About four months after a notorious hacking group claimed to have stolen an extraordinary amount of sensitive personal information from a major data broker, a member of the group has reportedly released most of it for free on an online marketplace for stolen personal data.

The breach, which includes Social Security numbers and other sensitive data, could power a raft of identity theft, fraud and other crimes, said Teresa Murray, consumer watchdog director for the U.S. Public Information Research Group.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than prior breaches, Murray said in an interview. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”

According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data, which offers personal information to employers, private investigators, staffing agencies and others doing background checks. The group offered in a forum for hackers to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.

The lawsuit was reported by Bloomberg Law.

Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.

National Public Data didn’t respond to a request for comment, nor has it formally notified people about the alleged breach. It has, however, been telling people who contacted it via email that “we are aware of certain third-party claims about consumer data and are investigating these issues.”

In that email, the company also said that it had “purged the entire database, as a whole, of any and all entries, essentially opting everyone out.” As a result, it said, it has deleted any “non-public personal information” about people, although it added, “We may be required to retain certain records to comply with legal obligations.”

Several news outlets that focus on cybersecurity have looked at portions of the data Felice offered and said they appear to be real people’s actual information. If the leaked material is it what it’s claimed to be, here are some of the risks posed and the steps you can take to protect yourself.

The threat of ID theft

The leak purports to provide much of the information that banks, insurance companies and service providers seek when creating accounts — and when granting a request to change the password on an existing account.

A few key pieces appeared to be missing from the hackers’ haul. One is email addresses, which many people use to log on to services. Another is driver’s license or passport photos, which some governmental agencies rely on to verify identities.

Still, Murray of PIRG said that bad actors could do “all kinds of things” with the leaked information, the most worrisome probably being to try to take over someone’s accounts — including those associated with their bank, investments, insurance policies and email. With your name, Social Security number, date of birth and mailing address, a fraudster could create fake accounts in your name or try to talk someone into resetting the password on one of your existing accounts.

“For somebody who’s really suave at it,” Murray said, “the possibilities are really endless.”

It’s also possible that criminals could use information from previous data breaches to add email addresses to the data from the reported National Public Data leak. Armed with all that, Murray said, “you can cause all kinds of chaos, commit all kinds of crimes, steal all kinds of money.”

How to protect yourself

Data breaches have been so common over the years, some security experts say sensitive information about you is almost certainly available in the dark corners of the internet. And there are a lot of people capable of finding it; VPNRanks, a website that rates virtual private network services, estimates that 5 million people a day will access the dark web through the anonymizing TOR browser, although only a portion of them will be up to no good.

If you suspect that your Social Security number or other important identifying information about you has been leaked, experts say you should put a freeze on your credit files at the three major credit bureaus, Experian, Equifax and TransUnion. You can do so for free, and it will prevent criminals from taking out loans, signing up for credit cards and opening financial accounts under your name. The catch is that you’ll need to remember to lift the freeze temporarily if you are obtaining or applying for something that requires a credit check.

Placing a freeze can be done online or by phone, working with each credit bureau individually. PIRG cautions never to do so in response to an unsolicited email or text purporting to be from one of the credit agencies — such a message is probably the work of a scammer trying to dupe you into revealing sensitive personal information.

For more details, check out PIRG’s step-by-step guide to credit freezes.

You can also sign up for a service that monitors your accounts and the dark web to guard against identity theft, typically for a fee. If your data is exposed in a breach, the company whose network was breached will often provide one of these services for free for a year or more.

As important as these steps are to stop people from opening new accounts in your name, they aren’t much help protecting your existing accounts. Oddly enough, those accounts are especially vulnerable to identity thieves if you haven’t signed up for online access to them, Murray said — that’s because it’s easier for thieves to create a login and password while pretending to be you than it is for them to crack your existing login and password.

Of course, having strong passwords that are different for every service and changed periodically helps. Password manager apps offer a simple way to create and keep track of passwords by storing them in the cloud, essentially requiring you to remember one master password instead of dozens of long and unpronounceable ones. These are available both for free (such as Apple’s iCloud Keychain) and for a fee.

Beyond that, experts say it’s extremely important to sign up for two-factor authentication. That adds another layer of security on top of your login and password. The second factor is usually something sent or linked to your phone, such as a text message; a more secure approach is to use an authenticator app, which will keep you secure even if your phone number is hijacked by scammers.

Yes, scammers can hijack your phone number through techniques called SIM swaps and port-out fraud, causing more identity-theft nightmares. To protect you on that front, AT&T allows you to create a passcode restricting access to your account; T-Mobile offers optional protection against your phone number being switched to a new device, and Verizon automatically blocks SIM swaps by shutting down both the new device and the existing one until the account holder weighs in with the existing device.

Your worst enemy may be you

As much or more than hacked data, scammers also rely on people to reveal sensitive information about themselves. One common tactic is to pose as your bank, employer, phone company or other service provider with whom you’ve done business and then try to hook you with a text or email message.

Banks, for example, routinely tell customers that they will not ask for their account information by phone. Nevertheless, scammers have coaxed victims into providing their account numbers, logins and passwords by posing as bank security officers trying to stop an unauthorized withdrawal or some other supposedly urgent threat.

People may even get an official-looking email purportedly from National Public Data, offering to help them deal with the reported leak, Murray said. “It’s not going to be NPD trying to help. It’s going to be some bad guy overseas” trying to con them out of sensitive information, she said.

It’s a good rule of thumb never to click on a link or call a phone number in an unsolicited text or email. If the message warns about fraud on your account and you don’t want to simply ignore it, look up the phone number for that company’s fraud department (it’s on the back of your debit and credit cards) and call for guidance.

“These bad guys, this is what they do for a living,” Murray said. They might send out tens of thousands of queries and get only one response, but that response could net them $10,000 from an unwitting victim. “Ten thousand dollars in one day for having one hit with one victim, that’s a pretty good return on investment,” she said. “That’s what motivates them.”

LL Flooring, the flooring retailer formerly known as Lumber Liquidators, has filed for Chapter 11 bankruptcy protection and will close about a quarter of its locations nationwide, the company announced Sunday.

Eleven of the 94 locations marked for closure are in California, including stores in Torrance, Rancho Cucamonga and Fresno. The company said stores being shuttered will remain open throughout the closing process.

A major retailer in home improvement, LL Flooring offers customers a wide range of flooring products and advertises a seamless shopping experience and expert guidance. The company was founded in 1993 as Lumber Liquidators Holdings Inc. but changed its name in 2022.

In an open letter to customers, LL Flooring said it is seeking a buyer for its remaining stores and anticipates a sale of the business will be completed by the end of September. The company said it has been marketing its business to potential buyers for more than a year.

About 300 locations across the country and LL Flooring’s online platform will remain open as the company continues to search for a buyer.

The retailer, which is carrying nearly $110 million in long-term debt, said consumer spending on home improvement projects declined during the COVID-19 pandemic as home sales dropped and interest rates rose.

“After comprehensive efforts to enhance our liquidity position in a challenging macro environment, a determination was made that initiating this Chapter 11 process is the best path forward for the company,” Chief Executive and President Charles Tyson said.

“Today’s step is intended to provide LL Flooring with additional time and financial flexibility as we reduce our physical footprint and close certain stores while pursuing a going-concern sale of the rest of our business,” he said.

The company has received $130 million in financing from a group of existing bank lenders led by Bank of America, which it will use to fund its operations during bankruptcy.

Bloomberg contributed to this report

Let’s play a parlor game titled “What’s the dumbest thing Elon Musk has ever done?”

Is it promoting tweets from outspoken antisemites and racists on X, formerly Twitter, the social media platform he owns? Embracing antisemitic tweets himself?

Or was it, telling some of the largest corporations in the world to, um, perform a sexual act on themselves because they stopped advertising on the platform? (Warning: Link not safe for work.)

Maybe the top prize goes to his reinstating thousands of accounts of Nazis, white supremacists and disinformation purveyors that had been banned from Twitter by its previous management?

Actually, my vote goes to the federal lawsuit X filed on Aug. 6 accusing big advertisers of colluding in a boycott of the platform, ostensibly because they disapprove of its content.

