A massive data breach has Americans worried about their private info getting into the wrong hands, but a pair of newly released websites could make it easier to find out if you’re affected.
The breach concerns a little-known company called National Public Data, which performs background checks on US residents. Last week, the company finally confirmed that hackers stole a large database containing records on people’s names, addresses, and Social Security numbers. Making matters worse is that the database has been freely circulating on an internet forum for cybercriminals and fraudsters to download.
The First Site: Atlas Privacy
Initially, it wasn’t easy to see if your personal information was ensnared in the breach since the stolen database is 277GB. But New Jersey-based Atlas Privacy Data Corporation has created npdbreach.com, which can flag if your Social Security, phone number, or full name and ZIP code are in the archive. The site also doesn’t store any user searches.
(Credit: Atlas Privacy)
Atlas, which helps people remove their personal data from the internet, has also been analyzing the leak and found it contains 272 million unique Social Security numbers from US residents, along with 600 million phone numbers. “This is very similar to the Equifax breach of 2017, but it’s twice as big,” says Arnaud de Saint Méloir, a software engineer and researcher at Atlas.
“Most of the time, when Social Security numbers are sold on the dark web, they are sold to a single customer,” he added. “Now 272 million leaked. This will definitely be used for identity theft and spammers.”
In addition, about 20% of the records in the database appear to be legitimate, according to Atlas, which has been cross-referencing the details in the leak with records found in other breaches.
That said, the information from the National Public Data leak likely impacts older Americans more than younger adults since the average age of the people contained in the database is 70. Another 2 million people in the database are also over 120 years old, an indicator that some of the information belongs to the deceased. Meanwhile, all the records appear to belong to people born before Jan. 1, 2002, added Atlas Privacy’s Chief Strategy Officer Zack Ganot.
Not all the information in the database is accurate either. Ganot noted the archive didn’t have the correct details on himself. Still, others might be shocked to see highly accurate records in the database, including their correct date of birth, Social Security number, and historic mailing addresses going back to at least the 1990s.
“We can’t really pretend anymore that Social Security numbers are private anymore,” Ganot said. “This is just another nail in the coffin. There have been so many breaches out there, every Social Security number is likely out there.”
(Credit: Douglas Sacha via Getty Images)
It’s not entirely clear how National Public Data collected so many Social Security numbers. But the company’s website previously said it tapped over 20 different sources, including voter registration data, criminal records, marriage and divorce records, along with “White Pages/Yellow Pages” to build its database. Ganot also speculates National Public Data had been retrieving credit files on US consumers to help uncover people’s Social Security numbers.
“Many times you can pull a credit header,” he said. “It will either have a full Social Security number, or it’ll have a partial Social Security number. But the way it works, if you pull two or three of them, the first [report] will block out the first four digits, the next one will block out the last four digits. And we know companies harvest this stuff to just put it all together.”
The Second Site: Pentester
A second cybersecurity company called Pentester also created a website at npd.pentester.com to help users see if they’re impacted. For better or worse, though, the site will reveal a user’s redacted Social Security number and date of birth, along with the full address and phone number record. On the plus side, this makes the site more helpful in discovering whether your friends or family members were ensnared in the hack. But on the downside, the site can easily expose phone numbers and address data for random users.
(Credit: Pentester.com)
Pentester took this approach “to give individuals enough context to verify if the data belongs to them without exposing the full sensitive information.”
Recommended by Our Editors
Hackers Steal 'Billions' of Social Security Numbers: How to Protect Yourself
Zero-Day Windows Bug Linked to North Korean Hacking Group Lazarus
Chinese Hacking Group Compromised an ISP To Spread Malware
“There are many duplicates as you can imagine,” Pentester told PCMag. “We understand the delicate balance between providing useful information and protecting privacy. The data shown is carefully limited to ensure users can identify their own information while minimizing the risk of further exposure. The only other option would be for people to enter their full SSN, which most are not comfortable inputting on a website. There are also many instances where the SSN is incorrect, but other information is accurate.”
In the meantime, Atlas says the breach at National Public Data underscores the need for the US to rein in the data broker industry, which has long been monetizing people’s personal data at the expense of security.
“The long-term effect of this will be devastating,” Ganot said. That’s because Social Security numbers are often used in conjunction with a date of birth to apply for loans and credit cards. Now fraudsters have a source to commit identity theft on millions of Americans.
"We're going to continue to see things like this until regulators take this stuff more seriously," he added.
To protect yourself, you should consider placing a no-cost credit freeze and fraud alert at the three major credit bureaus, Equifax, Experian and TransUnion. Doing so can prevent criminals from opening a new financial account or loan in your name.Users can also consider registering for anti-identity theft software.
National Public Data hasn’t explained how the company was breached. But this past weekend, the company notified Maine’s Attorney General about the incident. Surprisingly though, the company says only 1.3 million users had their data leaked through the breach.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.
Read Michael's full bio
Read the latest from Michael Kan
- Microsoft 'Security Summit' to Discuss Avoiding Another CrowdStrike Debacle
- Feds: This Service Used Algorithms to Help Landlords Collude, Hike Rents
- Cyberattack Hits Major Oil Company Halliburton, Forcing Some Systems Offline
- Trump Teases Launch of His Own Cryptocurrency Platform
- More from Michael Kan
