A Florida company has all but confirmed that the confidential personal information of millions of people has been stolen and exposed by cybercriminals.

That information, billions of records in all, includes the names, Social Security numbers, physical and email addresses, and phone numbers of people in the United States, the United Kingdom, and Canada. It’s the kind of records that data brokers buy and sell on a regular basis.

And now it’s available for anyone to download and use for fraud via the dark web.

In April, criminals using the online name USDoD wrote on a cybercrime forum that they were allegedly selling 2.9 billion records, spread across multiple files in a 277GB archive, of US, Canadian and British citizens for $3.5 million, including their aforementioned names and phone numbers and Social Security numbers (if relevant), as well as their address history going back 30 years and details of their parents and relatives.

That silo of personal information was stolen from an organization called National Public Data, or NPD, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. According to the USDoD, the stolen data was collected by NPD between 2019 and 2024. The company likely pulled the information from local, state and federal public records.

A cyberthief using the username SXUL stole the information and passed it on to USDoD to sell, leading to a lawsuit against NPD earlier this month.

Some of the stolen information leaked in bits and pieces across the dark web, though someone using the handle Fenice reportedly dumped 2.7 billion records from that collection onto the internet last week, free for anyone to download if they knew where to look. Note that this is a database with billions of rows, not billions of individuals; there are a lot of inaccuracies in the data, as well as a lot of dead people and duplication.

After weeks of silence and countless people receiving notifications from privacy and anti-fraud agencies that their personal information had been leaked, NPD has confirmed in mysterious language that it has been compromised, and that the data has been stolen and shared. According to the biz, it was breached in December and the leaks began in April, leading up to now. According to the USDoD, the data was passed on to the cybercrime underworld before being sold and now public.

“There appears to have been a data security incident that may have involved your personal information,” NPD said in a statement this week.

“The incident is believed to have involved a malicious third party attempting to compromise data in late December 2023, with potential breaches of some data in April 2024 and the summer of 2024,” the background checks company added. “We conducted an investigation and have uncovered further information.”

The sequel:

NPD said it is working with law enforcement and government officials in light of the theft, and pledged to better secure its IT: “We have also implemented additional security measures to help prevent a similar breach from happening again and to protect our systems.” It also advised people to place fraud alerts on their credit files so that any misuse of their information can be detected and stopped.

Troy Hunt, of HaveIBeenPwned.com fame, has a sobering analysis of the leaked data here . He points out that the file containing the citizen service numbers (BSNs) does not contain people’s email addresses. So if you get a notification that your email address has appeared in the publicly released NPD collection, don’t assume that your BSN is there.

He also saw that the archive contained criminal data, noting that USDoD had leaked 70 million such records via the dark web in May.

There are 134 million unique email addresses in the latest NPD breach, Hunt said. And according to statistics from Atlas Data Privacy, there are 272 million unique SSNs in the stolen collection, most of them with a name and address, and about a quarter of the time a phone number. The average age, interestingly, is 70.

It was also previously speculated that the database mainly includes people living in the United States. Some of them are British or Canadian, for example. That is why these citizens ended up in the archive.

People should also beware of criminals using this info in phishing attempts. Also think about this leak the next time you see organizations (like this one) using your name, address, and social security numbers for identification purposes, or if you are ever asked to build a system using that info as input.

Finally, as we previously reported, people who use a data opt-out service to keep their data out of databases, such as NPD’s, have found that their data was not in the leaked data. So on that basis, those services do work. ®