The filing was announced in a video tweet by Linda Yaccarino, the chief executive of X. Yaccarino’s hostage-like affect and her theatrical hand-wavings in the video are so eerie that some viewers speculated, also on X, that the video is an AI-generated deepfake. And why not? Musk himself promoted on X a deepfake fabricating a purported speech by Kamala Harris with the words, “This is amazing.”

The lawsuit targets the World Federation of Advertisers, a networking organization for big advertisers. It specifically names WFA and four companies — the Danish energy company Ørsted, CVS Health and the consumer companies Unilever and Mars. Why it singles out those companies isn’t entirely clear, though it’s notable that they are members or have leadership positions in the Global Alliance for Responsible Media.

GARM, as the lawsuit asserts, was founded to establish brand safety standards for advertisers on X and other social media platforms. In other words, standards to help advertisers keep their messages from showing up alongside posts and accounts promoting hate speech and other noxious messages.

The lawsuit and Yaccarino’s video assert that the advertisers colluded through GARM to boycott X, depriving it of its lifeblood, advertising revenue. “That puts your global town square, the one place that you can express yourself freely and openly, at long-term risk,” Yaccarino said.

Leaving aside this rather inflated and anachronistic description of X — its status as a “global town square” hasn’t survived Musk’s acquisition of the platform in 2022 — the idea that you can sue corporations for deciding not to advertise with you is beyond absurd.

A couple of points about all this:

First, the lawsuit piggybacks on a report issued last month by the Republican staff of the House Judiciary Committee, which is chaired by that outstanding blowhard, Rep. Jim Jordan of Ohio. One in an ever-lengthening line of useless, conspiracy-addled reports from the GOP House caucus — see, for example, its ignorantly anti-scientific screeds about the origins of COVID — this one was oh-so-cleverly titled “GARM’s Harm” and claimed that GARM members colluded to put X out of business.

“I was shocked by the evidence uncovered by the House Judiciary Committee that a group of companies organized a systematic illegal boycott against X,” Yaccarino says, ludicrously.

More to the point, this lawsuit reflects Musk’s habit of blaming X’s financial ills on everyone but himself. Over the last year or so, X has sued the watchdog organizations Media Matters for America and the Center for Countering Digital Hate for trying to “censor” X by asserting — inaccurately, X says — that the platform has become a haven for pro-Nazi content and other hate speech.

Musk also threatened to sue the Anti-Defamation League for purportedly pressuring companies to stop advertising on X because of the apparent rise in hate speech. That lawsuit never materialized. The Media Matters lawsuit is pending. The case against CCDH was thrown out by U.S. Judge Charles R. Breyer of San Francisco in March. More on that in a moment.

Put it all together, and it appears that Musk doesn’t realize that X needs advertisers more than they need X. The platform was generally an also-ran as an advertising medium online, trailing Meta and Google. Under Musk, it may have fallen further behind.

The first hint of the cynicism attending this lawsuit comes from where it was filed. As X notes in its complaint, among the defendants the World Federation of Advertisers is headquartered in Belgium, Ørsted in Denmark, Unilever in London, Mars in Virginia and CVS Health in Rhode Island. X itself is headquartered in San Francisco.

So of course Musk filed the lawsuit in Wichita Falls, a North Texas community with a population of 102,000, which makes it the 39th-largest city — in Texas. What Wichita Falls does offer litigants of a certain ideological slant, however, is a one-judge federal court.

That judge is Reed O’Connor, a right-wing George W. Bush appointee whose hit parade includes rulings invalidating government anti-discrimination laws protecting transgender rights, blocking a COVID vaccine mandate for Navy SEALs and declaring the entire Affordable Care Act unconstitutional. (That last ruling was overturned by the Supreme Court, 7 to 2.)

O’Connor, by the way, is also presiding over the lawsuit against Media Matters. A year ago he reported owning shares worth $15,001 to $50,000 in Tesla, the electric vehicle company Musk controls.

Unsurprisingly, none of these lawsuits alludes, even in passing, to the possibility that the steep decline in revenues or advertising from major consumer firms at X might have something to do with Musk’s policies and behavior.

