Data Breach: 3 Billion National Public Data Records with SSNs Dumped Online

ph1l

ph1l

https://hackread.com/data-breach-national-public-data-records-ssns-dumped/
byWaqas
August 6, 2024
3 minute read
National Public Data, a service by Jerico Pictures Inc., suffered a massive breach. Hacker “Fenice” leaked 2.9 billion records with personal details, including full names, addresses, and SSNs in plain text. The breach poses significant risks for identity theft and financial fraud. Jerico Pictures Inc. faces potential lawsuits and legal challenges due to the incident.

A hacker using the alias “Fenice” has leaked what they claim is a treasure trove of 2.9 billion records (including duplicate data) belonging to National Public Data. This API firm specializes in criminal records and background check services and is owned and operated by Jerico Pictures Inc.




The data, which has been leaked to Breach Forums—a notorious cybercrime and hacker platform—has been divided into two links, totaling a whopping 277GB worth of information.

It is worth noting that initially, National Public Data made headlines back in April 2024 when a hacker using the alias “sxul” claimed to have breached the company and put the database on sale for $2 million. Days later, the USDoD hacker, known for breaching the FBI’s security platform InfraGard, provided their services to “sxul” and offered the data to interested parties for $3.5 million.

It is unclear whether the duo successfully sold the data, but Jerico Pictures Inc. is already facing a massive lawsuit over the breach. Meanwhile, some users aware of the incident are already taking to Reddit to reveal the misuse of their Social Security Numbers (SSNs).


An unsuspected victim of data breach at the National Public Data (Screenshot credit: Hackread.com)
What’s in the leak?
The Hackread.com research team managed to analyze the data and found that it contained personal details of unsuspecting users, including full names, addresses, cities, counties, states, ZIP codes, and Social Security Numbers (SSNs) in plain text.

Here’s a full breakdown of the leaked data, in which we have replaced the original PII data with ABC and SSN with 000000000:

ID: 10
First Name: ABC
Last Name: ABC
Middle Initial: (missing)
Suffix: (missing)
Address Line 1: ABC
City: ANCHORAGE
County: ANCHORAGE
State: AK (Alaska)
ZIP Code: ABC
Additional Fields: (various missing or empty fields)
SSN: 000000000

The data contains:

An identifier (ID) for the record.
Personal details: First name and last name.
Address details: Address line, city, county, state, and ZIP code.
Social Security Number (SSN).
The data breach at National Public Data is potentially one of the largest and most significant cybersecurity incidents in recent years. Previously, the Yahoo data breach impacted 3 billion users, setting a precedent for large-scale data compromises.




The latest breach poses a major threat to Americans as it includes plaintext SSNs, which are critical identifiers used for various financial and governmental transactions. In the wrong hands, these SSNs are highly susceptible to abuse by identity scammers, making the breach a significant security risk.


Fenice on Breach Forums (Screenshot credit: Hackread.com)
With access to these Social Security Numbers (SSNs), cybercriminals can commit identity theft, open fraudulent credit accounts, secure loans, and even file false tax returns. This can lead to considerable financial loss, damaged credit scores, and prolonged legal and administrative battles for victims to reclaim their identities and rectify fraudulent activities.

Moreover, the lifelong nature of the SSN means that these risks can persist indefinitely, causing long-term vigilance and potential financial instability for those affected.

The data leak has put Jerico Pictures Inc. in a situation where the company might face additional lawsuits and other legal challenges. Hackread.com has reached out to National Public Data for comment. Stay tuned!
More...

That explains why I've been getting emails with content like:
upload_2024-8-7_10-20-35.png


I locked my credit files with the three U.S. enslaverscredit bureaus a few years ago. You might want to think about doing something similar.
 
Oops


No matter how many billions these corporations pay to keep systems in place there will always be someone smarter on the otherside !!!

At this point no one's information is protected as much as they ever say it is.
 
And this is why nobody should ever think a national digital ID is a good thing. Even Elon trying to make his Twitter an "everything app" is the dumbest idea when you consider how many people lose their accounts every day. Imagine having your whole personal and financial life on one app.
 
It's the credit bureau's releasing the data to sell a monitoring package. No different than McAfee releasing viruses into the wild so that he could market a solution.












