Earlier in August, Christopher Hoffman filed a lawsuit against Jerico Pictures Inc., the company that operates the NPD service, on behalf of the others affected. In the lawsuit, Hoffman accused the company of leaving about 2.9 billion records of sensitive personal data unencrypted and vulnerable to unauthorized access.
According to the complaint, a cybercrime organization known as "USDoD" allegedly infiltrated NPD’s systems in late December 2023.
The hackers reportedly began leaking data in April 2024, with further leaks occurring throughout the summer. The compromised data includes Social Security numbers, mailing addresses, email addresses, phone numbers and other personally identifiable information covering the last three decades.
The lawsuit, filed in the United States District Court for the Southern District of Florida, also alleges that many of those affected were not customers of NPD. Their information was allegedly "scraped" by third parties and shared with the company without their consent. The database was then put up for sale on the dark web for $3.5 million.
In line with this, the NPD published several statements admitting to the data breach.
In a notice published by the Office of the Maine Attorney General on Aug. 17, the NPD disclosed that 1.3 million people, including over 2,000 residents of Maine, were affected by the breach. Before that, the NPD also released an undated statement on its website to acknowledge the breach and advise consumers to mitigate potential harm associated with the unauthorized use of Social Security numbers. Additionally, the NPD sent letters on Aug. 10 to notify affected consumers of the breach and advise them to take steps to protect their financial information.
NPD recommended that individuals contact the three major U.S. credit reporting agencies – Equifax, TransUnion and Experian – to obtain a free credit report and consider placing a fraud alert on their credit files.
Troy Hunt, the founder of the "Have I Been Pwned" (HIBP) service, tried to downplay the hacking. Hunt stated that one version of the leaked database contained 134 million unique email addresses. He also revealed discrepancies within the data, including incorrect associations between names and dates of birth, as well as outdated addresses.
These findings mirror his own experience, as he discovered one of his email addresses is associated with two different birthdates, neither of which is correct.
Similarly, BleepingComputer, a cybersecurity news platform, discovered that access to the NPD's official statement regarding the breach has been blocked for IP addresses in various U.S. regions and even outside the country. Tests conducted by BleepingComputer found that some individuals were linked to incorrect names, and in some cases, outdated addresses were listed. In other words, not all of the information in the leak appears to be accurate.
But many of the victims also confirmed the accuracy of the records included in the compromised data. The data even includes information about deceased individuals.