Some of the largest data brokers in the US may need to carry out a security audit, after an investigation found that they had been hacked by an identity theft service.
Dun & Bradstreet, LexisNexis and Altegrity were all affected by the breach, leaving sensitive information such as social security numbers at the hands of cyber criminals.
A seven-month investigation by KrebsOnSecurity uncovered the malicious activity, with personal records found to be up for sale on the website ssndob.ms, or SSNDOB.
For a payment of between 50 cents and $2.50, customers can pay to see data relating to any US resident – the website does not make clear where the information has been sourced from.
SSNDOB administrators are believed to have been operating a small botnet that was directly communicating with computers inside the data brokers.
Two of the hacked servers were in LexisNexis based in Atlanta, Georgia – the company has confirmed to KrebsOnSecurity that two systems listed in the botnet interface were public-facing web servers.
Two systems belonging to Dun & Bradstreet in Short Hills, New Jersey, were also found to have been compromised, while the fifth was found at an internet address assigned to Kroll Background America.
All of the victims were aware of the attacks and confirmed that they were working alongside federal authorities and third-party forensics firms to ascertain how far the breaches extended.
Efforts are also underway to determine whether any sensitive data was accessed and removed from their networks – and to what extent it might have been used once obtained by the hackers.
Elliot Glazer, chief technology officer at Dun & Bradstreet, told KrebsOnSecurity that the company was glad of the information it had received.
He commented: "We are aggressively investigating the matter, take it very seriously and are in touch with the appropriate authorities.
"Data security is a company priority, and I can assure you that we are devoting all resources necessary to ensure that security."
Altegrity, on the other hand, did not confirm or deny the apparent breaches but expressed that maintaining the safety and security of its systems remained a number one priority.
Spokesman Ray Howell emphasised that "significant information security resources" have been allocated to the cause and teams both inside and outside the company are working tirelessly to prevent breaches.