The lawsuits generally describe their goal as the protection of free speech and open debate online, and present X as the innocent target of one cabal or another.

Judge Breyer in San Francisco made short of that claim in his dismissal of the lawsuit against CCDH; indeed, he found that the shoe was on the other foot. “This case is about punishing the Defendants for their speech,” he ruled. (My emphasis.) He rejected X’s assertion that it had lost “at least tens of millions of dollars” because of CCDH’s reports of the presence of hate speech on X, finding that the platform couldn’t document that its losses were traceable to CCDH reporting or that the money could be recovered even if it could do so.

“X Corp.’s motivation in bringing this case is evident,” Breyer ruled. “X Corp. has brought this case in order to punish CCDH for CCDH publications that criticized X Corp. — and perhaps to dissuade others who might wish to engage in such criticism.” X’s demand for tens of millions of dollars in compensation, he found, seemed designed to “torpedo the operations of a small nonprofit … because of the views expressed in the nonprofit’s publication.”

That brings us to the new lawsuit, against the World Federation of Advertisers and the four corporations. These are defendants that might not blanch at the cost of defending what might be a frivolous lawsuit, but at some level it seems to have made them nervous: The federation said last week that it is “discontinuing” the Global Alliance for Responsible Media.

Musk and his peanut gallery crowed that this represented a victory, but it’s hardly that. The four corporate defendants — like any members of the federation or GARM — always have the right to make their own decisions about where to place their ads. Indeed, it’s inconceivable that a $60-billion multinational such as Unilever would cede those decisions on its hundreds of brands, which include Ben & Jerry’s, Dove beauty products and Hellmann’s mayonnaise, to outsiders.

It’s true that GARM developed standards to help members assess whether they wanted their ads to appear on social media platforms and methods to ensure that the platforms understood the brands’ concerns. It’s also true that advertisers expressed concerns after Musk’s acquisition, and his firing of most of the staff responsible for trust and safety at X, that the chances their ads would end up cheek by jowl with posts from malodorous tweeters would rise.

But the GOP report acknowledges that GARM offered advice, not mandates, and that its advice was typically solicited by the advertisers themselves. What may have irked the Republicans and Musk is that most of the content that scared advertisers away tended to come from the right-wing fever swamp, which no self-respecting corporation would want to be seen endorsing.

One variety of content involved claims that evidence found on a laptop purportedly belonging to Hunter Biden, the president’s son, suggested Hunter was involved in wrongdoing. “Unilever, through GARM, … expressed issues with Mr. Musk exposing the truth about how Twitter, prior to Mr. Musk’s acquisition, censored the Hunter Biden laptop story,” the GOP report says.

The Biden allegations are cherished by the Republican right wing even though no connection to President Biden has ever been established. The GOP report says claims that “incriminating evidence about the Biden family’s influence peddling was found on Hunter Biden’s laptop … have since been authenticated,” which is untrue; that only underscores that the GOP report was a partisan smear, and not something on which X should rest its legal case.

In any event, the GOP report acknowledges that Unilever is “free to unilaterally stop spending its advertising money on [X],” which apparently has happened. Shed a tear for Musk, if you’re so inclined.

Musk may have turned into the biggest obstacle to the survival of X. Directing a profane insult at big advertisers and treating their refusal to spend their ad dollars at his hobbyhorse as “blackmail,” as he did in November, is hardly a way to cozy up to them.

Musk tried a charm offensive this summer at the Cannes Lion Festival, which brings together international advertisers, telling them they “have a right to appear next to content that they think fits with their brand.” But whatever goodwill he might have generated then evaporated last week with his lawsuit. “We tried peace for 2 years, now it’s war,” he said in announcing the lawsuit.

Meanwhile, Musk’s behavior gets worse. Just last week, the CCDH, freed from the financial burden of defending itself against his lawsuit, reported that his “false or misleading claims about the U.S. elections” have been viewed nearly 1.2 billion times on X, “with no fact checks” such as the “community notes” that often debunk disinformation from other accounts.

Why would any advertisers hoping to attract and keep customers want their ads to be seen on a platform that has become a source of informational sewage? To ask the question is to answer it.