In a significant breach, a hacker has leaked more than 4 billion user records from NationalPublicData (NPD) and Tencent, marking one of the largest data breaches in recent history.
The stolen data, now circulating on the web, includes 2.7 billion records from NPD and another 1.4 billion from Tencent, exposing sensitive information of billions of individuals across the globe.
NationalPublicData info now public
The leaks were publicized by a threat actor known as “Fenice” on the Breached hacking forums. The NPD data breach, first disclosed on August 6, 2024, consists of 2.7 billion records with details like full names, addresses, Social Security numbers, and dates of birth. The data, amounting to 277 GB in uncompressed CSV files, was allegedly breached by a hacker identified as “SXUL.”
The files were made available for free download on the popular hacker forum, raising concerns about the potential for widespread identity theft and fraud.
NationalPublicData, also known as Jerico Pictures Inc., is a company specializing in collecting and selling access to personal data for background checks and related services. The breach, initially hinted at by a court document in a class action lawsuit filed on August 1, 2024, involves the exposure of personal data that NPD had amassed from various sources.
According to Bloomberg, the lawsuit alleges that nearly 3 billion individuals' data was compromised in the breach, making it one of the largest ever reported.
According to BleepingComputer, the data includes multiple records for individuals, often associated with different addresses, which could explain the massive size of the dataset despite the number of unique individuals being smaller. BleepingComputer confirmed the validity of the leaked NPD data, noting that it likely includes outdated information and contains inaccuracies, such as mismatched Social Security numbers.
Tencent claimed as breached too
On August 11, 2024, Fenice revealed another massive data leak, this time from Tencent, a Chinese multinational conglomerate known for its popular social media platforms and digital services.
The Tencent breach involves 1.4 billion records compressed into a 44 GB file, which expands to 500 GB when uncompressed. The leaked data includes email addresses, mobile phone numbers, and QQ IDs, which are widely used in China. This breach is especially alarming given Tencent's massive user base, which includes millions of individuals across various platforms.
Tencent, a major player in the global tech industry, operates some of the world's largest social media and messaging platforms, including WeChat and QQ. The company is deeply integrated into the digital lives of Chinese users, and its services span gaming, payments, and cloud computing. The breach of 1.4 billion records could have far-reaching consequences, potentially compromising the privacy and security of millions of users.
CyberInsider has contacted Tencent to ask about the validity of the threat actor's claims, but we are still waiting for a response. Though the leaked data has not be verified as authentic, the confirmation of NPD breach increases the likelihood of the Tencent allegations being truthful as well.
The leak of these records, now freely accessible on the internet, poses severe risks to the affected individuals. The data could be used for identity theft, phishing campaigns, and other malicious activities. The NPD breach is particularly concerning due to the inclusion of Social Security numbers, which are a critical component in the identification of U.S. residents. The scale of these breaches has already prompted class action lawsuits against Jerico Pictures Inc., accusing the company of negligence and failing to protect personal data adequately.
Individuals are advised to monitor their credit reports for suspicious activity, place fraud alerts on their financial accounts, and remain vigilant against phishing attempts. As the data continues to circulate, the true extent of the damage remains to be seen, but the potential for exploitation is vast.
NowWhat
I got nothing but a notification from I’vebeenpawned from any financial institutions. Information on what NPD actual do and who are their customers remains a mystery.