Since April, a hacker with a history of selling stolen data has claimed a data breach of billions of records affecting at least 300 million people from a US data broker, making it one of the year’s greatest reported data breaches.

The data, as seen by TechCrunch, looks to be somewhat authentic – albeit imprecise. The stolen data, which was sold on a well-known cybercrime site, purportedly stretches back years and contains U.S. persons’ full names, home address histories, and Social Security numbers – information that data brokers frequently sell.

However, determining the source of the alleged data theft has been difficult; this is due to the nature of the data broker sector, which collects personal information from a variety of sources with little or no quality control.

READ MORE: The Zero-Click Era Requires Interesting Data Partnerships.

According to the hacker, the purported data broker is National Public Data, which claims to be “one of the biggest providers of public records on the Internet.”

On its official website, National Public Data claimed to sell access to several databases: a “People Finder” where customers can search by Social Security number, name and date of birth, address, or telephone number; a database of U.S. consumer data “covering over 250 million individuals;” a database containing voter registration data that contains information on 100 million U.S. citizens; a criminal records database, and several others.

The malware research organization vx-underground announced on X (previously Twitter) that they had evaluated the whole stolen information and could “confirm the data present in it is real and accurate.”

“We searched up several individuals who consented to having their information looked up,” the organization wrote, adding that they were able to locate those people’s information, including names, address histories dating back more than three decades, and Social Security numbers.

“It also helped us find their parents and nearest siblings. We were able to identify someone’s (sic) parents, deceased relatives, uncles, aunts, and cousins,” vx-underground stated.

READ MORE: Metrics And Measurement: The Data Behind CTV Integration With Digital Media

In our review of a smaller sample of five million records, we discovered reams of names and addresses that match corresponding public records, as well as some data that doesn’t always make sense, such as email addresses with different names that have no obvious bearing on the rest of the associated individual’s data. Some documents contained alleged information about well-known individuals, including a former US president’s personal information.

TechCrunch provided USDoD, the hacker selling the data, with the identities of eight persons who granted their authorization in an attempt to confirm that the hacker indeed has legitimate data. The hacker did not return any information for the eight individuals.

TechCrunch also contacted a hundred people whose phone numbers and email addresses were in the sample. Only one guy answered, confirming that some of his supposed stolen data was correct, but not all.

Going straight to the claimed source of the data theft yielded little information.

READ MORE: ChatGPT Now Maintains Chat History, Even If You Have Opted Out Of Sharing Training Data

Despite many attempts to reach the company, neither National Public Data nor its founder and CEO, Salvatore Verini, have answered. After TechCrunch contacted National Public Data last week, the company removed sections from its website that contained information about the databases to which it sells access.

Not all data breaches alleged by hackers, particularly those published on hacking forums, are legitimate. That’s why TechCrunch and other cybersecurity reporters frequently spend significant amounts of time attempting to verify a data leak, which can occasionally yield inconclusive results.

However, this purported breach by a data broker looks to be an exception, in part because some of the material appears legitimate and has already been confirmed.

The expansion and commoditization of personal data in the data broker sector also makes it more difficult to pinpoint the source of data breaches. Even if this particular data breach goes uncovered, it demonstrates once again that the data broker sector is out of control and poses serious privacy risks to ordinary citizens.

We couldn’t completely solve the mystery of this data leak, but there was enough information to document our verification efforts. One thing is evident. As long as data brokers collect personal information, there is a chance that the data will leak.

Source