The mystery of an alleged data breach by a data broker

Since April, a hacker seeking to sell stolen data has reported a breach of billions of records – affecting at least 300 million people – from a US data broker, making it one of the largest alleged data breaches of the year.

The data seen by TechCrunch itself appears partially valid, if imperfect. The stolen data, touted on a prominent cybercrime forum, allegedly dates back years and includes US citizens’ names, home address histories and Social Security numbers – data that is widely available for sale by data brokers.

However, efforts to confirm the source of the alleged data theft have proven inconclusive. Such is the nature of the data broker industry, which devours individuals’ personal information from a variety of sources with little or no quality control.

According to the hacker, the alleged data broker is National Public Data, which bills itself as “one of the largest providers of public records on the Internet.”

On its official website, National Public Data claimed to offer access to several databases: “People Finder”, where customers could search by Social Security number, name and date of birth, address or telephone number; a database of U.S. consumer data “covering more than 250 million people”; a voter registration database containing information on 100 million U.S. citizens; a criminal records database; and several others.

Malware research group vx-underground said on X (previously Twitter) that it has reviewed the entire stolen database and can “confirm that the data contained therein is true and accurate.”

“We searched several people who consented to having their records checked,” the group wrote, adding that they were able to find information about the people, including names, address histories dating back more than three decades and Social Security numbers.

“Thanks to this, we also managed to find their parents and closest siblings. We managed to identify someone’s (sic!) parents, deceased relatives, uncles, aunts and cousins,” wrote vx-underground.

TechCrunch made similar efforts to verify the authenticity of the data, with mixed results.

Contact us

Do you have more information about this or similar incidents? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely via Signal on +1 917 257 1382, via Telegram, Keybase and Wire @lorenzofb or email. You can also contact Zulkarnain Saer Khan on +36707723819 or X @ZulkarnainSaer. You can also contact TechCrunch via SecureDrop.

In our review of a smaller sample of five million records, we found plenty of names and addresses matching the relevant public records, but also some data that doesn’t always make sense – for example, email addresses with different names that have no apparent bearing on the rest of the associated person’s data. Some of the files contained alleged information about famous celebrities, including the personal details of a former US president.

TechCrunch provided USDoD, the hacker selling the data, with the names of eight consenting individuals in order to verify whether the hacker actually had legitimate data. The hacker did not return any data on the eight people.

TechCrunch also contacted 100 people whose numbers and email addresses were included in the sample. Only one person responded and confirmed that some, but not all, of the allegedly stolen data was accurate.

Going directly to the alleged source of the data theft also did not provide many answers.

Despite several attempts to contact the company, National Public Data did not respond, nor did its founder and CEO Salvatore Verini. After TechCrunch first contacted National Public Data last week, the company took down websites that provided details about the databases it sells access to.

Not all data breaches reported by hackers, especially those advertised on hacker forums, turn out to be true. That’s why TechCrunch and other cybersecurity reporters often spend a significant amount of time trying to verify data breaches, sometimes with inconclusive results.

This alleged data broker breach seems out of the ordinary, however, in part because some of the data appears to be authentic and others have already verified it.

The proliferation and commoditization of personal data in the data broker industry also makes it difficult to identify the source of data leaks. Even if this particular data breach remains unresolved, it shows once again that the data broker industry is out of control and creating real privacy issues for ordinary people.

We couldn’t definitively solve the mystery of this data breach, but there was enough information to detail our verification efforts. One thing is clear. As long as data brokers continue to collect personal data, there is a risk that the data will be exposed.