2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed

News
By
last updated

Stolen data was then put up for sale on the dark web

An open lock depicting a data breach
(Image credit: Shutterstock)

Regardless of how careful you are online, your personal data can still end up in the hands of hackers—and a new data breach that exposed the data of 2.9 billion people is the perfect example of this.

As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month. A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.

The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It's worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.

Here’s everything we know so far about this massive data breach along with some steps you can take to stay safe if your personal information was exposed online.

The result of overscraping

A digital concept image of an online database

(Image credit: Getty Images)

So how does a firm like National Public Data obtain the personal data of almost 3 billion people? The answer is through scraping which is a technique used by companies to collect data from web sites and other sources online.

What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.

According to the complaint, one of the plaintiffs who resides in California first found out about the breach because he was using one of the best identity theft protection services which notified him that his data was exposed and leaked on the dark web.

As part of the class action lawsuit, this plaintiff is asking the court to have National Public Data securely dispose of all the personal information it acquired through scraping. However, he also wants the firm to compensate him and the other victims financially while implementing stricter security measures going forward.

How to stay safe after a data breach

A woman looking at a smartphone while using a laptop

(Image credit: Shutterstock)

With full names, addresses and Social Security Numbers in hand, there’s a lot that hackers can do with this information, especially when it was made available for sale on the dark web.

While we haven’t heard anything yet from National Public Data, the company will likely have to put out a data breach notification soon given the mess that scraping non-public sources for data has gotten it into. These data breach notifications will likely arrive in the mail, so you’re going to want to keep a close eye on your mailbox for the time being.

Normally after a breach of this size, the company responsible will offer free access to either identity theft protection or credit monitoring for up to two years. In the meantime though, you’re going to want to be careful when checking your inbox or even your messages as hackers often use this type of data to launch targeted phishing attacks. At the same time, you’re going to want to carefully monitor your bank accounts and other financial accounts for signs of fraud or suspicious activity.

Since this is almost as big of a data breach as the one that Yahoo! suffered back in 2013 which saw data on 3 billion people exposed online, this likely isn’t the last we’ll be hearing about it. Tom's Guide has reached out to National Public Data for more information on the matter and we'll update this piece if and when we hear back from them.

More from Tom's Guide

Anthony Spadafora
Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

16 Comments Comment from the forums
  • Fox Tread3
    August 6, 2024 - First of all, I think the way National Public Data goes about getting data. Should be considered illegal, and stopped immediately. They are invading the privacy of BILLIONS of people without their knowledge. I think the Credit reporting companies ("agencies"🤨 😏) are far too powerful as it is. So why is it necessary for a company like National Public Data to exist in the first place? U.S. and foreign countries' regulatory agencies are all over companies like Google and Microsoft for invading the public's privacy and using the personal data they collect to sell to other companies. These companies get their data in a fairly "transparent" way. However, National Public Data gets the data it sells in complete secrecy, and I believe violates existing privacy laws. I fortunately can limit to some degree my exposure online, and the data collected by companies and services I deal with. However, I do not use options offered by companies and services to have "convenience" payments like Auto-pay etc. Companies and corporations of every stripe have proven that they are incapable of keeping the important data of their customers safe. I pay my ISP extra every month to get a bill in the mail, and to pay by check. Lastly, I think it is almost criminal for various services to demand that customers that want to use their services. Have to have a credit/debit cards that the company can automatically charge every payment date. There is no reason why, a customer cannot make a payment via card upon the request of the servicing or streaming company. This is an example of government regulators ignoring the egregious business models of many large companies and corporations.
    Reply
  • CyberHunk
    Fox Tread3 said:
    August 6, 2024 - First of all, I think the way National Public Data goes about getting data. Should be considered illegal, and stopped immediately. They are invading the privacy of BILLIONS of people without their knowledge. I think the Credit reporting companies ("agencies"🤨 😏) are far too powerful as it is. So why is it necessary for a company like National Public Data to exist in the first place? U.S. and foreign countries' regulatory agencies are all over companies like Google and Microsoft for invading the public's privacy and using the personal data they collect to sell to other companies. These companies get their data in a fairly "transparent" way. However, National Public Data gets the data it sells in complete secrecy, and I believe violates existing privacy laws. I fortunately can limit to some degree my exposure online, and the data collected by companies and services I deal with. However, I do not use options offered by companies and services to have "convenience" payments like Auto-pay etc. Companies and corporations of every stripe have proven that they are incapable of keeping the important data of their customers safe. I pay my ISP extra every month to get a bill in the mail, and to pay by check. Lastly, I think it is almost criminal for various services to demand that customers that want to use their services. Have to have a credit/debit cards that the company can automatically charge every payment date. There is no reason why, a customer cannot make a payment via card upon the request of the servicing or streaming company. This is an example of government regulators ignoring the egregious business models of many large companies and corporations.
    Exactly this. These companies are no different than the hackers who steal people's personal information.
    Reply
  • Big Willie!
    Until the penalties for allowing these hacks are severe, these data aggregators will never have the same care and concern for our data as we do. But, as always, business donors and lobbyists are the primary constituents of our elected leaders, and laws and regulations will always favor businesses over individuals.
    Reply
  • say what boy
    admin said:
    Class action lawsuit in Florida has revealed that hackers stole a database full of sensitive information on 2.9 billion people before they tried selling it on the dark web.

