Experts later clarified that while the "2.9 billion" figure likely included many duplicates and deceased individuals, the scale remained historic. Unlike the , which stemmed from a software vulnerability, the NPD incident is frequently cited as a cautionary tale about directory listing vulnerabilities and the dangers of storing sensitive backups on internet-facing servers.
: Usernames and passwords for their internal systems. index_breached.vc.zip
Following the leak, multiple class-action lawsuits were filed against Jerico Pictures Inc. for failing to secure the data. You can find technical post-mortems and security analysis of the breach on platforms like the Huntress Blog or specialized security news sites like Risky Business . Experts later clarified that while the "2
Once discovered, the data was reportedly scraped and posted to the dark web by a threat actor known as "USDoD." The hacker initially attempted to sell the database for , claiming it contained 2.9 billion records , including: Full names Social Security numbers (SSNs) Mailing addresses Phone numbers The Impact Once discovered, the data was reportedly scraped and
The breach wasn't necessarily a complex hack but a critical oversight. A security researcher discovered that NPD had left a zip file—often identified as index_breached.vc.zip or similar variants—publicly accessible on their website. This file contained: