National Public Data, a major background check company, is facing a class action lawsuit over a massive data leak. The breach allegedly exposed the personal data of nearly three billion people. A cybercriminal group called ASDoD reportedly listed this database for sale online at $3.5 million, but there’s no evidence that anyone has actually bought it yet.

If the breach were confirmed, it could be one of the largest data breaches ever. However, Troy Hunt, a well-known security expert and founder of the breach notification site HaveIBeenPwned, has cast doubt on the claims surrounding the leak. Hunt’s investigation revealed several discrepancies:

  1. Population Mismatch: The database was advertised as containing data for the entire populations of the USA, Canada, and the UK, totaling 2.9 billion rows. However, Hunt points out that this number far exceeds the combined population of these countries.
  2. Data Details: The ASDoD listing claimed the database included Social Security Numbers (SSNs), but Hunt notes that Canada uses Social Insurance Numbers (SINs) and the UK has National Insurance (NI) numbers, making the claim questionable.
  3. File Size Inconsistencies: The post mentioned that the compressed database was 200GB and would expand to 4TB uncompressed. Yet, when verified, the uncompressed file was only 277.1GB. Additionally, Hunt found that the data contained many duplicates. In a sample of 100 million rows, only 31% had unique SSNs, suggesting that the bulk of the data was duplicated.
  4. Data Accuracy: Hunt discovered that the first few rows of the database contained identical personal details, with only the names and addresses changed. He also found that many entries included mismatched or inaccurate information; his own email address appeared in the data, but without other correct personal details.

Hunt speculates that the hype surrounding the breach might stem from the initial mention of SSNs, which drew attention to the leak. He suggests that as a data brokerage, National Public Data could have compiled a large amount of publicly available information into their database before it was stolen.

While the breach likely contains some legitimate personal information, the overall scale and accuracy of the data might be overstated. There are still 134 million email addresses in the leak that could be used for phishing or targeting individuals, especially those without strong identity theft protection.
