Millions Exposed by New Identity Theft Scheme

Millions of Americans have had their most sensitive personal information exposed by hackers who bypassed the security of several major data companies.

The attacks were launched by hackers who ultimately sold the stolen data to a group called SSNDOB, which stands for Social Security Numbers, Dates of Birth.

The hackers infiltrated servers belonging to major data brokers, including LexisNexis, Kroll Background America, and Dun & Bradstreet.

Massive Databases Hacked Using Botnet

Together these firms maintain some of the world's largest databases of personal information.

LexisNexis specializes in legal and public records management; Dun & Bradstreet focuses on business and credit data; and Kroll's information is used for employment background checks and health screenings.

The hackers reportedly carried out their attacks using a custom botnet that bypassed brokers' security and planted a program on targeted servers. That program then collected personal information related to an estimated four million customers.

Security expert Brian Krebs says the botnet is extremely efficient and hard to detect. In fact, not one of the 46 top-rated antimalware programs on the market right now could find and eliminate it. (Source: krebsonsecurity.com)

Krebs, who has been investigating SSNDOB's activity for some time, says the group emerged in 2012. He says he believes SSNDOB has sold roughly 1 million social security numbers since then.

Personal Data Cheap to Buy

So, how much does it cost to acquire this kind of information from SSNDOB?

Krebs says it's surprisingly cheap -- from 50 cents to $2.50 for social security numbers and date of birth records and between $5 and $15 for credit information. These purchases are made using unregulated currencies like Bitcoin and WebMoney. (Source: cnet.com)

The Federal Bureau of Investigation is reportedly pursuing the matter, though details relating to the investigation remain sparse.

"All three victim companies said they are working with federal authorities and third-party forensics firms in the early stages of determining how far the breaches extend," Krebs said.