Since April, a hacker with a history of selling stolen data has claimed a data breach of billions of records — impacting at least 300 million people — from a U.S. data broker, which would make it one of the largest alleged data breaches of the year.
The data, seen by TechCrunch, on its own appears partly legitimate — if imperfect. The stolen data, which was advertised on a known cybercrime forum, allegedly dates back years and includes U.S. citizens’ full names, their home address history, and Social Security numbers — data that is widely available for sale by data brokers.
But confirming the source of the alleged data theft has proven inconclusive, such is the nature of the data broker industry, which gobbles up individuals’ personal data from disparate sources with little to no quality control.
The alleged data broker in question, according to the hacker, is National Public Data, which bills itself as “one of the biggest providers of public records on the Internet.”
On its official website, National Public Data claimed to sell access to several databases: a “People Finder” one where customers can search by Social Security number, name and date of birth, address, or telephone number; a database of U.S. consumer data “covering over 250 million individuals;” a database containing voter registration data that contains information on 100 million U.S. citizens; a criminal records one, and several more.
Malware research group vx-underground said on X (formerly Twitter) that they reviewed the whole stolen database and could “confirm the data present in it is real and accurate.”
“We searched up several individuals who consented to having their information looked up,” the group wrote, adding that they were able to find those people’s information, including names, address history going back more than three decades, and Social Security numbers.
“It also allowed us to find their parents, and nearest siblings. We were able to identify someones [sic] parents, deceased relatives, Uncles, Aunts, and Cousins,” vx-underground wrote.
TechCrunch made similar efforts to verify the authenticity of the data, with mixed results.
Contact Us
Do you have more information about this incident, or similar incidents? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also reach out to Zulkarnain Saer Khan on Signal at +36707723819, or on X @ZulkarnainSaer. You also can contact TechCrunch via SecureDrop.
In our review of a smaller sample of five million records, we found reams of names and addresses that match corresponding public records, but also some data that doesn’t always make sense — like email addresses with different names that have no apparent bearing on the rest of the associated individual’s data. Some records contained alleged information about known high-profile individuals, including the personal data of a former U.S. president.
TechCrunch provided USDoD, the hacker who is selling the data, with the names of eight people who gave their consent, in an attempt to verify that the hacker actually has legitimate data. The hacker did not return any data for the eight people.
TechCrunch also reached out to a hundred people whose numbers and emails were in the sample. Only one person responded, and confirmed that part of his alleged stolen data was accurate, but not all.
Going straight to the alleged source of the data theft didn’t answer much either.
Despite several attempts to contact the company, National Public Data has not responded, and neither has its founder and CEO Salvatore Verini. After TechCrunch first reached out to National Public Data last week, the company took down its website pages that included details on the databases it sells access to.
Not all data breaches claimed by hackers, especially those advertised on hacking forums, turn out to be real. That’s why TechCrunch and other cybersecurity reporters often spend considerable amounts of time trying to verify a data breach, efforts that sometimes end up with inconclusive results.
But this alleged breach of a data broker appears to be an outlier, in part because some of the data appears genuine and some already verified.
The proliferation and commoditization of personal data across the data broker industry also makes it more challenging to identify the source of data leaks. And even if this particular data breach remains unsolved, it shows once more that the data broker industry is out of control and poses real privacy issues to ordinary people.
We couldn’t definitively solve the mystery of this data breach, but there was enough there to detail our verification efforts. One thing is clear. As long as data brokers collect personal information, there remains a risk that the data will get out.