National Public Data’s Collection Suddenly Very Public krebsonsecurity.com

Lawrence Abrams, Bleeping Computer:

Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.

The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.

National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.

Troy Hunt, creator of Have I Been Pwned?:

So, this data appeared in limited circulation as early as 3 months ago. It contains a huge amount of personal information (even if it isn’t “2.9B people”), and then to make matters worse, it was posted publicly last week:

[…]

[…] Instead, we’re left with 134M email addresses in public circulation and no clear origin or accountability. […]

Connor Jones, the Register:

The data broker at the center of what may become one of the more significant breaches of the year is telling officials that just 1.3 million people were affected.

Jones got this number from a report National Public Data was required to file with the Maine attorney general which, for whatever reason, is not embedded or linked to in this story — here it is. My bet is National Public Data is bad at filing breach notifications. It says, for example, the breach was discovered “December 30, 2023”, the same day on which it occurred. Yet in the notice it is mailing to affected Maine residents, it says there were “potential leaks of certain data in April 2024 and summer 2024”, which would be difficult to know in December 2023.

Brian Krebs:

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

This is not the first time a huge amount of compromised data has been traced back to some legitimate but nevertheless scummy broker. There was Exactis with 340 million records, People Data Labs with 622 million, and Apollo with around 200 million. The only reason most of us have heard of these businesses is because they hoard our information and — critically — do not protect it. These giant brokers evidently do not care about basic data privacy practices and should not be allowed to operate, and their executives should be held responsible for their failure.