    2.9 billion hit in one of largest data breaches ever — full names, addresses and SSNs exposed : Read more
    Where do you come up with that number pull it out of rabbit's ass that would be the population of China and India and maybe another small country we only have 400 million in this country
    Reply
  • rgd1101
    if you read the article , it is from the source on bloomberglaw
    Reply
  • COLGeek
    say what boy said:
    Where do you come up with that number pull it out of rabbit's ass that would be the population of China and India and maybe another small country we only have 400 million in this country
    Explained in article..."The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years..."

    The big take away here is that internet connected entities, across the board, do not protect user data. Else, it wouldn't be so easily accessible for such aggregators.

    People leave a digital footprint, no matter how diligent they are, those we do business with are NOT. Scraping that exposed data has become almost trivial, unfortunately.

    Rules must change if this is going to improve.
    Reply
  • TheWerewolf
    COLGeek said:
    Explained in article..."The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years..."

    The big take away here is that internet connected entities, across the board, do not protect user data. Else, it wouldn't be so easily accessible for such aggregators.

    People leave a digital footprint, no matter how diligent they are, those we do business with are NOT. Scraping that exposed data has become almost trivial, unfortunately.

    Rules must change if this is going to improve.
    That's not actually an explanation relevant to his question.

    SSNs are unique to the US. Canada has SINs and the UK has NI numbers, for example. There are only 340M people in the US and so even taking into account 30 years of data, 2.9B is almost nine times the entire population of the US.

    If the article had said 2.9 billion distinct records, that would be possible, with multiple records per person (although, again nine records per person?).

    Alternatively, this is world data, but then why mention SSNs repeatedly when that's not relevant for most of the records (ie: 2.5B of the 2.9B, more or less?)

    Moreso, if the data includes past addresses for people going back 30 years, while this has its own issues, that data is less dangerous.

    In any case, other countries DO have laws against this sort of thing. That's what the GPDR and the EU data privacy laws are about. If this company has scraped data for Europeans, then they're going to get railed by the EU. The main problem is the US which is so protective of businesses' rights over citizens' rights that they'll never bring in that strict a set of laws to protect the public from this kind of infringement of privacy.
    Reply
  • JaniceIce
    TheWerewolf said:
    That's not actually an explanation relevant to his question.

    SSNs are unique to the US. Canada has SINs and the UK has NI numbers, for example. There are only 340M people in the US and so even taking into account 30 years of data, 2.9B is almost nine times the entire population of the US.

    If the article had said 2.9 billion distinct records, that would be possible, with multiple records per person (although, again nine records per person?).

    Alternatively, this is world data, but then why mention SSNs repeatedly when that's not relevant for most of the records (ie: 2.5B of the 2.9B, more or less?)

    Moreso, if the data includes past addresses for people going back 30 years, while this has its own issues, that data is less dangerous.

    In any case, other countries DO have laws against this sort of thing. That's what the GPDR and the EU data privacy laws are about. If this company has scraped data for Europeans, then they're going to get railed by the EU. The main problem is the US which is so protective of businesses' rights over citizens' rights that they'll never bring in that strict a set of laws to protect the public from this kind of infringement of privacy.
    Since 1936, about 500 million SSNs have been issued. This 2.9B click-bait article is WAY over exaggerated.
    Reply
  • COLGeek
    JaniceIce said:
    Since 1936, about 500 million SSNs have been issued. This 2.9B click-bate article is WAY over exaggerated.
    Source? That number would seem low.

    A lot of people have existed over the last thirty years, more than the existing population at one given time.

    Even if 2.9B is over the mark, the impact of this latest hack is massive and highlights the poor data protection mechanisms (added to outright selling of data) in place. Correlating all that data is trivial (in a manner of speaking) given the tools available to sift through all of this data.

    From personal experience, I have been notified via multiple monitoring services (all provided free due to previous incidents) about my own personal data being in this pile. Much of it is very dated and wrong. Some is correct and that is indeed worrisome.
    Reply
  • Enkimoré
    A data breach is the best way to launder money with fake political, faith, and countless ways of donation using your information. We can debate who's to blame but the real reason is for money laundering.
    Reply