90% tongue in cheek
 
Last edited:
S2007S said:
No matter how many billions these corporations pay to keep systems in place there will always be someone smarter on the otherside !!!
More...

No.

It's irresponsible behavior.

It's possible to design systems where it is extremely unlikely to have data breaches like this but that takes actually giving a crap about protecting people's data.

Generally 99.99% of people at a corporation should never need to be able to look up your full SSN. Even if they do, the requests to the server should be rate limited and automatically flagged if someone starts pulling SSNs from the database at a rate faster than someone could possibly do anything proper with them.

These breeches happen because many corporations operate with minimal security, and almost no up front thought given to protecting user data. They just throw it in a big database on the same network as every employee and give everyone access.

It's like keeping all your data in a regular file cabinet sitting on sidewalk in a major and saying "we locked it"
 
ph1l said:
https://hackread.com/data-breach-national-public-data-records-ssns-dumped/


That explains why I've been getting emails with content like:
View attachment 346008

I locked my credit files with the three U.S. enslaverscredit bureaus a few years ago. You might want to think about doing something similar.
More...

Do you really believe everything you hear on the internet? There are trillions, maybe I should say infinity different group of numbers all over the web, and just because 1 of them matches your SSN you think someone has stolen your identity?

You need to chill out. If you see anything that doesn't make sense with your credit cards, you just cancel the payment, cancel the card, get a new card. Problem solved! There is no need to panic over some random number on the internet
 
Tokenz said:
Do you really believe everything you hear on the internet? There are trillions, maybe I should say infinity different group of numbers all over the web, and just because 1 of them matches your SSN you think someone has stolen your identity?

You need to chill out. If you see anything that doesn't make sense with your credit cards, you just cancel the payment, cancel the card, get a new card. Problem solved! There is no need to panic over some random number on the internet
More...
Several data monitoring services reported they found my name and social security number along with addresses and emails leaked from National Public Data, and I posted a recent article that explains the leak.

Your imagination about stolen identities, credit cards, and random numbers shows you don't seem to understand.

I still suggest readers with U.S. social security numbers keep their credit files locked to avoid potential fraud.
 
engineering said:
No.

It's irresponsible behavior.

It's possible to design systems where it is extremely unlikely to have data breaches like this but that takes actually giving a crap about protecting people's data.

Generally 99.99% of people at a corporation should never need to be able to look up your full SSN. Even if they do, the requests to the server should be rate limited and automatically flagged if someone starts pulling SSNs from the database at a rate faster than someone could possibly do anything proper with them.

These breeches happen because many corporations operate with minimal security, and almost no up front thought given to protecting user data. They just throw it in a big database on the same network as every employee and give everyone access.

It's like keeping all your data in a regular file cabinet sitting on sidewalk in a major and saying "we locked it"
More...

I recently attended a science centre with my nephew and in one of the pavilions in the science centre, the topic was cybersecurity and attacks. And right at the entrance, there was a huge information blackboard that shows the origination and destination of cyberattacks and more than 50% of the cyberattacks originate from Asia. So if you want to beef up data security in the firms, you need to hire data security experts. And data security experts are hackers, the best one LOL Do you trust hackers from Asia? That's the question.
 
TheDawn said:
And data security experts are hackers, the best one LOL
More...

Not necessarily. The guys you call to demo a skyscraper aren't the same guys you call to build it.

A decent design needs to realize that 0-day exploits are a fact of life and design a system that uses layed security.

Say I'm building an E-commerce Web site and I need to handle people's credit card numbers....
I put them on a separate server. Behind a firewall. Regular employees can delete entries and add entries but the can't read back full credit card numbers for existing entries. The only place the server will send full credit card info is a pre-approved whitelist of payment processing companies, via encrypted message.

Maybe have a second system on the network monitoring traffic looking for anything out of profile and killing the network connection to the server if an issue is detected.

Use multiple hardware vendors. Use multiple operating systems. Assume individual pieces are going to get compromised and have a plan to detect and deal with it. Don't give a single person all the keys necessary to bypass the safeguards on a critical system.

Once you factor in the need for test systems and redundant systems, you can see thing as a large project suited to a professional team. Sure the movies will tell you it's all done by one person, but really you need a team. You need to design, deploy, manage and update an complicated system.

Somebody won't be doing it in their spare time while also running a full forensics lab.
 
You must log in or register to reply here.
Back
Top