In July 2025, a colossal National Public Data leak exposed 2.9 billion records on a dark web forum, orchestrated by the hacking group USDoD. The data contains names, Social Security numbers, addresses, and more from the U.S., Canada, and UK, and the breach ranks among the largest ever, threatening widespread identity theft. This article unpacks the breach, its fallout, and how to secure your data.
On April 8, 2025, USDoD posted a 4TB database titled “National Public Data” on the dark web’s Breached forum, offering it for $3.5 million. The dataset, stolen from National Public Data (NPD), a Florida-based background check firm, included full names, Social Security numbers, addresses spanning decades, phone numbers, and email addresses for 2.9 billion records. Security expert Troy Hunt found only 134 million unique email addresses, suggesting multiple records per individual, but the scale remains staggering (Source: TechRepublic).
NPD, owned by Jerico Pictures, scrapes data from non-public sources, meaning many victims never consented to their information being stored. A Chicago resident, for instance, discovered their SSN and past addresses online after a credit alert, facing fraudulent loan attempts. The unencrypted data, dumped publicly by July 12, 2025, amplifies risks, as anyone can access it for free. NPD’s delayed response, only acknowledging the breach in August after lawsuits, has drawn criticism for leaving victims exposed (Source: Bloomberg Law).
The National Public Data leak creates a perfect storm for cybercriminals. Exposed SSNs and addresses enable identity theft, fraudulent loans, and tax scams. In 2024, Experian reported $12.7 billion in fraud losses from similar leaks, and this breach could dwarf those numbers. A UK small business owner found their details used for unauthorized credit applications, showing cross-border impacts. Email addresses in the dataset also fuel phishing campaigns, with attackers crafting convincing scams using real personal data (Source: CSO Online).

2.7 billion unencrypted records on the dark web site “BreachedForums”. (Source: BleepingComputer)
Businesses face equal danger. Leaked employee data can trigger phishing or ransomware attacks, as seen in the 2023 Optima Tax Relief breach. The dataset’s inclusion of deceased relatives’ information adds complexity, enabling fraudsters to exploit estates. With 70 million rows of U.S. criminal records also exposed, attackers can target vulnerable individuals. The breach’s public availability on the dark web means cybercriminals, from lone hackers to organized groups, can exploit it indefinitely. This breach follows a broader trend of rising credential leaks on underground markets, as detailed in our Dark Web 2025 credential breach report.
Cybersecurity professionals and individuals can mitigate the National Public Data leak risks with swift action. Freeze your credit at Equifax, Experian, and TransUnion to block fraudulent accounts—free and reversible online or by phone. Use authenticator apps like Google Authenticator for MFA, avoiding SMS-based codes that hackers can intercept. Check for compromised data using HaveIBeenPwned or npdbreach.com, and monitor financial accounts for unusual activity.
Businesses should deploy dark web monitoring tools like Flashpoint to detect leaked employee data early. Train staff to recognize phishing emails, a common follow-up to such breaches. Encrypt sensitive databases and audit third-party vendors to ensure compliance with CCPA or GDPR. The 2024 AT&T breach showed that quick credit freezes reduced fraud incidents. Act proactively to secure systems and avoid costly breaches.
The National Public Data leak exposes the dangers of unchecked data scraping. NPD’s practice of collecting PII from obscure sources without consent left billions vulnerable. IBM’s 2025 report notes 60% of breaches stem from unsecured databases, a problem worsened by lax oversight. Lawsuits against NPD demand encryption and third-party audits, but broader regulations are needed. The 2017 Equifax breach, affecting 147 million, prompted stronger U.S. disclosure laws, yet companies like NPD lag behind. Stronger enforcement could prevent future leaks. We’ve seen similar database exposures, like the Rockerbox tax leak, where sensitive documents were left open due to cloud misconfigurations.