Massive leak of US personal information shows up on hacking forum, including almost 2.7 billion records

data leak exposes personal information of billions of people

(Image credit: Shutterstock)

Nearly 2.7 billion personal information records for people in the United States have been posted to a popular hacking forum, exposing names, addresses, and even Social Security numbers. The data allegedly comes from a company that collects and sells the data for legitimate use, but was stolen and put up for sale in April 2024.

Originally, a threat actor known as USDoD claimed to have stolen the information from National Public Data. National Public Data scrapes the information from public sources, uses it to compile individual profiles, and then sells those portfolios. The company serves private investigators as well as entities needing to conduct background checks and obtain criminal records.

When USDoD first obtained the data, it offered to sell it for $3.5 million. The hacker claimed it contained 2.9 billion records and consisted of personal information for every person in Canada, the United Kingdom, and the United States. In the past, USDoD has been linked to another database breach, trying to sell InfraGard’s user database for $50,000 in December 2023.

On Aug. 6, a user going by the alias Fenice posted what’s believed to be the most complete version of the stolen National Public Data information for free on the Breached hacking forum. Fenice says, however, that the data breach was actually done by a different hacker than USDoD, one known as SXUL.

This isn’t the first time the data from this leak has been released, but previous posts have only included partial copies of the data. These included different numbers of records and sometimes different data. Fenice has offered the most complete version of the National Public Data information and has provided it for free.

BleepingComputer was unable to confirm if the leak actually contained data for every person in the U.S. or not, but did receive confirmation from numerous individuals that their and their family members’ details were included. Tom’s Hardware has also been unable to confirm the veracity of the claim, as the two files making up the leak total 277GB of data from a rather slow download server.

Other problems have been noted with the data, including incorrect Social Security numbers. Also, the records BleepingComputer could check contained old address data, suggesting the data may come from an old backup, Finally, many people in the data leak have multiple records, one for each address they have lived at. So it's unclear if all 333 million people in the U.S. are impacted.

Nonetheless, you should be a bit more attentive to your credit report for fraudulent activity in the coming months / years. Since the leak also includes email addresses and phone numbers, it would be a good idea to be more vigilant against phishing emails and SMS attempts trying to elicit more information from you as well.

Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.

Latest

A die photo of the original Pentium processor with its blocks labeled. The image is made of red and brown blocks, with one tiny segment zoomed and enhanced into.

30-year-old Pentium FDIV bug tracked down in the silicon — Ken Shirriff takes the microscope to Intel's first-ever recall

See more latest ►

21 Comments Comment from the forums

Gururu

Each day, I am beginning to appreciate two or more factor authentication. I have a couple of monitoring agencies watching my stuff but that is only because they were free after some organization got breached in the first place.

Everyone's info including SS# are in the dark web now. Keep watch on your accounts and check the credit reports for new unauthorized accounts.
Reply
COLGeek

Covered on our sibling site, as well:

https://forums.tomsguide.com/threads/2-9-billion-hit-in-one-of-largest-data-breaches-ever-%E2%80%94-full-names-addresses-and-ssns-exposed.537738/
Reply
stuff and nonesense

Privacy is hosed. Get your tinfoil hat out, put it on…

Every website tries to run scripts, place cookies, fill your screen with ads. You go to the local supermarket, they try to get you to sign on to their loyalty program.. every company wants your data, advertisers want to track you.. privacy shimacy.

Too few of these entities spend enough money on securing the data they have collected.
Reply
ThomasKinsley

None of this is acceptable, and yet society goes on barely noticing. Data mining the public has gotten out of hand until now your personal information is everywhere, ready for the next malicious actor or data corporation (I repeat myself) to hoover it up.

Gururu said:
Each day, I am beginning to appreciate two or more factor authentication. I have a couple of monitoring agencies watching my stuff but that is only because they were free after some organization got breached in the first place.
While there are real benefits to be had with 2FA, the concept is flawed. It's essentially trusting these same corporations who keep getting hacked with your phone number (the commonly used tool for 2FA) in order to secure your password. But when they get hacked again, it will be your password and your phone number that malicious actors possess. There are also ways to circumvent 2FA.
Reply
bolweval

stuff and nonesense said:
Too few of these entities spend enough money on securing the data they have collected.
Those entities are probably the ones selling our data...
Reply
yahrightthere

It's beyond time that the inept congress gets involved & stop any & all companies from collecting data on everyone. (yeah ok that will never happen, it's called under the table kickbacks)
If a company wants to sell a product, I should not have to agree to terms that give them the option to collect my data, especially not my social security number, that, should be used only for federal & state government purposes period.
Reply
Giroro

I would argue there is no such thing as a "legitimate" business that buys/sells Social Security numbers and related personal information en masse. Any database that is a mass-aggregation of citizen data could be used to threaten national security, and therefore should be seized, secured, and marked as classified so that the companies who aggregate, store, and manage this data could be held criminally accountable when they allow it to be released internationally - whether or not the release was intentional.
Rules would need to be put into place to determine how much data is too much data. But hopefully most people would agree there's a point where keeping too much data in one place starts to become a real problem.

That said, people in the US still have no guaranteed right to privacy whatsoever. Until some real legislation (preferrably a constitutional amendment) gets put into place to protect privacy at even the most basic level, then these giant data gluttons are just going to keep getting bigger, and more reckless.
Reply
stuff and nonesense

I can’t remember or find the source but I saw something a few years ago, paraphrasing, “It takes 7 pieces of information to identify you”. This was referring to data in an anonymised list. The data collectors often claim that your data is safe and anonymised….

There is one question I would like asking of the data collectors. What constitutes “Legitimate Interest” with regard to cookies etc. I have no relationship with companies that claim legitimate interest, needless to say I deny them permission.

I have scripts blocked, I have adverts blocked. TH looks like a good site, clean, neat and tidy. When the adblocker is off it’s a mess.
Reply
hotaru251

Technology has advanced as such a rate that USA needs to start making a new system to keep SSN#'s & the like secure. Even if it needs a system overhaul long term its worth it. Possibly have multiple req. such as having to authenticate any use of that SSN given how important that is to an american.
Reply
USAFRet

stuff and nonesense said:
I can’t remember or find the source but I saw something a few years ago, paraphrasing, “It takes 7 pieces of information to identify you”. This was referring to data in an anonymised list. The data collectors often claim that your data is safe and anonymised….
Back in the early 00's, there was a leak of anonymized search data from AOL. Millions of search records.
Zero actual user names, etc.

With just the info of what people searched for, a group managed to positively identify some humans. Name, address, etc.
Reply

Show more comments

Stay On the Cutting Edge: Get the Tom's Hardware Newsletter

Most Popular