The National Public Data Breach — What It Is, Why It Matters, and What to Do in 10 Minutes

May 25, 2026 · 7 min read

In 2024 a data broker called National Public Data was breached. The file that emerged from the breach contained roughly 2.8 billion records: typically name, address history, phone number, date of birth, and Social Security number, with each person often appearing 10 to 15 times across every address they have ever lived at.

The dataset is now circulating freely on the open internet. We can't take it down. But you can make the data useless to anyone trying to impersonate you. This page tells you exactly how, in under 10 minutes, for free.

How bad is this really

There are roughly 300 million Americans. The leak contains roughly 2.8 billion records. The math means most people are in the file multiple times — once for each address they've lived at since the data broker started aggregating.

Practical implication: if you've lived in the US in the last 25 years, you are almost certainly in this file. Including your SSN.

Your data is on every computer that downloaded that breach. We cannot remove it from any of them. What we CAN do is make it useless to the people who downloaded it.

What to do today

Step 1 — Freeze your credit at all three bureaus (5 minutes)

This is the single highest-impact thing you can do, period. A credit freeze stops anyone from opening new accounts in your name. It is free, takes about 90 seconds per bureau, and does not affect your credit score.

  • Equifax — https://www.equifax.com/personal/credit-report-services/credit-freeze/
  • Experian — https://www.experian.com/freeze/center.html
  • TransUnion — https://service.transunion.com/dss/orderStep1_form.page?sitePrefix=PC

When you yourself actually need credit (mortgage, car loan, new credit card), you log in to the bureau and unfreeze for as long as you need. The freeze costs nothing and inconveniences only you when you yourself want new credit. There is no downside.

Step 2 — Create an IRS IP PIN (3 minutes)

Stops anyone from filing a fraudulent tax return in your name. Free, takes a few minutes, prevents the most common "I never got my refund" scenario:

→ https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

Step 3 — Claim your my Social Security account (3 minutes)

If you don't claim the account yourself, an attacker with your SSN will. Free, takes a few minutes:

→ https://www.ssa.gov/myaccount/

Step 4 — Opt out of pre-screened credit offers (2 minutes)

Stops the physical mail an identity thief uses to intercept pre-approved card applications:

→ https://www.optoutprescreen.com

That's it. About 10 minutes total. The freeze step alone makes the NPD breach functionally useless against you.

Want to check if you're in the leak

We do not host an NPD lookup — we don't want to redistribute the raw breach data ourselves. A trustworthy free check is run by Pentester:

→ https://npd.pentester.com

Type your name, get back whether you appear in the file. If you are (you almost certainly are), do the four steps above.

What about my children

The NPD file contains records on minors too. Children are a high-value target for identity thieves because nobody checks their credit until they apply for student loans — meaning a child's stolen identity can be used unchecked for a decade before anyone notices.

For each child under 16:

  1. Freeze their credit at all three bureaus — each bureau has a minor-credit-freeze page that requires their SSN plus birth certificate
  2. Don't post their full name, school name, and birthday together on social media — that's everything an attacker needs to apply for things in their name
  3. When they turn 16, walk them through this checklist with their own accounts

What freezing does NOT protect against

Important to be clear about what's outside the credit-freeze umbrella:

  • Existing fraud on accounts you already have. Use transaction alerts on every bank and credit card account — turn them on today.
  • Medical-identity theft. Read your "Explanation of Benefits" statements from your health insurance. Treatment you didn't receive showing up there is the sign.
  • Tax-refund fraud. The IRS IP PIN above is the fix.
  • Phone-port / SIM-swap attacks. Call your phone carrier and ask for a Port Out PIN (every major carrier has this; not all enable it by default). Without that PIN nobody can port your number to a new device.
  • Social engineering of your bank or utility. Call them and ask to add a verbal-passcode-required note. Then anyone calling in pretending to be you will need that passcode to authenticate.

The bigger question — why is this even possible

The NPD breach was made possible because a single sheriff at a single sheriff's department had access to every American's Social Security number, and reused credentials for a demo project on his main system.

2.8 billion records, exposed, because one credential was reused.

The deeper issue is that the Social Security number was never designed to be a national identifier, much less a national authenticator. Treating a 9-digit number as both "this is who you are" and "this proves you are who you say you are" is the broken design. The fix at the system level is biometrics — phone-based passkeys, hardware security keys, eventual replacement of SSN-based identity verification. None of that is here yet.

In the meantime: freeze your credit. Claim your IRS PIN. Claim your SSA account. Opt out of pre-screened offers. Ten minutes. Free.


This page is educational, not legal or financial advice. For complex identity-theft situations, contact the FTC at 1-877-438-4338 or a qualified attorney.