Constella Intelligence

Main Menu

The Future of Identity Protection: Real-Time Threats and Scams

Alberto Casares on November 5, 2024

In today’s digital landscape, protecting your identity from real-time threats is more critical than ever. As a cybersecurity expert, I’ve seen an evolving spectrum of threats that go far beyond traditional identity theft. From classic dark web doxing to the advent of fullz—full identity kits sold for a few dollars—threat actors are leveraging these methods for a new breed of real-time scams, amplified by cutting-edge technology.

Recently, a project by Anh Phu Nguyen  and Caine Ardayfio demonstrated the capability to integrate facial recognition technology with Meta’s smart glasses, allowing instant identification of strangers. This development marks a significant leap from the traditional static forms of identity theft into real-time exploitation, where personal information is weaponized in the moment.

Classic Doxing and Fullz on the Dark Web

For decades, doxing and the sale of fullz (complete identity kits) have been staple methods of cybercriminals on the dark web. Doxing involves collecting and publicizing personal information such as home addresses, phone numbers, and social media profiles, often with the intent to embarrass, harass, or intimidate. OSINT tools (Open-Source Intelligence) allow attackers to scrape social media profiles, public databases, and breached datasets to compile detailed profiles on their victims. Once exposed, this data is used for targeted harassment or extortion.

Meanwhile, fullz provide a more comprehensive set of personal details, typically including social security numbers, financial data, and other sensitive information that can be exploited for identity theft. The sale of fullz on dark web marketplaces has enabled identity theft and financial fraud on a massive scale. For a relatively small fee, threat actors can purchase a victim’s entire identity, making it easy to perform account takeovers, create fake profiles, or apply for credit in the victim’s name.

In the past, these methods were effective but static. Attackers could steal and use personal data long after it was exposed. Today, however, advancements in technology have transformed these identity theft techniques into dynamic, real-time threats.

Real-Time Identity Exploitation: The New Era of Scams

The rise of facial recognition technology combined with wearable devices, like Meta’s smart glasses, introduces a new dimension to identity theft. By pairing this real-time data collection with pre-existing fullz or other doxing techniques, threat actors can instantly exploit an individual’s identity on the fly.

real-time threats

In this I-XRAY demonstration, Meta’s smart glasses were modified to scan faces in public, instantly cross-referencing them with public social media data and possibly with compromised identity information. Imagine walking down the street, unaware that someone can identify you, access your data, and target you with personalized scams—all in real time. This shift turns identity theft into a real-time, hyper-targeted activity.

Here’s how this modern version of doxing and scamming might unfold:

  • Real-time recognition: A malicious actor equipped with facial recognition on smart glasses could walk through crowded public spaces and instantly identify individuals based on a match with their leaked photos from social media or other sources. This is no longer hypothetical; the proof-of-concept has already been demonstrated.
  • Instant exploitation: Once an individual is identified, scammers could access their leaked fullz from the dark web, providing them with a detailed set of personal information. They could then approach the target in real-time, pretending to know them, creating a social engineering scenario where the victim believes the scammer is a legitimate acquaintance or authority figure.
  • On-the-spot phishing: Imagine being approached by someone who knows your full name, email, address, and the last few digits of your social security number. When they ask you to verify some information the victim could easily fall into the trap of handing over even more sensitive information—like bank account details—without realizing they’ve been scammed until it’s too late.

The Role of AI in Amplifying Real-Time Threats

AI plays an integral role in the future of identity scams. It allows for the rapid analysis and deployment of identity data, enabling new, sophisticated scams that were previously unimaginable. Here are several ways AI can enhance these real-time threats:

  • AI-Powered Deepfakes: Threat actors can combine AI-generated deepfakes with real-time data to impersonate individuals in both video and audio formats. By using AI to craft believable but fake messages or phone calls, scammers can extort or deceive people more convincingly than ever before.
  • Automated Identity Theft at Scale: AI tools can automate the collection and correlation of personal data across multiple sources—social media, leaked data, and public records—faster than any human could. This allows threat actors to assemble profiles on victims quickly, accelerating identity fraud.
  • Behavioral Analysis and Predictive Attacks: AI can analyze online behaviors to predict the types of scams most likely to succeed on a given target. For example, someone frequently searching for job opportunities could be targeted with a fake job offer, exploiting the victim’s immediate needs.

Insights from Experts: Combating Modern Threats

As highlighted previously, cybersecurity in the age of AI and real-time technologies requires an updated approach. The reliance on static data protection strategies, such as password managers or even two-factor authentication, is no longer sufficient. We need to implement dynamic identity monitoring, where AI-driven systems track unusual behavior related to your digital presence in real-time.

How Constella is Protecting Your Identity

At Constella, we are dedicated to staying ahead of evolving threats by leveraging cutting-edge AI technologies and continuous monitoring to provide comprehensive identity protection. Our unique approach not only covers traditional dark web monitoring but also focuses on a broader range of sources across the surface web, ensuring a proactive stance against emerging scams and data leaks. Here’s how we’re tackling the future of identity theft:

  1. Real-Time Identity Alerts: Our system is designed to provide real-time alerts when personal information is exposed across both the surface web, data brokers, and the dark web. Unlike traditional solutions that focus solely on the dark web, Constella offers a multi-source approach. This comprehensive coverage allows us to detect threats before they escalate, offering early warnings on a broader scale than any single-source monitoring service.
  • Advanced Dark Web Monitoring: We continuously scan the dark web to detect any exposure of your personal information, whether it has been compromised by infostealers or exposed through data breaches. Our unique approach involves not just scraping the dark web but correlating this data with surface web activities, giving you a more holistic view of your identity exposure. This enables a faster response to potential threats before they result in fraud or exploitation.
  • AI-Driven ScamGPT: Leveraging our proprietary AI technology, ScamGPT simulates potential scams that you may be targeted by using your own exposed personal information. This proactive approach allows us to train you before threat actors attempt a real attack, helping you recognize and avoid personalized phishing schemes, social engineering attempts, and other forms of exploitation. By generating potential scam scenarios based on your specific data profile, we ensure you are better prepared for what’s coming, long before the attackers strike.
  • Surface of Attack Mapping: Constella’s unique AI technology creates a detailed view of your real surface of attack, analyzing how your compromised information could be used against you. Using algorithms developed in collaboration with law enforcement agencies (LEAs), we connect the dots in the same way threat actors do, identifying all possible avenues they could exploit to target you. This approach allows you to see your vulnerabilities from the perspective of an attacker, enabling you to take targeted actions to secure those areas before they become active threats.

By integrating these advanced tools and methodologies, Constella provides a comprehensive identity protection solution designed to stay one step ahead of modern identity theft techniques. Our AI-driven insights ensure that you are equipped to defend against both current and future threats, safeguarding your personal information in an ever-changing cyber landscape.

Inside the Dark Web: How Threat Actors Are Selling Access to Corporate Networks

Alberto Casares on October 21, 2024

In recent weeks, underground forums on the dark web have continued to flourish as bustling marketplaces where cybercriminals sell unauthorized access to corporate networks. From VPN credentials to Remote Desktop Protocol (RDP) access, threat actors take advantage of compromised corporate environments, often leveraging data from recent breaches or stolen via infostealers. This analysis highlights the trends observed in the last few weeks, shedding light on the types of actors involved, the most targeted countries and sectors, and the types of access being traded.

Selling Access to Corporate Networks Through Key Actors on Underground Forums

In just the last few weeks, over 250 distinct threat actors have been identified on underground forums, all involved in selling access to corporate networks. These actors can be divided into two major categories:

  • Individual cybercriminals – Typically specializing in phishing attacks or leveraging malware like infostealers, these individuals focus on lower-value or opportunistic attacks.
  • Organized cybercrime groups – These structured groups act as access brokers, offering extensive credential dumps and long-term, persistent access to corporate environments. Their capabilities are far more advanced, often involving sophisticated breaches and after-sale services to ensure buyers can maximize the value of the access.

Breakdown of Threat Actors:

  • 60% of the identified actors are individuals, concentrating on smaller, low-value targets, often selling low-risk access points.
  • The remaining 40% are part of coordinated cybercriminal groups, focusing on high-value targets with comprehensive access that often includes post-sale support like lateral movement within networks and privilege escalation.

These actors don’t just stop at initial access. A significant number of them provide additional services, such as helping buyers navigate through compromised corporate systems and avoid detection. The after-sale support offered by these groups often includes technical assistance to move laterally within the network and maintain persistent access, ensuring attackers can continue exploiting their entry points over time.

The data from just a few weeks offers a window into the vast and diverse ecosystem of cybercrime thriving on underground forums. This highlights the rapidly evolving nature of these threat actors and underscores the need for corporations to stay vigilant against an ever-growing array of cyber threats.

The persistent activity observed emphasizes the continuous development of more advanced methods to breach and exploit corporate environments, making it clear that cybersecurity must remain a top priority for organizations across all sectors.

Most Targeted Countries

Recent data from underground forums shows that threat actors are targeting companies and institutions across multiple continents, with a clear focus on high-value sectors like finance, technology, government, and energy. Here’s a summarized breakdown of the affected countries and continents:

North America

  • United States: Primarily targets in the financial and technology sectors.
  • Canada: Focus on financial and real estate sectors.
  • Mexico: Targets include government agencies and financial services.

Europe

  • Russia: Focus on energy and government sectors.
  • Poland: Targets in the manufacturing sector.
  • United Kingdom: Primarily financial services and wealth management.

Asia

  • Israel: Focus on finance and technology sectors.
  • Japan: Targets in educational and technology firms.
  • India: Significant focus on IT and outsourcing sectors.

South America

  • Brazil: Targets in the financial and government sectors.

Middle East

  • Iran: Focus on educational institutions.

Africa

  • South Africa: Limited but significant interest in the financial sector.

Recent Data Trends in Cybercriminal Targeting & Selling Access to Corporate Networks

The latest data from underground forums indicates a growing focus on three main sectors: finance, education, and real estate. These sectors are increasingly becoming targets for cybercriminals, primarily due to the wealth of sensitive information they hold and their operational importance.

Finance Sector

Access to financial services firms has become one of the most common offerings on underground forums. Financial institutions are especially vulnerable because they manage vast amounts of sensitive data, from customer information to transaction details. This data is not only valuable for direct financial gain but also for long-term exploitation, such as fraud and identity theft.

Threat actors are selling access to financial organizations, particularly banks and investment firms, that control billions in assets. These listings often include VPN and RDP access to corporate networks, allowing attackers to infiltrate the system and potentially deploy ransomware or steal sensitive data. Cybercriminal groups see this as a high-return opportunity, especially since financial institutions are often willing to pay ransoms to recover their operations quickly.

Education Sector

Educational institutions, particularly large universities with many employees and students, are becoming frequent victims of cyberattacks, especially ransomware. Schools and universities hold sensitive intellectual property, personal student data, and research information, making them attractive targets. Attackers frequently exploit this data by using stolen credentials obtained from phishing or malware campaigns. Once inside, they can lock down critical systems and demand a ransom, often crippling educational services and access to essential resources.

This rise in attacks on educational institutions aligns with the broader trend of ransomware-as-a-service (RaaS), where organized cybercriminal groups offer ransomware to affiliates, who then launch attacks and split the ransom payments. Educational institutions, especially those involved in cutting-edge research or government-sponsored projects, are prime targets for these sophisticated, high-impact ransomware campaigns.

Real Estate Sector

The real estate sector is another emerging target for cybercriminal groups, with listings for real estate firms becoming more common. These companies hold critical data on property ownership, transactions, and financial dealings, making them attractive to attackers seeking to steal valuable information or disrupt operations. The real estate industry also relies on secure networks to manage large transactions and sensitive communications, further making it a target for ransomware and data exfiltration.

Ransomware-as-a-Service (RaaS) Influence

Organized cybercriminal groups are increasingly using RaaS to monetize stolen data. This model allows cybercriminals to sell access or share ransomware tools with affiliates who conduct the attacks, splitting profits with the developers of the ransomware. The shift toward this model has lowered the barrier to entry for cybercriminals, allowing even low-skilled attackers to participate in high-impact attacks. Institutions in the finance, education, and real estate sectors are prime targets for RaaS-based attacks because of the high potential for extortion, intellectual property theft, and operational disruption.

Overall, the convergence of RaaS with sector-specific targeting demonstrates how organized cybercrime is evolving, with specialized groups focusing on high-value sectors that are more likely to pay ransoms or suffer significant disruptions from attacks.

Links to Public Breaches and Infostealers

Much of the data traded for corporate access originates from well-publicized breaches or is harvested via infostealers. These infostealers, like Vidar and Redline, are frequently used to siphon login credentials from compromised devices. These credentials are then sold in bulk on underground forums or offered as part of access packages.

One prominent example is the sale of credentials linked to a breach at a North American financial institution. The listing offered RDP access to the company’s network, likely obtained through a combination of phishing and infostealer malware. Similarly, credentials linked to healthcare organizations and university networks in the U.S. and Canada have been offered for sale, highlighting how infostealers play a critical role in these underground economies.

Types of Access Sold

The most commonly sold types of access on these forums include VPN credentials, RDP access, and increasingly, cloud platform access. VPN credentials allow buyers to gain access to secure corporate networks by bypassing firewalls, while RDP access grants full control over a target machine, allowing attackers to move laterally within the system and escalate privileges.

Cloud platform access is also becoming more prevalent as companies move critical infrastructure to cloud services like AWS and Azure. Listings advertising admin access to a company’s cloud infrastructure, such as AWS environments, have attracted interest, as cloud-based environments represent a significant attack surface for organizations.

The Importance of Comprehensive Corporate Protection

Many of the cyberattacks observed on underground forums are rooted in data obtained from data breaches or infostealers, highlighting the urgent need for organizations to expand their security focus beyond traditional corporate credentials. While many companies concentrate their defenses on securing credentials from corporate devices, cybercriminals do not discriminate between data obtained from corporate or personal devices. Their sole interest is in accessing valuable data from targeted or attractive companies.

For threat actors, it doesn’t matter if credentials were compromised on a work-issued laptop or a personal device; as long as the credentials grant access to sensitive corporate systems, they are of high value. This means that companies must protect all potential entry points—both professional and personal. Employees often use the same passwords across platforms or access corporate resources from personal devices, creating a significant vulnerability.

On the other hand, there is another important issue because many organizations continue to rely heavily on Multi-Factor Authentication (MFA) and VPN solutions as their primary security mechanisms. However, recent studies, such as those by Constella Intelligence, have demonstrated that these protections are no longer as foolproof as once believed. Infostealers—malware designed to harvest login credentials and other sensitive information—have proven effective at bypassing these security measures. Threat actors can use stolen data to circumvent both MFA and VPN mechanisms, rendering them ineffective against sophisticated attacks.

In particular, infostealers can capture session tokens, cookies, and authentication tokens that allow attackers to bypass MFA entirely. Even if a corporate system requires two-factor authentication, attackers can replay these tokens to gain unauthorized access. Likewise, VPN protections can be bypassed if attackers obtain the necessary credentials and tokens, allowing them to enter corporate networks as legitimate users without raising red flags.

This growing threat underscores that, while MFA and VPNs are important components of a security strategy, they can no longer be the sole lines of defense. Organizations need to adopt more advanced security measures that address the vulnerabilities exposed by credential-based attacks.

Escalation of Cyber Warfare in the Israel-Palestine Conflict: A Deep Dive into Recent Israeli Breaches

Alberto Casares on October 16, 2024

The geopolitical conflict between Israel and its adversaries has shifted into the digital sphere, where sophisticated cyberattacks have become a primary tool for targeting critical sectors. In recent months, cyberattacks have exposed Israeli defense data, diplomatic communications, and sensitive civilian information. Among the prominent players in this cyberwarfare is the Handala Group, a hacktivist entity leveraging advanced persistent threat (APT) tactics to disrupt Israeli operations. Other actors, such as EagleStrike and the Hunter Killer hacker group, further complicate Israel’s cybersecurity landscape.

This blog analyzes recent Israeli breaches, the types of data compromised, and the strategic implications of these attacks, offering insights into the evolving digital conflict.

Handala’s Cyber Campaign: Recent Breaches Targeting Israel

In the past few months, Handala has launched a series of attacks across various sectors in Israel, targeting critical infrastructure, government entities, and individual high-profile figures.

1. Doscast Hacked (October 10, 2024)

Handala targeted Doscast, a major audio platform for the ultra-Orthodox Jewish community. This attack disrupted the platform, which hosts a variety of commentators and conversationalists, exposing its vulnerabilities and impacting its wide user base. The symbolic nature of this hack underscores Handala’s ideological objectives, as Doscast is a prominent site within the religious community.

2. Ambassador of Israel in Germany Emails (October 8, 2024)

Handala compromised 50,000 emails from Ron Prosor, the Israeli Ambassador to Germany and former senior Mossad officer. The leaked emails expose sensitive diplomatic communications, potentially affecting Israel’s foreign relations. This breach also highlights Handala’s aggressive tactics, as they included personal threats against Prosor, claiming constant surveillance over his activities.

3. Max Shop Hacked (October 8, 2024)

The breach of Max Shop, a cloud-based terminal system used in over 9,000 stores, resulted in the theft of 1.5TB of data. The attack defaced store kiosks and sent threatening messages to 250,000 Israeli citizens. This attack directly impacted retail operations and exposed personal information, further heightening concerns over civilian data security.

4. Israeli Industrial Batteries (IIB) Leak (October 6, 2024)

Handala released 300GB of data from IIB (Israeli Industrial Batteries), a company involved in providing energy storage infrastructure to Israel’s military and defense sectors. The breach of IIB threatens the resilience of Israel’s defense logistics, particularly its energy-dependent military operations.

5. Shin Bet Hacked (October 3, 2024)

Handala successfully breached the Shin Bet’s security system, compromising their exclusive mobile security application used by officers. This attack poses a significant risk to Israel’s internal security, potentially exposing confidential communications, field agents, and counterterrorism operations.

6. Israeli Prime Minister Emails (October 2, 2024)

The group leaked 110,000 secret emails belonging to former Prime Minister Ehud Barak. Handala claims to have been surveilling Israel’s leadership for decades. This breach exposes sensitive government discussions, further undermining Israel’s internal political operations and national defense strategies.

7. Soreq Nuclear Research Center (September 28, 2024)

Handala targeted the Soreq Nuclear Research Center (NRC), a key nuclear research facility in Israel. The group claims to have stolen comprehensive data, including emails, infrastructure maps, personnel details, and administrative documents. This breach could severely compromise Israel’s nuclear capabilities and has far-reaching implications for national security.

8. Israeli Foreign Affairs Minister Emails (September 26, 2024)

Handala exposed 60,000 emails belonging to Gabi Ashkenazi, former Minister of Foreign Affairs and Chief of General Staff of the Israeli Armed Forces. The breach includes communications that could be used to disrupt Israel’s foreign policy initiatives, further eroding trust in the nation’s cybersecurity capabilities.

9. Benny Gantz Hacked (September 23-24, 2024)

Handala published 35,000 confidential emails and 2,000 private photos of Benny Gantz, the former Defense Minister. The group’s goal is not only to embarrass the official but to expose internal defense discussions. This breach is a significant escalation in the group’s attacks on individual high-profile figures, highlighting the personal risks involved for Israeli officials.

EagleStrike and the Hunter Killer Leak (September 2024)

On September 30, 2024, EagleStrike exposed a comprehensive data breach facilitated by the Hunter Killer group. The leak included critical Israeli state data, including:

  • Israel MFA Access: Over 370GB of data from the Ministry of Foreign Affairs was compromised, including remote desktop access (RDP) and SharePoint credentials. This breach threatens Israeli diplomatic operations and international communications.
  • Mossad Email Server Dump: 27,000 emails were leaked, revealing sensitive information from 2017 to 2023. This exposes Mossad’s covert operations and intelligence-gathering efforts, placing Israel’s security at significant risk.
  • Defense Contractors: Data from Rafael Advanced Defense Systems and Elbit Systems was also part of the breach. Intellectual property and defense technology information were exposed, severely impacting Israel’s defense development.
  • Military and SCADA Systems: Handala obtained access to 70 SCADA systems, which control critical infrastructure such as water and energy. The potential sabotage of these systems could lead to widespread service disruptions or worse, physical damage to key facilities.

Handala’s Extortion Tactics and Ransomware Campaigns

Handala is not only focused on cyber sabotage but also engages in ransomware and extortion, often targeting high-value industries. Notable ransomware campaigns include:

  • Healthcare Sector (February – June 2024): Handala targeted hospitals and healthcare organizations, demanding 8 BTC (~$569,252 USD) in ransom. This campaign involved the theft of patient records and financial data, crippling healthcare operations.
  • Defense and IT Sectors (March – May 2024): Handala launched coordinated attacks on Israel’s defense contractors and IT services. These breaches exposed proprietary technologies and military secrets, undermining Israel’s defense infrastructure.

Extortion Methods: Handala’s extortion model involves leaking data through Clearnet and TOR sites, alongside Telegram channels, if ransom demands are not met. These platforms enable Handala to continuously publicize their exploits and pressure victims.

Impacts on Israeli Citizens: Identity Theft and Civil Disruptions

While the breaches targeting government and military entities are alarming, Handala has increasingly targeted civilians, amplifying public concern over data security.

Max Shop Hack (October 2024)

This attack affected over 9,000 retail systems across Israel, leaking 1.5TB of personal and financial data from 250,000 Israeli citizens. Beyond the direct financial losses, victims are vulnerable to identity theft and phishing schemes. The hack demonstrates Handala’s capacity to disrupt civilian life and further erodes public trust in data security.

Identity Theft and Phishing Risks:

  • Financial Loss: Stolen identities can be used to open fraudulent bank accounts and apply for credit.
  • Phishing Campaigns: Detailed personal data enables highly targeted phishing attacks, further compromising individual security.
  • Long-term Privacy Concerns: Once personal data circulates on dark web markets, it remains accessible, prolonging the risk of exploitation.

Conclusion

Handala’s cyber campaigns against Israel mark a significant escalation in digital warfare. Their attacks on critical infrastructure, defense systems, and civilian sectors have exposed substantial vulnerabilities. These breaches not only undermine Israel’s national security and diplomatic standing but also pose severe risks to individual citizens through identity theft and financial fraud.

Israel must implement a multi-layered defense strategy that includes strengthening its cybersecurity infrastructure, enhancing public awareness, and fostering international cooperation. With adversaries like Handala continuing to innovate their tactics, robust defense measures are essential to safeguard the nation’s critical assets and its people.

How Cybercriminals Use Stolen Data to Target Companies — A Deep Dive into the Dark Web

Alberto Casares on October 6, 2024

The digital world has revolutionized the way we live and work, but it has also opened up a new realm for cybercriminals. The rise of the dark web has provided a breeding ground for hackers and other malicious actors to trade stolen data and launch attacks against companies worldwide. This blog post provides a summary of some of the trends observed over the past few days, highlighting how threat actors are using compromised data to exploit businesses, the sectors most impacted, and the dynamics of this underground market.

Cybercriminal’s Hidden Market for Stolen Data

Imagine an underground marketplace bustling with activity — vendors selling hacked streaming service accounts, buyers bidding on cloud storage credentials, and a community exchanging tips on how to bypass security features. This is the reality of the dark web, where forums like BreachForums act as virtual bazaars for compromised data.

Stolen information is incredibly valuable in this shadowy ecosystem. From streaming service logins to financial account credentials, threat actors peddle a variety of digital goods. But why is there such a demand? The answer lies in the sheer usability of this data — for unauthorized access, fraud, identity theft, or even blackmail.

Which Sectors Are Being Targeted the Most?

Recent activity on underground forums reveals a worrying trend: threat actors are targeting multiple industries. The most affected sectors include digital services, cloud storage platforms, and financial services, reflecting a shift in focus towards companies that hold valuable user data and offer high resale value.

1. Digital Services and Streaming Platforms:

  • Who’s at Risk? Companies like Netflix and Disney+ are prime targets. Their popularity and the fact that millions of users are willing to pay for premium content make them attractive for hackers.
  • What’s Being Sold? Compromised accounts are often shared or sold with details like session cookies, making it easy for buyers to bypass login security. This enables users to enjoy premium services without the account owner’s knowledge.
  • Why It Matters: Compromised accounts are often resold or shared for free, undermining these companies’ revenue models. For example, a Netflix account that allows multiple streams can be used by multiple individuals without the company’s knowledge.

2. Cloud Storage and File Hosting:

  • Who’s at Risk? Platforms like Mega.nz and Google Drive are frequently targeted.
  • What’s Being Sold? Access to cloud storage accounts can potentially contain sensitive personal files or proprietary business data.
  • Why It Matters: Access to these accounts can be devastating. Personal data may be exposed, business information can be leaked, and in the worst cases, this access can be leveraged for ransom or further exploitation.

3. Financial Services:

  • Who’s at Risk? PayPal and other online banking services remain high-value targets.
  • What’s Being Sold? Financial account credentials, often including transaction history and linked bank details, are sold for quick financial gain.
  • Why It Matters: Once compromised, these accounts can be used for fraudulent purchases, laundering money, or draining linked bank accounts.

4. Government and Educational Institutions:

  • Who’s at Risk? Certain threads also reveal a focus on educational and governmental institutions, often in specific regions. These breaches can lead to the exposure of sensitive or classified information and may be driven by politically motivated actors.
  • Why It Matters: Database access to regional entities such as educational systems and government bodies can spark interest, potentially signaling politically motivated targeting or the pursuit of classified information for espionage purposes.

A Growing Market: Why is Stolen Data So Valuable?

Data is the new oil — it’s valuable, in-demand, and fuels an entire underground economy. But what makes stolen data so enticing for cybercriminals?

  1. Ease of Access and Use:
    1. Many compromised accounts come with details like session cookies, allowing threat actors to bypass multi-factor authentication and other security measures effortlessly. This makes it easy to log in without the hassle of entering passwords or passing security checks.
  2. High Resale Value:
    1. Digital accounts, particularly for streaming services, can be resold for a fraction of the original subscription cost. Similarly, cloud storage accounts are valued for the data they contain, making them an attractive purchase.
  3. Potential for Further Exploitation:
    1. Some threat actors aren’t just looking to sell; they’re seeking to exploit. Access to cloud storage or email accounts can serve as an entry point for more targeted attacks, such as spear-phishing campaigns, business email compromise (BEC), or even corporate espionage.

Sophistication Levels: From Novices to Experts

Not all cybercriminals are created equal. The dark web is home to a diverse group of actors, each with varying levels of sophistication. Understanding these levels helps in identifying the potential impact of their activities:

1. Newbies:

  • Profile: Typically engage in low-risk activities such as trading basic credentials (e.g., single account login details for streaming services).
  • Activities: Selling or sharing low-value accounts for platforms like Netflix and Hulu.
  • Risk: Minimal, as these actors lack the skills to perform more complex attacks. However, their activities can still lead to widespread account sharing.

2. Intermediate Threat Actors:

  • Profile: Have the capability to conduct more sophisticated breaches, such as accessing cloud storage services or hijacking VPN accounts.
  • Activities: Frequent discussions around financial account credentials or access to cloud storage with potential sensitive information.
  • Risk: Moderate to high, as these actors can exploit compromised data for financial gain or to access deeper networks.

3. Advanced Threat Actors:

  • Profile: Possess deep technical expertise and may even carry out targeted attacks on specific industries or regions.
  • Activities: Breaching government or educational systems, reflecting interest in sensitive or classified data.
  • Risk: Very high, as these actors are capable of executing large-scale data breaches, espionage, or infrastructure disruption.

The Dark Web’s Pulse: Measuring Community Interest

The number of replies and discussions around specific types of accounts serves as a strong indicator of the community’s interest and perceived value of the stolen data. The vibrant discussions around cloud storage platforms and digital services suggest that these sectors remain high-priority targets.

The rapid growth in interest within hours of posting reflects the increasing demand for certain types of data. For businesses, this means staying vigilant and being aware of the value cybercriminals place on different types of data assets.

Conclusion: A Threat That’s Here to Stay

The use of compromised data by cybercriminals to target companies is not a passing trend — it’s a growing, complex issue that demands attention. From digital services and cloud storage to financial and governmental sectors, no industry is immune. The sophistication levels of threat actors continue to rise, and the vibrant underground markets provide an easy way for them to exchange and monetize this data.

For companies, this means investing more in security, training employees to recognize potential threats, and staying one step ahead by monitoring these underground forums for early warnings. The fight against cybercrime is ongoing, and understanding how threat actors operate is the first step in protecting our digital assets.

By shedding light on these dark activities, we hope to raise awareness and help companies build stronger defenses against the ever-evolving threat of compromised data.

Leveraging Infostealers to Breach Companies: A Cybersecurity Intelligence Perspective

Alberto Casares on September 16, 2024

Infostealers are specialized malware designed to extract sensitive data from infected systems. They operate in the background, collecting login credentials, browser histories, and cookies, often without detection. Deployed through phishing emails or malicious websites, infostealers are a growing favorite among cybercriminals due to their low risk of detection and the high-value data they yield.

Unlike more overt forms of cyberattacks like ransomware, infostealers are subtle and continuous. The stolen information is often sold in bulk on dark web marketplaces or used to launch further attacks, such as gaining access to company networks or committing financial fraud. The sophistication of these tools has grown, making them one of the most effective methods for threat actors to compromise corporate environments.

Why Infostealers Are Effective Against Companies

Infostealers are attractive to threat actors for several reasons:

  1. Low Detection Rates: Infostealers are designed to evade detection by traditional security measures such as antivirus software. Once deployed, they blend seamlessly into legitimate system processes, making it challenging for conventional security solutions to recognize or remove them. This stealth allows them to operate undetected for extended periods, gathering critical data.
  • Targeting High-Value Data: Infostealers are capable of extracting a wide range of sensitive information, including passwords, session cookies (which can be used to bypass multi-factor authentication), financial records, and proprietary business data. This stolen data is often sold on dark web marketplaces or used for extortion, leading to significant financial and reputational damage.
  • Wide Availability and Accessibility: Infostealers are readily available for purchase on dark web forums, frequently offered as part of malware-as-a-service (MaaS) platforms. This makes them accessible even to less experienced cybercriminals, lowering the barrier to entry for launching sophisticated attacks. The ease of access and customization further amplifies their appeal to threat actors across the cybercriminal ecosystem.

Top Threat Actors Leveraging Infostealers

We have seen that many cybercriminals are actively using infostealers data as a preferred method for infiltrating organizations. These groups have leveraged infostealers to breach companies, leading to extensive financial and reputational damage. Below are a number of threat actors that stand out for their sophisticated use of these tools:

  • USDoD: This threat actor has carried out high-profile attacks, including the breach of Airbus by exploiting compromised credentials from a Turkish Airlines employee. This attack underscores the significant risk that infostealers pose to supply chains, allowing hackers to penetrate companies through vulnerable third-party partners​.
  • Sp1d3rHunters: Known for exploiting Snowflake accounts, Sp1d3rHunters has executed breaches against major companies such as Ticketmaster and AT&T, exfiltrating sensitive data such as customer information and event tickets. Their operations demonstrate how infostealer logs can be used to gain access to cloud services and wreak havoc​.
  • IntelBroker: This notorious threat actor has breached both government and private sector entities, targeting organizations such as Apple, Zscaler, and Microsoft. By using Infostealer-collected credentials, IntelBroker has facilitated attacks on critical infrastructure and sold access to compromised systems on dark web forums, further intensifying the risk to companies​.
  • Andariel (North Korea): Part of the Lazarus Group, Andariel is a North Korean state-sponsored Advanced Persistent Threat (APT) actor. This group is known for using infostealers, alongside other tools like keyloggers and remote access trojans (RATs), to target sectors such as military, nuclear, and manufacturing. Andariel’s strategy of using Infostealers to gather intelligence and financial data is a key part of their cyber operations​.
  • Lapsus$: Emerging in 2021, Lapsus$ has quickly gained a reputation for its high-profile breaches of companies like NVIDIA, Samsung, and Vodafone. Lapsus$ utilizes info stealers to harvest login credentials, payment information, and proprietary business data. In a notable attack, Lapsus$ breached Electronic Arts (EA), stealing source code for popular games like FIFA. The group’s aggressive tactics have caused widespread disruption in the tech and financial sectors​.

These groups’ sophisticated use of infostealers illustrates why businesses must adopt more advanced detection and monitoring systems to protect against this growing threat.

How Companies Can Defend Against Infostealers

While info stealers present a complex threat, companies can adopt several key strategies to mitigate the risks and minimize the impact of such attacks:

  • Analyze Exposed Data for Risk Mitigation: After a suspected infostealer attack, companies must conduct thorough analyses of the stolen data to assess the potential risks. This includes examining session cookies that could be hijacked to bypass multi-factor authentication (MFA), as well as personal credentials that may be used to impersonate employees or escalate privileges within the organization. Proactively identifying and addressing these risks can help prevent follow-up attacks or unauthorized access.
  • Strengthen Authentication Practices: While MFA is an essential safeguard, it is not foolproof, especially if session cookies are compromised. Companies should implement adaptive MFA, which monitors for anomalies in login attempts (such as unusual locations or devices) to prevent attackers from using stolen credentials. Additionally, frequent reauthentication can help disrupt the use of stolen session tokens.
  • Monitor for Unusual Access Patterns: Regularly reviewing access logs and monitoring for anomalous login attempts—such as multiple failed attempts, logins from unexpected locations, or odd behavior patterns—can help detect infostealer activity early. Endpoint Detection and Response (EDR) systems can play a key role in identifying and mitigating the effects of infostealers by flagging unusual data access or exfiltration activities.
  • Educate Employees on Phishing and Cyber Hygiene: Many infostealers are deployed through phishing attacks or malicious links. Regularly training employees to recognize suspicious emails, websites, and attachments can significantly reduce the likelihood of an initial infection. Implementing phishing simulations and real-time feedback can help maintain employee vigilance.

New Findings on the National Public Data Breach: Poor Security Measures and the Role of Infostealer Malware as a Possible Vector of Attack 

Julio Casal on September 11, 2024

In recent months, the National Public Data (NPD) breach has been a topic of intense scrutiny, with cybersecurity experts like Brian Krebs highlighting the poor security practices that contributed to the breach’s magnitude. As we continue to analyze the aftermath, new findings have come to light that underscore the dangers posed by inadequate security measures and the rising threat of infostealer malware as a vector of attack.

New Findings: Malware Infections and Shared Credentials

Our latest investigation into the NPD breach has uncovered two instances of malware infostealer infections associated with the site recordscheck.net, which raise serious concerns about the security of the affected infrastructure.

Infection #1: Shared Credentials or Compromised Systems?

The first case involves a user named Sal Verini, whose email and username were found alongside numerous credentials from creationnext.com. This overlap suggests two possible scenarios:

  • Shared System Usage: Sal may have used the same computer as someone from creationnext.com, leading to a potential cross-contamination of credentials.
  • Credential Sharing: Alternatively, Sal may have shared his credentials with someone at creationnext, raising the risk of unauthorized access.

Both scenarios point to poor security practices that could easily be exploited by attackers, leading to significant data breaches.

2. Infection #2: Weak Security and Admin account exposure

The second instance is even more alarming. It involves a user named “admin” who was using one of the most simple passwords possible — “passw***”—a glaring example of weak security. Looking at the autofill data, this account appears to be linked to Thomas S, a young independent Software Developer in Togo. The infection date was recorded as of May 26, 2023.

Were these infections the vector of attack to the NPD breach?

Recent breaches have increasingly been traced back to infostealer malware, which harvests credentials and other sensitive information from infected systems. These stolen credentials and cookies are then used to gain unauthorized access to networks, leading to data breaches and other cyber-attacks.

In the case of the NPD breach, it’s plausible that infostealer malware was the vector of attack. The presence of shared credentials and weak security practices only amplifies this risk, as attackers can use these stolen credentials to infiltrate systems and exfiltrate valuable data.

A Call for Better Security Practices

The NPD breach serves as a stark reminder of the importance of robust security practices. The use of weak passwords, sharing of credentials, and reliance on autofill features are all practices that can lead to catastrophic breaches. Organizations must prioritize security by implementing strong, unique passwords, minimizing the use of autofill for sensitive information, and regularly monitoring for signs of malware infections.

The Deception Game: How Cyber Scams Manipulate Trust to Access Sensitive Information

Alberto Casares on September 5, 2024

In recent years, the landscape of cyber scams has evolved, targeting even the tools designed to protect consumers. One such concerning development involves the exploitation of trusted services to mislead and scam users. This article explores a specific case in which scammers may have taken advantage of these services to deceive users into divulging sensitive information, leading to potential financial losses and identity theft.

The Mechanics of the Cyber Scams

At the core of this issue lies a highly sophisticated cyber scam that exploits the trust consumers place in services that were designed to alert users regarding suspicious activities or data breaches. In this case, however, scammers have managed to breach the very systems intended to safeguard user identities. Here’s how the scam operates:

  1. Compromised Alerts: Users receive seemingly legitimate alert emails from a trusted organization, notifying them of potential security issues. These emails include clickable links that direct users to what appear to be secure websites.
  2. Redirects to Malicious Sites: Upon clicking the link, users are redirected to malicious domains designed to look like legitimate websites or are taken directly to scam sites hosted on platforms like Telegram. These sites may request further sensitive information under the guise of security checks or offer downloads that contain malware.
  3. Exploitation of User Trust: The effectiveness of this scam lies in its exploitation of user trust. Since the alerts originate from a trusted source, users are more likely to click on the links without their usual level of scrutiny. This bypasses standard phishing detection mechanisms, which often filter out emails from suspicious or unknown sources.

Indicators of Deceptive Practices

Several red flags were identified during the investigation into these compromised alerts:

  • Clickable Links in Alerts: Unlike more secure practices adopted by other identity protection services, some alerts include clickable links. This practice is risky because it can easily be exploited to redirect users to malicious sites.
  • Use of Scam Domains: The domains used in these alerts were found to be registered for the explicit purpose of hosting scam operations. For example, one domain redirected users to a Telegram channel that further directed them to malicious downloads or additional scams.
  • High Click-Through Rates: Analysis of traffic to these scam domains revealed a substantial number of users clicking through from these alerts. This suggests a significant exploitation of these alerts, driving traffic to malicious sites and potentially resulting in a high number of compromised users.

Potential Implications and Risks of Cyber Scams

The consequences of this scam could be far-reaching:

  • Financial Loss: Users deceived by these scams might inadvertently provide sensitive information such as banking details, leading to financial fraud or unauthorized transactions.
  • Identity Theft: The exposure of personal information can lead to identity theft, where attackers use the information to open new accounts, make purchases, or engage in other forms of fraud.
  • Malware Infections: Users who download files from these scam sites could infect their devices with malware, further compromising their security and potentially leading to data loss or additional breaches.

Conclusion: How Constella Intelligence Leads the Way in Combatting These Threats

At Constella Intelligence, we’ve recognized the growing sophistication of scams targeting identity protection services and have implemented advanced mechanisms to safeguard our users.

