New Background Check Service Data Breach Exposes Information of Over 100M US Citizens

• A massive data breach exposed the sensitive information of more than 100 million Americans.
• MC2 Data left their database unprotected online, which contained 2.2TB of personal details.
• The background check service security incident also exposed the individuals who used their websites.

MC2 Data, a background check service, has reportedly left a massive database unprotected online. The exposed dataset amounts to a staggering 2.2TB of sensitive information on over 100 million US individuals—approximately one in three Americans, according to research conducted by Cybernews.

The security researchers discovered that MC2 Data's database was left without password protection, rendering it easily accessible to anyone on the Internet. What was likely a human error exposed private details about US citizens, raising serious concerns about privacy and safety. 

This critical oversight allowed unauthorized access to an extensive array of personal information collected from various online sources, which MC2 Data utilizes to inform decision-makers on matters such as housing rental approvals, employment, and loan applications.

The unguarded database contained 106,316,633 records with intricate personal details, including names, emails, encrypted passwords, home addresses, dates of birth, phone numbers, and familial, relative, and neighbor information.

IP addresses, user agents, partial payment information, property records, legal records, and employment history were also exposed.

Furthermore, the breach affected 2,319,873 individuals who had subscribed to MC2 Data services, adding another layer of vulnerability to those trusting this service.

The list of websites operated by MC2 Data includes PrivateRecords.net, PrivateReports, PeopleSearcher, ThePeopleSearchers, and PeopleSearchUSA.

On August 6, background check company Jerico Pictures Inc., trading as National Public Data (NPD), suffered a data breach that leaked on a hacker forum. However, it turns out another NPD data broker with shared access accidentally published the passwords to its backend database.