Top background check services hit by data breach

Two of the biggest online background check services have suffered recent data breaches that saw sensitive data on millions of their users leaked online. 

News of the attack on TruthFinder and Instant Checkmate was confirmed by PeopleConnect, the company that owns both affected organizations.

Background check services let people do due diligence on other people. Whether for hiring someone or for any other reason, users can turn to these services, which aggregate publicly available data that would otherwise take considerable time to gather: federal, state, or court records, criminal records, social media data, etc.

Hashed passwords taken

People must subscribe to use these services, and hackers have now obtained data belonging to those subscribers. In late January, someone posted a thread on the Breached hacking forum claiming to have obtained sensitive data on 20.22 million customers of the abovementioned firms who used the services up to April 16, 2019.

Of those, almost 12 million were Instant Checkmate users and 8.2 million were TruthFinder users. The remaining accounts, around 4.6K, belong to other service providers.

In the incident, the attackers stole identity data: people’s email addresses, hashed passwords, full names, and phone numbers. 

Soon after the post, PeopleConnect confirmed the breach.

"We learned recently that a list, including name, email, telephone number in some instances, as well as securely encrypted passwords and expired and inactive password reset tokens, of TruthFinder subscribers was being discussed and made available in an online forum," the company said. 

"We have confirmed that the list was created several years ago and appears to include all customer accounts created between 2011 and 2019. The published list originated inside our company."

PeopleConnect said it will know more once it concludes its investigation, but first reports indicate that this was either an "inadvertent leak or theft of a particular list."

Via: BleepingComputer

Sead Fadilpašić