Our systems incorporate a robust verification and curation process, designed to detect and mitigate these types of fraudulent attacks before they reach our customers. In line with the rigorous standards we detail in our blog Verifying the National Public Data Breach, we employ advanced data validation and monitoring techniques to ensure every alert is legitimate and free from manipulation. By continuously monitoring for suspicious patterns and ensuring that all alerts are authentic, we provide the most secure identity protection available on the market. As the leading identity protection provider, we’re committed to staying ahead of emerging threats and maintaining the trust our users place in us to protect their personal information.

Recommendations for Users

To safeguard against potential scams and enhance online security, consider the following steps:

  1. Avoid Clicking on Links in Emails: Even if the email appears to be from a trusted source, manually navigate to the company’s official website instead of clicking on links in the email. This reduces the risk of being redirected to a malicious site.
  2. Use a Password Manager: A password manager can help generate and store complex, unique passwords for each of your accounts, reducing the risk if one service is compromised.
  3. Monitor Your Accounts Regularly: Frequently check your bank statements and credit reports for any unauthorized activity. Early detection of suspicious activity can prevent more significant financial losses.
  4. Enable Multi-Factor Authentication (MFA): Whenever possible, use MFA on your online accounts. This adds an additional layer of security by requiring multiple forms of verification.

By following these recommendations, users can better protect themselves from the increasingly sophisticated tactics employed by scammers to exploit even the most trusted services.

Potential Surge in Cryptocurrency Leaks

Alberto Casares on August 27, 2024

Increase in Cryptocurrency Leaks After Trump Supports Bitcoin

Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.

Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.

These comments could have caused crypto-related sites to increase in value, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive for attacks on these platforms grows, highlighting the need for robust security measures.

Crypto Leaks Overview

In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.

Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web

Zuelacoin Data Leak:

zyelacoin cryptocurrency leak

This information was published on March 31, 2024. According to the threat actor the data includes:

  • Emails
  • Names
  • Social media profiles (Twitter, Facebook, Telegram)

Binance Cryptocurrency Leak:

Binance Cryptocurrency Leak

The post was made on May 27, 2024. The exposed information includes:

  • Emails
  • Full names
  • Phones
  • Countries

Mobile Apps like CashCoin, Coinbase, and KuCoin:

Mobile Apps like CashCoin, Coinbase, and KuCoin

The threat actor “whix” published this on March 26, 2024. The exposed information includes:

  • Emails
  • Usernames
  • Passwords
  • Countries
  • IP Addresses
  • Payment methods

eToro Cryptocurrency Leak:

eToro Cryptocurrency Leak

The same threat actor also reported this on March 25, 202, where the following information could be found:

  • Full names
  • Emails
  • Countries
  • IP Addresses
  • Amounts
  • Payment methods

Bitcointalk Cryptocurrency Leak:

Bitcointalk Cryptocurrency

According to the threat actor on March 25, 2024, a database exposing the following information was published:

  • Emails
  • Usernames
  • Ethereum Addresses

These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.

Extent of Infostealer Exposures

Constella Intelligence has checked if the information published could have been produced as the effect of infostealer infections. This check resulted in nearly 4 million users of these cryptocurrency companies being exposed to infostealer data. Most exposures have impacted major cryptocurrency exchange platforms:

  1. Binance: More than 2M users exposed.
  2. EToro: More than 500k users exposed.
  3. Crypto.com: More than 300k users exposed.
  4. Localbitcoins: More than 200k users exposed.

Digging into the infostealer exposures, Constella Intelligence also identified what seems to be infostealer infections of potential employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.

Implications of Crypto-Related Breaches

The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:

  1. Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
  2. Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
  3. Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.

Recommendations for Users

To mitigate the risks associated with the recent breaches, users should adopt the following security practices:

  1. Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
  3. Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
  4. Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
  5. Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.

2024 Identity Breach Report: Navigating the GenAI Attack Revolution

Rachel Hamasaki on August 21, 2024

The cybersecurity landscape is rapidly evolving, and our 2024 Identity Breach Report: Welcome to the GenAI Attack Revolution offers essential insights into how artificial intelligence (AI) and complex data sets are transforming the threats we face today.

The New Face of Phishing: AI-Powered Scams

This year’s report highlights a dramatic shift in phishing tactics. With tools like FraudGPT and advanced natural language processing (NLP), phishing attacks have moved beyond the outdated Nigerian prince emails to become hyper-personalized and alarmingly convincing. These AI-driven attacks leverage Large Language Models (LLMs) to create realistic scams that often evade detection. Warren Buffett aptly noted that AI is propelling scamming into a “growth industry,” and research from Harvard Business Review confirms this trend, showing that AI reduces phishing implementation costs by over 95% while boosting success rates. This signifies a forthcoming surge in both the sophistication and frequency of phishing attacks.

The Escalation of Nation-State Cyber Threats

Our report also explores the rising influence of nation-state actors in cyber conflicts. In 2023, breaches linked to Russian entities were responsible for six of the top ten compromised domains, underscoring the escalation of cyber warfare. Accurate source attribution and a global data perspective are now indispensable for combating these state-sponsored threats. This approach is vital for effective defense against identity theft and for conducting thorough investigations to identify and neutralize bad actors.

The Growing Threat of Infostealers

Infostealers continue to be a significant threat in the cybersecurity landscape. These tools, which facilitate remote data exfiltration and theft, have seen a substantial increase in usage. Our report reveals a 140% rise in infostealer incidents since 2021, with no signs of this trend slowing. Infostealers remain a critical concern, emphasizing the need for advanced security measures to protect both consumer and corporate data.

Why This Report Matters

The 2024 Identity Breach Report provides crucial insights into the evolving cyber threat landscape shaped by AI and data complexities. Understanding these developments is essential for enhancing your cybersecurity strategies and effectively addressing the risks of identity exploitation and cyberattacks.

Stay Ahead of Emerging Threats

To safeguard your organization against sophisticated threats, staying informed is key. The 2024 Identity Breach Report equips you with the knowledge needed to navigate the changing cybersecurity terrain. Stay ahead of emerging risks and protect your organization with the latest insights and recommendations from our in-depth analysis.

Verifying the National Public Data Breach: The Largest Social Security Number Exposure in History

Julio Casal on August 20, 2024

There have been conflicting reports recently published related to the National Public Database (NPD) breach, including claims that “3 billion people have been exposed,” or that “all U.S. social security numbers (SSNs) may have been stolen,” as well as confusion on the quality and veracity of the data.

This blog seeks to clarify and shed light on the real risk and exposure of the breach based on in-depth analysis of the data.

Key highlights of this National Public Data Breach analysis:

  1. How many people were affected?

Based on our analysis, the total number of unique individuals affected by the breach are:

292 million people were exposed, with 272 million including SSNs

This represents 60% of all historical SSNs issued by the IRS, marking the largest volume of SSN exposure on the dark web to date.

