Experts later clarified that while the "2.9 billion" figure likely included many duplicates and deceased individuals, the scale remained historic. Unlike the , which stemmed from a software vulnerability, the NPD incident is frequently cited as a cautionary tale about directory listing vulnerabilities and the dangers of storing sensitive backups on internet-facing servers.
Once discovered, the data was reportedly scraped and posted to the dark web by a threat actor known as "USDoD." The hacker initially attempted to sell the database for , claiming it contained 2.9 billion records , including: Full names Social Security numbers (SSNs) Mailing addresses Phone numbers The Impact index_breached.vc.zip
: Direct access to the company's proprietary software. Experts later clarified that while the "2
: Usernames and passwords for their internal systems. : Usernames and passwords for their internal systems
The file index_breached.vc.zip is a notorious archive linked to a massive data breach involving , a background check company owned by Jerico Pictures Inc..
The breach wasn't necessarily a complex hack but a critical oversight. A security researcher discovered that NPD had left a zip file—often identified as index_breached.vc.zip or similar variants—publicly accessible on their website. This file contained:
