A Florida firm has all but confirmed that millions of people’s sensitive personal info was stolen from it by cybercriminals and publicly leaked.

That information, totaling billions of records, includes the names, Social Security numbers, physical and email addresses, and phone numbers of folks in the United States, UK, and Canada. It’s the sort of records data brokers regularly buy and sell.

And it is now available via the dark web for anyone to download and use for fraud.

Back in April, crooks using the online handle USDoD wrote on a cyber-crime forum that they were selling for $3.5 million what was alleged to be 2.9 billion records, across multiple files in a 277GB archive, on US, Canadian, and British citizens, including their aforementioned names and phone and Social Security numbers where relevant, as well as their address histories going back 30 years and details of their parents and relatives.

That silo of personal info was stolen from an outfit called National Public Data, or NPD, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. According to USDoD, the stolen data was collected by NPD between 2019 and 2024. The firm likely sourced that info at least from public records at the local, state, and federal level.

A cyber-thief using the handle SXUL pilfered the information and passed it to USDoD to sell, which sparked a lawsuit against NPD at the start of this month.

Some of the stolen information had been leaking out via the dark web in bits and pieces, though last week, someone using the handle Fenice dumped what’s claimed to be 2.7 billion records from that collection onto the internet for anyone to download for free if they know where to look. Note that it is a database with billions of rows, not billions of individuals; there are a lot of inaccuracies in the data, as well as a lot of dead people, and duplication.

After weeks of silence, and countless people starting to get alerts from privacy and anti-fraud services that their personal info has been leaked, NPD has, in cagey language, confirmed it was compromised and that its data was stolen and shared. According to the biz, it was ransacked in December, and the leaks started in April, leading up to now.

[…]

Source: Florida data broker says it was ransacked by cyber-thieves • The Register

[…] New research suggests that certain brands of bike parts have vulnerabilities that could allow them to be remotely compromised during competitions.

The research was unveiled this week at the Usenix Workshop on Offensive Technologies by researchers from Northeastern University and UC San Diego. In their paper, researchers note that, much like modern cars, today’s bicycles are “cyber-physical systems that contain embedded computers and wireless links to enable new types of telemetry and control.” One of the more common cyber-connected systems is the wireless gear shifter, which uses electronic switches instead of traditional control levers to allow bikers shift gears.

Researchers tested shifters sold by Shimano, a Japanese company that is one of the larger cycling parts sellers in the world. Unfortunately, researchers found that Shimano’s shifters are vulnerable to simple “replay attacks” of the sort that are frequently targeted at car fobs. Such attacks, which utilize a radio signal manipulation, allow attackers to capture and weaponize data wirelessly exchanged by hardware parts. In this case, attackers could use such an attack to “unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear,” Wired writes. Radio hardware necessary to carry out such an attack is relatively inexpensive.

“Security vulnerabilities in wireless gear-shifting systems can critically impact rider safety and performance, particularly in professional bike races,” researchers’ paper notes. “In these races, attackers could exploit these weaknesses to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation.”

Obviously cheating is common in athletic competitions, so a hackable bicycle would definitely be something to worry about for competitive racers. Researchers highlight this point: “The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity,” they write. “Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling.”

Gizmodo reached out to Shimano for comment. Last year, the company was the victim of a ransomware attack and, after refusing to pay, had several terabytes of its corporate data spilled onto the internet by the hackers.

[…]

Source: Bicycles Can Be Hacked Now