National Public Data Breach: Protect Yourself Now

Imagine someone photocopied every phone book in America, added Social Security numbers and home addresses, then left all 2.9 billion copies in an unlocked storage unit for anyone to grab. That's essentially what happened with National Public Data.

In August 2024, one of the largest data breaches in history exposed personal information on nearly every American adult—and millions of people in Canada and the UK. The stolen database didn't just leak online. It spread across hacking forums where criminals trade identity theft tools like baseball cards.

If you've ever had a background check, applied for a job, or simply existed with a Social Security number, your data is likely in this breach. Here's what you need to know and do right now.

The National Public Data breach explained

National Public Data (NPD), a background check company owned by Jerico Pictures Inc., scraped and aggregated public records from across the internet. They compiled billions of records containing names, addresses, Social Security numbers, and phone numbers—then sold access to this data.

In April 2024, a hacking group called USDoD claimed to have stolen the entire NPD database. By August, the data appeared on hacking forums as a free download. The breach included approximately 2.9 billion records spanning decades of accumulated information.

Here's what makes this breach different: NPD never asked for your consent to collect your data. You couldn't opt out. Most people had no idea this company even existed until their Social Security numbers started circulating on the dark web.

The company filed for bankruptcy in October 2024, leaving victims with few options for accountability or compensation. Multiple class-action lawsuits are pending, but legal remedies will take years—and won't put your Social Security number back in the box.

Key takeaway: This breach exposed information on virtually every American adult, including people who never directly interacted with National Public Data. The stolen data is now freely available to criminals worldwide.

What data was exposed in the NPD breach

The leaked database contains a toxic mix of personally identifiable information (PII) that criminals can use for identity theft, account takeovers, and synthetic identity fraud.

Confirmed exposed data includes:

• Full names (including maiden names and aliases)
• Social Security numbers (complete 9-digit SSNs)
• Current and historical addresses (dating back 30+ years in some cases)
• Phone numbers (landlines and mobile)
• Date of birth information
• Family member names and relationships

Security researchers who analyzed the leaked files found records dating back to the 1990s. If you've moved multiple times, the database likely contains every address you've lived at—creating a detailed map of your life that criminals can use to answer security questions or impersonate you convincingly.

Social Security numbers are the crown jewels here. Unlike passwords, you can't change your SSN. Once exposed, it remains a permanent vulnerability. Criminals use stolen SSNs to open credit cards, file fraudulent tax returns, obtain medical services, and create synthetic identities that blend real and fake information.

The breach also exposed relative information—names of parents, siblings, and children. This data helps criminals bypass "secret questions" like "What's your mother's maiden name?" or "What street did you grow up on?"

Key takeaway: The combination of SSNs with full addresses and family data gives criminals everything they need to commit sophisticated identity theft that can take years to detect and resolve.

How to check if your data was included

Assume you're in the breach. Seriously. With 2.9 billion records covering most American adults, the odds heavily favor your inclusion.

That said, you can verify your exposure through several free tools:

Have I Been Pwned (haveibeenpwned.com) added National Public Data to its database. Enter your email address to see if it appears in known breaches. This won't catch all NPD exposures since the breach primarily contains SSNs and addresses rather than emails, but it's a good starting point.

NPD Breach Check (npd.pentester.com) is a specialized tool created by security researcher Bob Diachenko specifically for this breach. Enter your name and birth year to see if your records appear in the leaked database. The tool displays partial SSN digits if found—enough to confirm exposure without revealing the full number publicly.

GhostMyData's free exposure check scans for your information across data broker sites where NPD data has already migrated. Our free exposure check searches 1,500+ data broker databases to show exactly where your personal information appears for sale right now.

One surprising fact that most people miss: Even if your specific record doesn't appear in the leaked database, that doesn't mean you're safe. Data brokers constantly aggregate information from multiple sources. The NPD breach data is already being merged with other datasets and sold on broker sites that you've never heard of.

Checking once isn't enough. Breached data gets repackaged and sold repeatedly. What doesn't appear today might surface tomorrow on a different broker site.

Key takeaway: Don't wait for confirmation to act. The breach is large enough that protective measures make sense for everyone, and verification tools can't catch every exposure as data spreads across broker networks.

Immediate steps to take right now

Time matters. The longer you wait, the more opportunity criminals have to monetize your data. Take these actions this week—not next month.

Step 1: Freeze your credit with all three bureaus

A credit freeze blocks new creditors from accessing your credit report, preventing criminals from opening accounts in your name. This is free and takes about 15 minutes total.

Contact each bureau directly:

• Equifax: equifax.com/personal/credit-report-services/credit-freeze (1-800-349-9960)
• Experian: experian.com/freeze/center.html (1-888-397-3742)
• TransUnion: transunion.com/credit-freeze (1-888-909-8872)

You'll receive a PIN or password to lift the freeze when you need to apply for credit legitimately. Don't skip any bureau—criminals will simply use whichever one you leave open.

