Historic data breach of nearly 3 BILLION people including Americans' social security numbers leaks to the dark web - here's what to do if you were exposed

One of the worst data breaches in history has left private details of an estimated 2.9 billion people, including Americans' social security numbers, out on the dark web.

A Florida-based background-check company's database was raided and then posted for sale this past April 8, offered up to any cybercriminals willing to pay $3.5 million.

The company has yet to confirm the breach with its own figures, but if true, the scope of the hack rivals the record-setting 2013 hack of Yahoo! which exposed the data of three billion people worldwide.

The cybercriminal group selling the data, which is believed to be based in Latin America and goes by the ironic moniker 'USDoD,' after the US Department of Defense, shared the file with one cybersecurity expert to confirm its legitimacy.

Most Americans — and even many of their dead relatives — are likely to have private data at risk from the breach, unless they have regularly paid for 'opt-out' services.

This sprawling, stolen database contains address histories, relatives' names and more on hundreds of millions of US citizens, including many who have been dead for decades, new court filings show. 

Attorneys for the victim who was first alerted to the breach by his own identity-theft protection service are now pursuing a class action suit against the database firm.

According to that lawsuit filed Thursday, background-check company Jerico Pictures, doing business under the name National Public Data, failed to 'effectively secure hardware containing protected PII [personal identifiable information].'

The suit also accuses the firm of having 'scraped' its billions of files on private individuals from other databases without those individuals' 'consent or knowledge.'

'Defendant's conduct amounts at least to negligence,' the attorneys, led by the Kopelowitz Ostrow Firm, argued in their proposed class action complaint.

A cursory scan of the three billion individual files contained in the leak, according to the proprietors of the cybersecurity and malware education website VX-Underground, 'immediately found' any individual who 'did not use data opt-out services and resided in the United States.'

The files typically contained their first and last name, current address, last three home addresses, their social security number, and a host of data on their families.

'It also allowed us to find their parents, and nearest siblings,' the cybersecurity writer continued. 'We were able to identify someone's parents, deceased relatives, uncles, aunts, and cousins.' 

'Some individuals located had been deceased for nearly 2 decades,' they reported.

National Public Data, which is based in Coral Springs, an hour north of Miami, Florida, has not yet disclosed when or how the breach of its databases occurred.

The company has not yet responded to requests for comment by DailyMail.com.  

Worse, the firm has yet to alert or issue warnings to hundreds of millions of affected individuals inside the US, nor apparently to those abroad who may also be at risk. 

Current estimates from the US Census Bureau place the total US population at 336.8 million people — or just 11.2 percent of those caught in this massive data breach.

Most Americans, in other words, including many of their late relatives, are likely to be victims of the hack and thus prospective plaintiffs in the class-action.

But as VX-Underground, who reviewed the entire 277.1 gigabyte file obtained from the hackers, noted: 'The database DOES NOT contain information from individuals who use data opt-out services.'

'Every person who used some sort of data opt-out service was not present,' VX-Underground reported in a post to the social media site X this past June.

Data opt-out services charge up to $499 per year to do the tedious task of demanding data brokers remove your personal data from their lists.

But for those looking for a more cost-effective method, the nonprofit Consumer Reports offers a similar service via its Permission Slip app.

USDoD, who first gained infamy under the name 'NatSec,' has claimed credit for a wave of hacks this year including a raid on CrowdStrike, the cybersecurity firm whose faulty update grounded airlines and caused chaos across the world this July.

This July, USDoD also claimed it had leaked CrowdStrike's 'entire threat actor list,' its 'entire IOC [indicators of compromise] list,' and databases from both '[an] oil company and a pharmacy industry (not from USA),' according to a company report.

Delta's CEO has threatened to sue CrowdStrike for what he said was $500 million in lost revenue and extra costs related to thousands of canceled flights this past July.

USDoD had originally been portrayed as a pro-Russian hacking enterprise, in part because of the group's early successes with its '#RaidAgainstTheUS campaign,' which targeted the US Army and major Pentagon defense contractors.

The hacker group has also probed domestic US agencies, posing as the CEO of a financial company to lift the FBI's 80,000-member InfraGard database — which is designed to securely share national security and cybersecurity intelligence.

InfraGard members include government employees, as well as members of the private sector whose work is deemed critical to maintaining US infrastructure.

A report by cybersecurity journalist Brian Krebs had accused USDoD of making a political statement by releasing sensitive employee data stolen from the Pentagon aerospace contractor Airbus on the 2023 anniversary of the 9/11 terrorist attacks.

But USDoD denied the claim, asserting that the group's actions were neither political nor acts of terrorism, merely cybercriminal business as usual — with a few caveats.

'I won't attack Russia, China, South and North Korea, Israel, and Iran,' USDoD said following Krebs' reporting. 'The rest, I don't care.'
