Finger on digital touch screen choosing people showing data breach of background check services

Data Breach on Instant Checkmate and Truthfinder Background Check Services Leaked 20 Million Records

Background check services operator PeopleConnect confirmed a data breach that leaked over 20 million user records online. The incident affected users of TruthFinder and Instant Checkmate and exposed records from accounts created between 2011 and 2019.

PeopleConnect scrapes public data from multiple sources, such as federal, state, and court records, marriage, divorce, and criminal registries, social media content, and other sources. The subscription-based services assist users in verifying other people’s background information before making important decisions such as dating, marrying, or leasing property.

PeopleConnect Holdings Inc., the owners of Classmates and Intellius information services, merged with PubRec LLC., which owned Instant Checkmate and TruthFinder background check services, in January 2020. The merger helped the companies strengthen their collective position in the personal information market.

Instant Checkmate and TruthFinder background check services breached

On January 21, a hacker on the Breached hacking forum published a treasure trove reportedly obtained from PeopleConnect’s background check services.

The 2.9 GB CSV file had 11.9 million records from Instant Checkmate, 8.2 million from Truthfinder, 46,625 from TruthFinderInternational, and 98 from other background check services.

Data leaked includes names, email addresses, phone numbers, and in some cases, hashed passwords and expired password reset tokens. However, the data breach did not expose TruthFinder and Instant Checkmate user activity, such as individual searches, or payment data, such as credit card numbers or bank account information.

Background check services operator PeopleConnect confirms a data breach

PeopleConnect discovered the data breach after a threat actor published the stolen information on a hacking forum. Subsequently, the company launched an investigation with third-party cyber experts and confirmed that the data breach originated from TruthFinder and Instant Checkmate background check services.

“We have confirmed that the list was created several years ago and appears to include all customer accounts created between 2011 and 2019. The published list originated inside our company.”

However, the  background check services operator found no evidence that the threat actor breached PeopleConnect’s networks, thus concluding that the incident was an “inadvertent leak or theft of a particular list.” Likely, the threat actors accessed old data backups stored on unsecured and internet-exposed servers.

“This highlights the importance of knowing where all data resides (including backups) and adhering to sound data retention policies as well as applicable regulations,” said Tim Morris, Chief Security Advisor, AMER at Tanium.

PeopleConnect’s investigation did not disclose the number of customers impacted by the data breach as the incident was still under observation.

“We are moving as quickly as we can to fully understand and correctly handle the situation,” PeopleConnect said, promising to provide more information.

Meanwhile, PeopleConnect advised its users to remain vigilant for potential phishing attacks by threat actors attempting to impersonate the company’s staff to steal sensitive information.

Additionally, the company advised customers to ignore suspicious communication, adding that its staff would never request account login credentials, social security numbers, or payment information via telephone or email.

Previous data breaches have taught us that many initial probes are hardly conclusive, and the magnitude of the breach usually becomes apparent weeks after the incident. Therefore, users should always assume the worst and take additional measures out of an abundance of caution.

Possible mitigations include frequently changing their passwords, enabling two-factor authentication (2FA), using strong passwords, and avoiding password reuse.

“The data compromised in this breach includes hashed passwords, which are considered sensitive,” Morris added. “For those impacted, it serves as an unfortunate reminder to avoid using the same passwords across sites, which can be helped by using a reliable password manager.”

Similarly, they should monitor their financial statements for suspicious activity and utilize credit monitoring services to prevent identity theft.

“I think that if you have been in enough breaches where you have free credit monitoring for life, organizations should start paying out the retail value to the customer instead of just another service,” said David Maynor, Senior Director of Threat Intelligence at Cybrary.

According to Maynor, credit monitoring services are not the solution because providers are too eager to correct inconsistencies, making the data “more valuable to sell to advertisers or other data brokers.”