Also freeze your reports with the two lesser-known bureaus that specialize in banking and rental screening:

• Innovis: innovis.com/securityFreeze (1-866-712-4546)
• ChexSystems: chexsystems.com/security-freeze (1-800-887-7289)

Step 2: Enable fraud alerts

While you're freezing credit, add a fraud alert to your reports. This requires creditors to verify your identity before opening new accounts. Unlike freezes, you only need to file with one bureau—they're required to notify the others.

Fraud alerts last one year and can be renewed. Extended fraud alerts (for confirmed identity theft victims) last seven years.

Step 3: Change passwords and enable two-factor authentication

If you've reused passwords across accounts, criminals can use your exposed personal information to answer password reset questions and take over accounts.

Prioritize these accounts:

• Financial institutions (banks, investment accounts, PayPal)
• Email accounts (which can reset everything else)
• Healthcare portals (medical identity theft is growing fast)
• Government accounts (IRS, Social Security, state benefits)

Enable two-factor authentication (2FA) everywhere possible, preferably using an authenticator app rather than SMS codes, which can be intercepted through SIM swapping attacks.

Step 4: File your taxes early

Tax refund fraud is one of the fastest ways criminals monetize stolen SSNs. They file fraudulent returns in your name, claim your refund, and disappear before you notice.

File your return as early as possible each year—ideally in January or February. If criminals file first, you'll face months of bureaucratic hell proving your identity to the IRS.

Can't file early? Request an Identity Protection PIN from the IRS at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. This six-digit number is required to file any return using your SSN.

Step 5: Monitor your credit reports

You're entitled to free weekly credit reports from all three bureaus at annualcreditreport.com. Set a recurring calendar reminder to check every month.

Look for:

• Accounts you didn't open
• Hard inquiries you didn't authorize
• Addresses you've never lived at
• Employment information that isn't yours

Catch fraud early and it's an annoyance. Catch it late and it's a nightmare that can tank your credit score and take years to resolve.

Key takeaway: These five steps create defensive layers that make identity theft significantly harder. None are optional after a breach this large—your SSN is already in criminal hands.

How breached data ends up on data broker sites

Here's what most breach coverage misses: The NPD breach didn't just expose your data once. It created a permanent supply of verified information that data brokers are already aggregating, enriching, and reselling.

Data brokers operate by collecting information from public records, scraping websites, purchasing data from other brokers, and ingesting leaked databases like NPD. Our analysis of thousands of removal requests shows that breached data typically appears on broker sites within 30-90 days after a major leak.

The NPD data is particularly valuable to brokers because it includes verified SSNs linked to current addresses. Brokers can merge this with other datasets—your shopping history, social media activity, property records, court filings—to build comprehensive profiles worth $0.50 to $2 each.

These profiles appear on sites like Whitepages, Spokeo, BeenVerified, and hundreds of lesser-known brokers you've never heard of. Anyone willing to pay a small fee can access your SSN, address history, and family relationships.

Some brokers claim they don't display SSNs publicly. That's technically true but meaningless. They use SSNs internally to verify identity and link records, then sell "verified" profiles to employers, landlords, and anyone else willing to pay. Your SSN becomes the invisible key that unlocks your entire data profile.

The scale is staggering. GhostMyData monitors 1,500+ data broker sites—far more than competing services that cover only 35-500 brokers. Based on our removal data, the average person appears on 200-350 broker sites simultaneously. After major breaches, that number spikes as new brokers emerge to profit from freshly leaked data.

Want to see where you are right now? Our free exposure check scans the full broker ecosystem and shows exactly which sites are selling your information.

Removing your data from brokers isn't just about privacy anymore—it's breach damage control. Every broker profile containing your information is another attack vector for criminals who already have your SSN from the NPD breach.

Key takeaway: Breached data doesn't disappear. It gets absorbed into the data broker ecosystem where it's repackaged and sold indefinitely, multiplying your exposure long after the initial breach.

Long-term protection after a breach

The National Public Data breach isn't a one-time event you can address and forget. Your exposed SSN remains vulnerable for decades. Identity theft can occur months or years after a breach as criminals work through stolen databases.

Real-world timeline: After the 2017 Equifax breach, fraud rates among exposed consumers remained elevated for three years. Some victims didn't discover fraudulent accounts until 2020—three years after the initial breach.

This delayed exploitation happens because sophisticated criminals play the long game. They wait for people to drop their guard, cancel monitoring services, and stop checking credit reports regularly. That's when they strike.

