The Headline Said 3 Billion. The Real Number Was 134 Million Emails and 272 Million SSNs. The Company Went Bankrupt Either Way.
- 134 millionUnique email addresses leaked in the National Public Data breach, per Troy Hunt's August 13, 2024 analysis of the 642 GB / 1,000+ file corpus. The headline-grabbing ‘2.9 billion’ figure counted duplicate records across decades of address history.
- 272 millionUnique Social Security numbers exposed in the same dataset, per Constella Intelligence's analysis — roughly 60 percent of every SSN ever issued by the Social Security Administration. The largest SSN dark-web exposure in recorded history.
- $3,500,000Initial asking price the threat actor USDoD listed on BreachForums in April 2024. The actor was arrested in Brazil in October 2024. By August 2024 the full 277 GB dataset was released free by a different actor (“Fenice”).
- $46,000California Privacy Protection Agency's February 2025 fine against Jerico Pictures Inc. (NPD's parent company) for failure to register as a data broker by the January 31, 2024 deadline. This is the maximum penalty available under California's Delete Act.
- Chapter 11Jerico Pictures filed for bankruptcy in Florida on October 2, 2024. Assets declared: under $75,000. Net profit (2023): $865,149. Insurance carrier declined to cover the breach. Class-action victims face a near-zero recovery.
The headline number in August 2024 was 2.9 billion records. The reality was significantly different and significantly worse, depending on how you count. 134 million unique email addresses. 272 million unique Social Security numbers — roughly 60 percent of every SSN the Social Security Administration has ever issued. Average age of the subjects: 70 years old. Roughly two million records were for individuals already over 120 — that is, deceased. The breach was real. The scope was just different than the first wave of coverage suggested.
The company behind it is National Public Data, operating name of Jerico Pictures Inc., a Coral Springs, Florida data broker run by Salvatore “Sal” Verini Jr., a retired Broward County Sheriff's deputy and actor. Per Krebs on Security, Verini ran the operation out of a home office with two desktops, a laptop, and five Dell servers. 2023 net profit: $865,149. When the breach went public in August 2024, Verini's insurance carrier declined to cover it. By October 2 he had filed Chapter 11. By December the company had shut down.
That is the story's structural failure: the regulatory architecture was simply not built for a breach at this scale from a company this small. California's maximum fine under its Delete Act is $46,000; that is what NPD paid and that is what California had available to levy. The House Oversight probe (Reps. James Comer R-KY and Nancy Mace R-SC) demanded a briefing from Verini in August 2024 and no public conclusion has been issued. The class-action settlement remains pending; given the bankruptcy, victims face a near-zero realistic recovery.
On August 13, 2024 — about a week after the full 277 GB dataset leaked free of charge on a hacking forum — cybersecurity researcher Troy Hunt published his analysis at troyhunt.com. Hunt parsed the 642 GB corpus across more than 1,000 files and arrived at 134 million unique email addresses. He flagged something else: in a 100-million-record sample, only 31 percent contained unique SSNs. The 2.9 billion total record count was inflated by duplicate address histories spanning decades. The actual distinct-individuals count was closer to 899 million records covering ~300 million unique people— still a top-ten historical breach by any standard.
Constella Intelligence's separate analysis identified 272 million unique SSNsin the exposed corpus — the largest dark-web SSN exposure on record. That figure's significance is hard to overstate. Roughly 60 percent of all SSNs ever issued by the Social Security Administration sat in this dataset. The majority of affected subjects were born between 1950 and 1970; a significant subset were deceased. The data was sourced from employment-screening, landlord-background, and criminal-records aggregation feeds — the boring mechanics of the data broker industry, scaled up and dumped in one place.
“If you find yourself in this data breach via HaveIBeenPwned.com, there's no evidence your SSN was leaked.”
Troy Hunt · troyhunt.com · August 13, 2024
The first public listing of the dataset appeared on BreachForums on April 7-8, 2024, posted by an actor using the handle USDoD at an asking price of $3,500,000. USDoD was arrested by Brazilian authorities in October 2024 — an outcome documented by BleepingComputer in real time. Before that arrest, on August 6, 2024, a different actor using the handle Fenicereleased the full 277 GB corpus for free on Breached hacking forum, attributing the original breach to a third actor, “SXUL.” Once the dataset was free, the speed of public reporting accelerated; BleepingComputer published its first major analysis August 11, NPD acknowledged the breach in writing August 15-16, and Krebs published his deep look at the NPD operation on August 15 and the “NPD published its own passwords” sister-site exposure on August 19.
Krebs' second piece is worth flagging. NPD's sister site RecordsCheck.nethad a publicly accessible “Members.zip” archive containing plaintext administrator credentials and source code. The site's web development had been outsourced to a Pakistani firm. Default passwords were six characters. Constella Intelligence later confirmed exposed passwords in that archive matched prior breach data tied to Verini's own email accounts. In plain terms: the company holding 272 million SSNs published its own administrative passwords on the public internet for an extended period.
