Were three billion people's details leaked online last week? This top security expert isn't so sure
Troy Hunt casts doubt on authenticity of NPD breach
Top background check company National Public Data was recently hit by a class action lawsuit which claimed the personal data of almost three billion people was leaked online.
A cyber criminal group known as ASDoD listed the database for sale online at $3.5 million, but there is no evidence that anyone has yet paid the sum.
If confirmed, this could be one of the biggest data breaches on record - or could it? Troy Hunt, one of the most renowned security experts around, and the founder of breach site HaveIBeenPwned, looked into the breach and found much of the information surrounding the incident didn’t appear to add up.
Did ASDoD bump up the numbers?
Firstly, Hunt points out, the initial post of the database on the dark web stated that it contained 2.9 billion rows of data, and that it covered the entire population of the USA, Canada, and the UK - which, at last count, don’t have a combined population of 2.9 billion.
ASDoD also stated the database contained social security numbers (SSN), which, Hunt points out “are a rather American construct with Canada having SINs (Social Insurance Number) and the UK having, well, NI (National Insurance) numbers are probably the closest equivalent.”
Secondly, the ASDoD post claimed the database is 200GB compressed, which expands out to 4TB uncompressed, but when verified by Hunt and cybersecurity repository vx-underground, the total file size only totaled 277.1GB uncompressed. What’s more, when checking to see if the database contained verifiable data and SSNs, Hunt found that the first six rows were the same person, just with the first name and last name alternated, and listed at different addresses in the same city.
Taking a larger sample of the data, Hunt found that out of a 100 million row sample, just 31% contained a unique SSN. This does mean that a significant amount of the data contains the legitimate personal information and SSNs of thousands of victims, but the scale may be slightly less than 2.9 billion people; instead, it is just 2.9 billion rows of duplicated data.
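The kind of check described above can be sketched in a few lines of Python. This is an added example, not Hunt's own tooling: the column names and sample rows are constructed (the SSNs use the invalid 000 area), and "unique SSN" is assumed to mean distinct SSNs divided by total rows.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, not taken from the real dump. Column names are assumptions.
SAMPLE = """firstname,lastname,address,city,ssn
Jane,Doe,12 Oak St,Springfield,000-00-0001
Doe,Jane,48 Elm Ave,Springfield,000-00-0001
Jane,Doe,7 Pine Rd,Springfield,000-00-0001
John,Roe,3 Main St,Shelbyville,000-00-0002
Roe,John,3 Main St,Shelbyville,000-00-0002
Ann,Poe,9 Lake Dr,Ogdenville,000-00-0003
"""

def normalise_ssn(raw):
    """Strip punctuation; return None unless exactly nine digits remain."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits if len(digits) == 9 else None

def analyse(rows):
    """Measure how many rows share an SSN and how many SSNs appear
    with the first and last name swapped between rows."""
    by_ssn = defaultdict(list)
    total = 0
    for row in rows:
        total += 1
        ssn = normalise_ssn(row["ssn"])
        if ssn is not None:
            by_ssn[ssn].append(row)
    swapped = 0
    for group in by_ssn.values():
        ordered = {(r["firstname"].strip().lower(), r["lastname"].strip().lower())
                   for r in group}
        unordered = {frozenset(pair) for pair in ordered}
        # More ordered pairs than unordered ones means a name appears both ways round.
        if len(ordered) > len(unordered):
            swapped += 1
    return {
        "rows": total,
        "distinct_ssns": len(by_ssn),
        "distinct_ratio": len(by_ssn) / total if total else 0.0,
        "ssns_with_swapped_names": swapped,
        "max_rows_per_ssn": max(map(len, by_ssn.values()), default=0),
    }

def analyse_sample():
    return analyse(csv.DictReader(io.StringIO(SAMPLE)))

if __name__ == "__main__":
    print(analyse_sample())
```

A low `distinct_ratio` together with a high `ssns_with_swapped_names` count indicates that the row count overstates the number of people in the data.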
Now as for whether the data was legitimate, Hunt ran into difficulties attributing the database to a single source because of how generic the data was. In Hunt’s words, “how many different places have your first and last name, address, SSN, etc?”
Curious, Hunt also searched to see if any of his own information had been included in the breach. His email showed up in 28 different rows, but without his own name, address, or correct date of birth, indicating that much of the data could be inaccurate and mismatched between victims.
Hunt speculates that the breach was so widely shared across social media and news outlets because of the initial legitimacy of SSNs in the first dump, with follow-up dumps of data being sucked into the hype of ‘the biggest data breach ever.’ Hunt also suggests that as NPD is a data brokerage, it could have syphoned a huge amount of publicly available data into the database before it was stolen.
Ultimately there are a number of possibly legitimate SSNs floating around, but the data contained within the breach shows that they may not be displayed with the correct names and addresses. However, there are 134 million email addresses in public circulation, which could be used for phishing or to target those without adequate identity theft protection.
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.