  1. Who is affected?

The data is outdated and goes back to the beginning when SSNs were first issued in 1936, including deceased individuals. Some insights include:

  • Only a small percentage of the SSNs exposed include those assigned within the last 20 years.
  • The larger population affected was born between 1950 and 1970, as shown in the graph below:
Date of birth for individuals affected by this breach
Date of birth for individuals affected by this breach
  1. What is the quality of the data?

The data comes from a poor collection operation from a mix of sources and includes many errors. We created tests to evaluate information with minimal accuracy that may pose some risk for identity attacks.

49% of the SSNs exposed don’t include the minimum quality to pose a risk for identity attacks

Data is always being updated on an ongoing basis, which most likely explains why the quality changes dramatically depending on the age of the data.

Note that even if there are deceased individuals in the dataset, the highest proportion of actionable information affects the living population.

The graph above shows the percentage of identities that have the minimal accuracy required to pose a risk to identity attacks
  1. What is the magnitude of the risk of this dataset?

Even if only 51% of the SSNs exposed hold a minimal quality to be used in identity attacks, this translates to added risk to an unprecedented 138 million people.

NPD is the largest SSN exposure ever surfaced in the dark web – this breach could be used to attack 138 million people

Again, even though the dataset includes many deceased individuals, the highest proportion of actionable information affects the existing population.

Analysis of the Data

Total SSNs Exposed

The total unique SSNs from the collision of Part 1 and Part 2 is 272 million. Since each SSN can only be assigned to one person, the total number of people that had their SSNs exposed, if all SSN numbers are true.

The IRS has assigned 453 million from the 1 billion total possible. This means that this dump exposes 60% of the total historical SSNs. The distribution of SSNs is shown below.

Social security number distribution

Total Number of People Impacted

In the subsequent section, it’s noted that there are 21 million exposed email records not linked to an SSN. Dividing this by 1.1 (the average number of emails per person) reveals an estimated 19 million individuals whose emails were exposed without their SSNs. Adding these 19 million individuals to the 272 million with exposed SSNs, the total number of people affected by the NPD breach amounts to 292 million.

Detailed Numbers

All National Public Data Breach:

  • Unique People:   294 million
  • Unique SSNs:      272 million
  • Unique Emails:    32 million

Detailed information from each package:

  • Part 1, also called “partial”:
    • Records: 42,084,115
    • Unique SSNs: 16,229,269
    • Unique emails: 32,052,804
    • Unique emails not associated to an SSN:  21,539,497
    • Unique SSNs with one or more emails: 10,513,307
    • Average number of emails per person: 1.1
  • Part 2, also called “full”:
    • Records: 261,538,219
    • Unique SSNs: 261.538.218
    • Emails: 0
    • Unique emails: 0

Quality Tests

The data consists of a mix of different sources from scraping of non-public sources according to the class action lawsuit. This has led to concerns regarding the quality of the data with a number of people reporting real findings as well as erroneous ones.

Testing SSNs

The most difficult step when testing the accuracy of SSNs is to have a good quality test dataset. Unlike emails and other credentials, SSNs have rarely been exposed in substantial volumes and are difficult to validate due to their sensitive nature — people generally do not and should not disclose their SSN publicly.

At Constella, we can leverage our extensive experience in protecting millions of identities for nearly 10 years. To assess the validity of SSNs, we gathered 100,000 records containing SSNs that were previously exposed in different breaches and leakages and were tagged as “high confidence” by our Alert Engine.

SSN Numbers Test

Out of the 1 billion potential 9-digit SSN combinations, the IRS has assigned only 46%. Our first test was designed to verify the authenticity of the SSN numbers in isolation, without considering any accompanying information like names, addresses, phones, etc.

76% of the SSNs we tested were found in the NPD data

Minimal Accuracy Test

Despite having a robust test dataset, verifying identity information presents significant challenges, particularly when an email is not included, due to the ambiguity in identity details:

  • Names often have variations, such as aliases, abbreviations, or different spellings in surnames. Additionally, individuals may change their surnames due to marriage or other reasons.

For example, in our dataset, a man listed as Miguel Guz*** appeared as Michael Guz*** in the NPD dataset, a woman recorded as Josie So*** was listed as Osie So***, a surname Giess***l appeared as Phillip Giess*** without the final “l”, and a woman named Deborah was referred to as Debra.

  • Addresses and phone numbers are also subject to change over time, further complicating the verification process. For this reason, when alerting SSN records it is quite rare to find a full match of an SSN exposed identity and the identity being tested.

Due to these variations, seeking exact matches between the test dataset and the data under review is often not very productive, as perfect alignment of details is rare. However, partial matches of the data can be sufficient for impersonation attacks, or can be completed with other datasets, or used for creating synthetic identities.

We created tests aimed to evaluate how many of the records include enough real information to pose actual risk of an identity attack. The test evaluates if an SSN, a first name, and a 3rd identity attribute (a surname, DoB, address, or phone) matched. For example: a first name, a surname name and SSN will match the test.

Only 51% of the identities passed the test. But this percentage is highly dependent on the age of the person, being much higher for the younger population. Data from people born in the 90s decade produced a 90% match, from 80s a 73%, and from the 70s a 58% match.

Age of the Data

Only 56% of the records include a Date of Birth. These records contain some “impossible” dates, such as dates of birth in the future or in the first century, affecting a total of 8,900 identities. In analyzing the distribution across decades, the most populated ones are the 1950s and 1960s.

In conclusion, the larger portion of the population was born from 1940 to 1980, the data is quite outdated, with a sharp drop in recent years. It goes way back in the past with 1 million people being born in the 1900’s decade.

About the Breach Package

The breach, initially linked and recently attributed to the data provider National Public Data, was orchestrated by the cybercriminal group USDoD, who allegedly tried to sell the stolen data on the dark web for $3.5 million. This incident underscores the significant risks associated with unauthorized data collection and highlights the critical need for enhanced data protection measures, particularly for individuals in sensitive positions.

The breach first came to light on July 22, 2024, when a malicious actor known as Petrovic an 80GB partial dataset on BreachForums. While this initial leak was considerable, it was merely the tip of the iceberg, revealing only a glimpse of the total compromised data. 

national public data breach

By August 6, another hacker named Fenice released the complete dataset, totaling 277GB and 2.69B lines, making this one of the largest data breaches in history.

public data breach

Versions and Additions. What’s included in our Analysis

On top of the main data, there are additional files with dumps, including a criminal list with 2.8 million criminal records and another one with 2.1 million arrest records.

Some versions of the dump seem to have aggregated other 3rd party leak packages – Troy Hunt reports finding an Acuity directory with 100 million unique emails.

None of them include SSNs, and we won’t include those in this analysis, which will be focused on the core NPD database.