In August 2024, a massive breach at National Public Data (NPD) exposed approximately 2.9 billion rows of data, affecting an estimated 800 million individuals. The leaked dataset included full names, Social Security numbers, mailing addresses, email addresses, and phone numbers going back at least three decades.
This was not a breach of an account you signed up for. NPD is a data broker that aggregates public records, court filings, and other databases to sell background check information. Most people affected had no idea NPD even had their data.
What was exposed
The breach contained records with the following fields:
- Full legal name and known aliases
- Social Security number
- Current and previous mailing addresses (sometimes going back 20+ years)
- Phone numbers
- Email addresses
- Dates of birth
- Relatives and known associates
The data was initially offered for sale on dark web forums for $3.5 million and was later leaked for free in its entirety.
How to check if you were affected
Several services have indexed the breach data to let you check your exposure:
- npd.pentester.com - A free lookup tool that checks your name, state, and birth year against the leaked dataset. It shows which records matched and what data was included.
- Have I Been Pwned (haveibeenpwned.com) - Troy Hunt added the NPD breach to his database. Enter your email address to see if it appeared in this or any other breach.
- Mozilla Monitor - A free service from Mozilla that checks your email against known breaches and sends alerts for new ones.
What to do if you were exposed
If your Social Security number was in this breach (and statistically, it probably was if you are a US resident), take these steps:
1. Freeze your credit at all three bureaus
This is the single most important step. A credit freeze prevents anyone from opening new accounts in your name. It is free and takes about 10 minutes per bureau:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
You will receive a PIN for each freeze. Store these PINs securely in your password manager. You will need them to temporarily lift the freeze when you legitimately apply for credit.
2. Set up fraud alerts
Place an initial fraud alert at one bureau (it propagates to the other two). This requires creditors to verify your identity before opening new accounts. It lasts one year and can be renewed.
3. Monitor your financial accounts
Review your bank and credit card statements for unauthorized activity. Set up transaction alerts so you are notified of any new charges in real time.
4. File an IRS Identity Protection PIN
Request an IP PIN from the IRS at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. This prevents someone from filing a fraudulent tax return using your SSN.
5. Be vigilant about phishing
Breaches like this fuel highly targeted phishing campaigns. Attackers now have your address, phone, and SSN, which makes their scam emails and calls much more convincing. Be skeptical of any unsolicited contact that references personal details, even if the details are accurate.
The bigger picture
The NPD breach is a reminder that your personal data exists in databases you never consented to. Data brokers operate in a regulatory gray area, and breaches like this expose the real cost of that model. While you cannot undo the exposure, you can take defensive steps to limit the damage. Freezing your credit is by far the highest-impact action most people can take.