A new breach – one of the biggest in history – has potentially compromised the personal information of 2.9 billion records. Just by itself, this breach is bigger than all the breaches in the first half of 2024 and could rival the 2013 Yahoo! breach, which compromised the data of 3 billion records.
And while what hackers accessed and are selling on the Dark Web is not unique and has been available in criminal marketplaces for years -- every American’s Social Security number, addresses, for example -- it magnifies how easy it is to access the level of personal information we hold dear.
What happened
Identity Theft Resource Center Chief Operating Officer, James E. Lee, told ConsumerAffairs that what's different is the way we learned of the breach: through a lawsuit, not a state-mandated data breach notice. Typically in data breaches -- like what Ticketmaster and AT&T suffered -- those companies proactively communicate what happened directly to their customers.
The tentacles of this go back to April 2024 when an infamous hacking group known as USDoD claimed to have stolen these personal records from National Public Data (NPD) – a company that provides background check services to employers, investigators, and other businesses. USDoD offered the whole database for sale to the tune of $3.5 million. A version of the stolen data was later leaked for free on a dark web forum, according to Bleeping Computer.
As of now, there have been no formal notifications or warnings from NPD to the public, nor have there been any filings with state attorneys general, which some states require following data breaches. That means darn near every one of us has been left hanging for close to four months.
Were you lucky or unlucky?
The lawsuit said that the database does not contain information from individuals who use data opt-out services – for example, when you visit a website and click on the box saying that you do not want e-mails, pop-ups, or be included in the site's analytics.
The lawsuit claims that people who did not use data opt-out services and lived in the U.S. were immediately found. The records reportedly showed their:
First name
Last name
Address
Address history (3 decades+)
Social Security number
And allowed anyone looking at the database to also find:
Their parent
Their nearest siblings
Deceased relatives
Uncles, aunts, and cousins
Don’t let this happen to you
Because this data has been circulating for years, Lee says the steps people should take are the same habits they should have already adopted as part of good cyber hygiene:
Freeze your credit. It’s the only action that can stop an identity criminal from accessing your credit. The credit and identity monitoring you buy or get due to a data breach are helpful in telling you what happened, but cannot stop anything from happening.
ConsumerAffairs theft protection experts also suggest enrolling in a credit monitoring service. It can also alert you if your information appears on the dark web or if there are unusual activities in your accounts.
Make sure you have a different password on every account – no reusing the same or similar passwords on each account.
Use a password manager to help create and keep track of passwords. The password manager built into your browser is fine for most people, but you can always pay for one if you want. Apple is also about to launch a stand-alone password manager as an app.
"Better yet, create passkeys whenever they are available for your mobile devices. They are far more secure than a password," Lee suggests.
Make sure you use multifactor authentication (MFA) when available. "Ask any business where you have a relationship why they don’t offer MFA if it’s not available (and be prepared to go elsewhere if you don’t like the answer)," commented Lee.