent storage of it, is not important enough to be protected. 147 million people had their data exposed in that 2017 Equifax breach or whenever it occurred. They didn’t come clean with admitting it until 2017. And whoopppeee…. I received a whopping $14 cash settlement, that is 14 – $1 dollar settlement out of the $425 M class action settlement when my costs to mitigate that data leak cost way more than that. Not to mention the headache and stress over identity theft.
They will never be held accountable. I think each State needs to be looking at this closely because the laws are so lax today, it is so easy for these companies to track you, collect data, and subsequently expose it with no MAJOR consequences. And I can not trust Big Government, they are the worst offenders.
They should be responsible for paying for every person whose data was stolen to have personal security monitoring. The government should do its job and prosecute this company for collecting our PII and fine them to include any reparations for persons who are targeted and robbed by hacker / thieves that made use of the stolen data, as well as being forced to pay for credit monitoring for the next 5 years! We are told to protect our SSNs and passwords and other PII, and here these companies collect, store and put that data at risk. How stupid to not encrypt it. Negligent!
Seems like a perfect case for a class action lawsuit, and I typically detest these types of actions, but in this case it seems well deserved.
Hold on! It’s going to get much worse as AI evolves. Most business is conducted online. And if that’s not something to consider, wait until the entire Internet grid goes down. I’m considering writing letters and paying bills by check again. It was much safer.
My autistic son and I received notifications from Change Healthcare (PO Box 989728, W Sacramento, CA 95798-9728) that our data was stolen between February 17th through February 20th, 2024. We are given instructions to call them and ask to enroll in IDX for two years. My husband and I have had data stolen several times before, but in those instances, we were directed to contact the credit monitoring company directly and use a specific code. On F&F you said to be aware of things coming through the mail, so this made me suspicious. Just thought you’d like to know.
EULA (end user license agreement) is the root of all evil. People like myself scroll through the “fine print” for websites, software, and everything in our daily lives. That’s how your info is being shared and sold and stolen. Enough is enough.