NPD remains one of the most interesting breaches of 2024 — not because of the headline numbers, but because of what the deep analysis revealed about how data brokers actually aggregate identity. The 'unique emails' framing is the honest one.
USDoD hacker behind National Public Data breach arrested in Brazil. The arrest does not change the exposure of the 134 million emails and 272 million SSNs that have been circulating freely since Fenice released the dataset in August.
Jerico Pictures Inc., d/b/a National Public Data, was a two-person operation in Coral Springs, Florida. Owner Salvatore Verini Jr.— identified by Krebs on Security as a retired Broward County Sheriff's deputy and an actor — ran the company alongside a small support staff out of a home office. The hardware footprint, per Krebs: two desktop computers, a laptop, and five Dell servers. Net profit: $475,526 in 2022, $865,149 in 2023. Annual revenue was higher, but Verini's compensation took the bulk of it. Verini also owned related entities including National Criminal Data LLC, Twisted History LLC, and RecordsCheck.net — the password-spilled sister site.
On October 2, 2024, Verini filed Chapter 11 bankruptcy in Florida court. Declared assets were under $75,000. Per TechCrunch's October 14 reporting, NPD's insurance carrier declined to cover the breach — specifically because the anticipated liability for credit monitoring alone (for hundreds of millions of impacted individuals) exceeded any policy structure the carrier was willing to honor. The company shut down public-facing operations in December 2024. The website displayed a closure notice through early 2025.
California's Delete Act — the strongest state-level data-broker registration statute on the books — caps fines at $46,000 for registration failures. That is the maximum the California Privacy Protection Agency could impose against Jerico, and it did so in February 2025. The FTC under Chair Lina Khan (D) had the agency examining data brokers broadly but no specific NPD enforcement action materialized; FTC Chair Andrew Ferguson (R) issued PADFAA-compliance reminders to 13 brokers in February 2026 but again no specific NPD action. The 20+ states' civil-penalty investigations are working through the bankruptcy court. The gap between available legal tools and the scale of harm here is the actual story.
“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
National Public Data official statement · via BleepingComputer · August 16, 2024
House Oversight Chair James Comer (R-KY) and Rep. Nancy Mace (R-SC) opened a formal probe in late August 2024 demanding an immediate briefing from Verini. The probe's public output as of May 2026 is limited to the launch press release. Separately, Sens. Elizabeth Warren (D-MA), Ron Wyden (D-OR), Bernie Sanders (I-VT), and Sheldon Whitehouse (D-RI) reintroduced the Health and Location Data Protection Act of 2024 citing NPD-style aggregation as the threat model. The bill proposes a federal data-broker registry and consumer opt-out rights. It has not advanced.
The data-broker accountability problem is structurally bipartisan and structurally unresolved. Conservative-leaning members (Comer, Mace) and progressive-leaning members (Warren, Wyden, Sanders) are aligned that something must be done. They are not yet aligned on what. The federal legislative track has produced no enacted statute. The executive enforcement track has produced one $46,000 state fine. The judicial track is processing a bankruptcy that already declared assets under $75,000.
This breach exposed the personal data of potentially hundreds of millions of Americans. National Public Data owes Congress and the American public an immediate explanation of how this happened, what data was affected, and what is being done to prevent recurrence.
Paraphrased commentary · not a verbatim post
Paraphrased from House Oversight Committee's public probe launch. The committee has not published findings as of May 2026.
The data-broker industry sits in a regulatory hole. There is no federal data-broker registration statute. There is no federal breach-notification floor that applies uniformly across data brokers. There is no liability framework that scales with the size of the data hoard rather than the size of the operating company. The California Delete Act is the most aggressive state-level statute on the books and its maximum fine is one ten-thousandth of one percent of the credit-monitoring liability TechCrunch estimated NPD would face if forced to indemnify victims.
The structural lesson of NPD is not that one bad broker existed. It is that the entire industry can produce an NPD at any time, that the criminal-liability ceiling for the owner is bounded by the assets of a thinly capitalized shell, and that the regulatory ceiling on financial penalty is bounded by Delete-Act-class statutes capped in the tens of thousands of dollars. Until federal legislation closes either of those gaps — the operating-shell shield or the fine cap — the next NPD is simply waiting on the next ransomware or credential dump.
National Public Data, a two-person Florida shop owned by an actor and retired sheriff's deputy, lost 134 million unique email addresses and 272 million unique SSNs— the largest dark-web SSN exposure on record — through a breach the company did not fix and a sister site that published its own admin passwords. The company went bankrupt with under $75K in assets. The maximum state fine available was $46,000. The federal legislative response did not advance. The class-action victims face near-zero recovery. The architecture is the story.