National Public Data says "only" 1.3 million users at risk, but that it leaked its own password

The data breach at National Public Data may fortunately have been a lot smaller than initially thought, according to a new report filed by the company with the Maine Attorney General’s Office detailing the incident.

Initially, it was reported that an estimated 2.9 billion records were circulating on the dark web since April 2024, with compromised information including names, Social Security numbers, email addresses, home addresses, and phone numbers for individuals living in the US, Canada, and the UK.

Now, in the filing submitted to the Maine Attorney General, the data broker claims “just” 1.3 million people were actually affected by the leak.

Passwords leaked, too

The data spans over 30 years, and includes address histories and family connections. Furthermore, Troy Hunt of HaveIBeenPwned? said the leak included 134 million unique email addresses and 272 million Social Security Numbers. The average age for the affected individuals is 70 (meaning some of the people affected by the leak are 120+ years old and long deceased).

But not everyone thinks NPD's logic is particularly sound. The Register , for example, stresses in its report HaveIBeenPwned listed a hundred times as many unique email addresses as NPD says there were affected people.

“So, unless every one of the 1.3 million affected people had 100 email addresses, which is pretty unlikely, there is a chance that more people are affected than what NPD told Maine's AG,” the publication argues.

To make matters worse, NPD also seems to have had its own passwords leaked. According to KrebsOnSecurity , a sister NPD property called recordscheck.net was hosting an archive that included usernames and passwords for the site’s administrator. The archive was available from the Records Check website earlier this week, and it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages, Krebs concluded.

Whatever the case, the leak is enormous, and it will probably take a lot more time until we know for certain how many people had their data stolen. In the meantime, some people went with a class-action lawsuit, claiming the leaked data poses a significant risk for both identity theft , and fraud.

Those who are affected by the incident are warned to keep a close eye on their financial accounts, especially for suspicious transactions and purchases. Also, they should expect an increase in phishing emails and social media interaction.

More from TechRadar Pro

• National Public Data finally confirms it was hit by data breach — and that millions of users are at risk
• Here's a list of the best firewall software around today
• These are the best endpoint security tools right now