ST. PETERSBURG, Fla. — Reports are circulating of a major data breach that could impact nearly three billion people globally.
The information allegedly at risk includes Social Security numbers, names and addresses, according to Bloomberg Law, which was the first to report it. A subsequent headline from the Los Angeles Times reads, “Hackers may have stolen the Social Security numbers of every American.”
An Aug. 14 X post with more than 8.5 million views made similar claims that the personal information of nearly every American may have been compromised.
Data from Google Trends shows a spike in U.S. searches for "social security breach."
Multiple viewers have asked if it’s true that their personal information is now at risk. Here’s what we can VERIFY.
THE SOURCES
- National Public Data
- Class-action lawsuit filed in U.S. District Court for the Southern District of Florida
- McAfee, information security company
- National Cybersecurity Alliance
- U.S. Public Information Research Group (PIRG), a non-profit consumer watchdog
- Social Security Administration
WHAT WE FOUND
Editor's note: This story has been updated on Aug. 16 with new information since initial publication, including a statement from National Public Data.
Initial reports of the alleged breach stem from a class-action complaint filed in Florida.
The complaint filed Aug. 1 in U.S. District Court for the Southern District of Florida alleges hackers gained access to the personal information of “billions of individuals” from a company called National Public Data (NPD).
National Public Data is a background check company based in Coral Springs, Fla.
California resident Christopher Hofmann filed the complaint. He claims his identity theft protection service notified him his personal information had been compromised by the "nationalpublicdata.com" breach.
The complaint claims the exposed information includes Social Security numbers, past and current addresses, names, and information about parents and siblings – the kind of sensitive data that could allow a scammer to take a loan in your name or gain access to your banking information, cybersecurity experts warn.
Top Class Actions says at least two more class-action lawsuits have also been filed against National Public Data concerning the same data breach.
When did the breach happen?
In an update posted to its website, National Public Data said the hack happened in late December 2023, and certain data was then leaked beginning in April 2024.
A Social Security Administration (SSA) spokesperson said in an email that “recent reports related to a data breach are unrelated to the Social Security Administration’s internal systems and data, neither of which has been compromised.”
The complaint alleges a cybercriminal group named USDoD gained access to National Public Data’s network and then published and sold it on the dark web.
USDoD posted a database on a dark web forum on April 8, claiming to have the personal data of 2.9 billion people from countries around the world, according to the complaint.
It was asking for a purchase price of $3.5 million, the lawsuit claims.
To be clear, USDoD has no affiliation with the United States Department of Defense, which is commonly referred to by the acronym "DoD."
What does National Public Data say?
The company acknowledged the breach in a "security incident" update posted to its website stating, "information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es)."
National Public Data did not respond directly to VERIFY’s request for comment.
"We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you," the company said on its website. "We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."
Some states require companies to report data breaches to their attorneys general offices. However, information security company McAfee said on Aug. 14 that it had not found any filings related to the breach.
Florida law requires companies to file notices of any data breach that impacts 500 or more Floridians. The Office of Florida's Attorney General told VERIFY on Aug. 15 that it was aware of the reported breach but had not yet received any notice from NPD.
How can I protect myself?
While the true scope of the breach remains unclear, it’s recommended you freeze your credit if you suspect your Social Security number or other important information about you has been compromised.
Freezing your credit can block bad actors from taking out a loan or opening a new credit card in your name.
It’s free to freeze your credit with the three major credit bureaus, Equifax, Experian and TransUnion, according to the U.S. Public Information Research Group (PIRG), a nonprofit consumer watchdog.
But PIRG warns never to freeze your credit in response to an unsolicited email or text claiming to be from one of the credit agencies – because it could be a scam.
Freezing your credit will limit access to your credit reports, notes the National Cybersecurity Alliance, and you’ll have to remember to unfreeze your credit if you’re applying for a new credit card or mortgage.
You can freeze your accounts with the three major credit bureaus by phone or online:
Freezing your credit does not directly increase or decrease your credit score, according to PIRG.
You can also sign up for a tracking service that will alert you if your data appears on the dark web through services provided by companies like Norton and Google One.
If you suspect you are a victim of identity theft, the Social Security Administration recommends:
- Contacting the Federal Trade Commission at www.idtheft.gov, or call 1-877-IDTHEFT (1-877-438-4338); TTY 1-866-653-4261,
- Filing a police report with the police department where the identity theft took place and keeping a copy of the police report as proof of the crime,
- Contacting the fraud unit of one of the three consumer reporting companies
- Reporting Social Security scams online at oig.ssa.gov
CBS News and VERIFY's Erin Jones and Ariane Datil contributed to this report.