It is now being widely reported that a member of a notorious hacking group has released sensitive personal information four months after compromising a major data broker.
The group, USDoD, claimed it stole over 2.9 billion records of personal information from Americans, including their Social Security numbers and physical addresses.
The breach, which includes Social Security numbers and other sensitive data, could power a raft of identity theft, fraud and other crimes, said Teresa Murray, consumer watchdog director for the U.S. Public Information Research Group.“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than prior breaches, Murray said in an interview. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data, which offers personal information to employers, private investigators, staffing agencies and others doing background checks.The group offered in a forum for hackers to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
It appears the breach occurred sometime this spring.
According to a class action lawsuit, NPD obtained the data without consent, and the breach occurred sometime in April 2024.The lawsuit alleges that “upon information and belief” USDoD was “able to exfiltrate the unencrypted PII of billions of individuals” and that the personal information was “published, offered for sale and sold on the Dark Web by cybercriminals.”
In terms of the lawsuit, the issue is that the data the firm collected was scraped from other websites and “non-public sources” without the knowledge of the people whose data was being gathered.
The lead plaintiff in the lawsuit, a California man, was only made aware his data had been compromised when he was contacted by his identity-theft protection agency on 24 July, months after the data had been offered for sale on a popular clear web hacking forum.While the initial post is no longer live – the forum in question had been seized by the FBI in the interim – the details of USDoD’s claims are still recorded by threat-tracking service Falcon Feeds.“Hello… I’m proud to say that I got access to the biggest database ever,” USDoD said in a 7 April post.“This is the entire population of the USA.”The data for sale, according to USDoD, was collected between 2019 and 2024, and while we do now know the full extent of the breach, at the time, the threat actor only said that the data consisted of “300+ million rows”.“I’m selling the whole database,” USDoD said. “We will use official middleman from forum.”
Security professionals offer suggestions on how Americans can protect themselves from identity theft.
People should monitor their credit reports for possible fraudulent activity on their accounts and notify credit bureaus Experian, Equifax, and TransUnion if something looks suspicious.Consumers can ask the credit bureaus to place a freeze on their credit accounts by phone or email to prevent anyone from opening a bank account and taking out a loan or obtaining a credit card under your name.There is also a service that monitors your accounts and the dark web to protect you from identity theft, the Los Angeles Times noted.It is also good to manage your passwords and to use two-factor authentication for the passwords. You should avoid using the same login information for different services and make sure to routinely change your password on your accounts.
2024 keeps on getting more and more disturbing.
CLICK HERE FOR FULL VERSION OF THIS STORY