/

A background-checking company has confirmed it suffered a data breach, months after hackers started advertising stolen files with billions of lines of personal information.

By Umar Shakir, a news writer fond of the electric vehicle lifestyle and things that plug in via USB-C. He spent over 15 years in IT support before joining The Verge.

A laptop surrounded by green and pink message boxes that say “warning.”

Photo by Amelia Holowaty Krales / The Verge

National Public Data (NPD), a company that resells collected personal data for background checks, has confirmed that a data breach leaked names, Social Security numbers, physical addresses, and more. As reported by Bleeping Computer, dark web forum posters have advertised and shared supposedly stolen data from a breach of the company’s systems for months without a statement or response from NPD.

Finally, this week, it published a Security Incident page confirming a few details but leaving many other questions unanswered.

The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.

The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).

The massive leak reportedly included 2.9 billion rows of data for a still-unknown number of people, and analysis of files posted to hacking forums by Have I Been Pwned operator Troy Hunt showed inconsistencies in how the data is linked to specific people.

NPD says it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you.”

Its website does not report how many people have been affected, offer any compensation to the people whose information has been linked, or provide any avenues of direct contact for more information. It warns people to keep an eye on their credit reports, but that’s just about it.