Ongoing monitoring must include:

Credit monitoring alone isn't enough. You also need to monitor:

• Bank and credit card statements (weekly, not monthly)
• Medical insurance explanation of benefits (fraudulent medical claims)
• Social Security earnings statements (someone working under your SSN)
• Court records (criminals arrested using your identity)
• Data broker sites (where your information reappears after removal)

That last point is critical and widely misunderstood. Removing your data from broker sites isn't permanent. Brokers constantly refresh their databases from new sources. Information you removed last month can reappear next week from a different supplier.

Based on our analysis of thousands of removal requests, approximately 30-40% of successfully removed profiles reappear on the same broker sites within 90 days. High-activity brokers like Whitepages and Spokeo can re-list your information in as little as two weeks.

This isn't brokers ignoring your removal requests (though some do). It's new data flowing in from other sources—public records, purchased datasets, scraped websites, and other breaches. Each source must be identified and removed separately, creating a perpetual game of whack-a-mole.

Manual monitoring and removal is practically impossible. Each broker has different opt-out processes requiring different information, verification methods, and waiting periods. Multiply that across 1,500+ sites and you're looking at hundreds of hours of work annually.

Key takeaway: Post-breach protection requires ongoing monitoring and removal because your exposed data will circulate through data broker networks indefinitely. One-time actions provide false security.

How GhostMyData automates post-breach protection

After a breach like NPD, you face two problems: removing your data from brokers who already have it, and preventing it from reappearing as they acquire new datasets.

GhostMyData solves both through continuous automated removal across our network of 1,500+ data brokers—the most comprehensive coverage available. Competing services typically cover 35-500 brokers, leaving you exposed on hundreds of sites they don't monitor.

Here's how it works:

Initial scan and removal: Our system scans all 1,500+ broker sites for your information, identifies every profile and listing, then submits legally compliant removal requests on your behalf. This initial sweep typically finds 200-350 active listings for the average person.

Continuous monitoring: We don't stop after the first removal. Our system rescans broker sites every 30-90 days (depending on the broker's refresh rate) to catch reappearing data. When your information resurfaces, we automatically submit new removal requests without requiring any action from you.

New broker detection: The data broker ecosystem constantly evolves. New sites launch, existing brokers rebrand, and previously unknown operators surface. Our research team identifies new brokers monthly and adds them to your protection coverage automatically.

Breach response integration: When major breaches occur, we analyze where that specific data is most likely to appear and prioritize monitoring of those brokers. After NPD, we increased scan frequency for brokers known to purchase background check data and SSN-linked records.

The removal process typically takes 2-3 months for the initial sweep (some brokers have 30-60 day processing windows required by law), then continues indefinitely as long as your subscription remains active. You receive regular reports showing exactly which brokers had your data, what was removed, and what reappeared.

This matters specifically for breach victims because breached data spreads faster than normal data accumulation. The NPD database has already been downloaded thousands of times and is being actively merged into broker datasets right now. Manual removal can't keep pace with that distribution speed.

Compare that to the DIY approach: Removing your data from even 100 broker sites manually requires 40-60 hours of work—finding opt-out pages, filling out forms, verifying emails, mailing notarized documents to some brokers, and tracking removal status. Then you have to repeat the process every few months as data reappears.

Want to see what you're up against? Start with our free exposure check to see exactly how many broker sites currently list your information. Most people are shocked by the number.

For breach victims specifically, automated removal isn't a luxury—it's damage control. Your SSN is already circulating. Every day your data remains on broker sites is another day criminals can purchase verified profiles to commit fraud in your name.

Our pricing is transparent and significantly lower than the cost of resolving identity theft, which averages $1,500-$3,000 in direct costs plus 100-200 hours of time according to the Identity Theft Resource Center.

Key takeaway: The NPD breach created an ongoing exposure problem that requires ongoing protection. Automated monitoring and removal across the full broker ecosystem is the only practical solution for most people.

The bottom line

The National Public Data breach exposed your Social Security number, address history, and family information to criminals worldwide. That data is now freely available and will circulate indefinitely.

Immediate action—credit freezes, fraud alerts, password changes—creates defensive barriers against the most common fraud tactics. But the real challenge is the long game: preventing your breached data from being repackaged and sold through data broker networks for years to come.

Manual monitoring and removal across 1,500+ broker sites isn't realistic for people with jobs and lives. The NPD breach affects hundreds of millions of people, but only a tiny fraction have the time or expertise to protect themselves effectively.

That's the problem GhostMyData solves. We handle the tedious, ongoing work of finding your data, removing it, monitoring for reappearance, and repeating the cycle indefinitely across the industry's most comprehensive broker network.

Your Social Security number is already out there. The question is whether you'll let data brokers continue profiting from it while criminals use it to commit fraud, or whether you'll take control of your exposure starting today.

Start with our free exposure check to see the scope of your current data broker exposure, then decide whether ongoing automated protection makes sense for your situation. After a breach this large, doing nothing is the riskiest choice of all.