LexisNexis and Dun & Bradstreet were infiltrated by hackers who sold personal data on as many as 4 million US citizens online, according to a report by security researcher Brian Krebs.
According to Krebs's report, personal data of US citizens, including social security numbers and credit ratings, has been available for sale on a website called ssndob.ms for the last two years. Identity thieves could buy records for between 50 cents and $15.
It was not known how the site's operators got their hands on the data until the website was itself hacked. Krebs got hold of a copy of the database, which reveals that the site had made hundreds of millions of dollars selling personal data.
And by analysing the site's network activity and the log-in credentials of its administrators, Krebs says he was able to establish that the data is extracted by a "small but very potent botnet".
This botnet has access to five infected servers, Krebs reports. Two of these are owned by LexisNexis and another two by Dun & Bradstreet.
These companies provide customer data to businesses for insurance, lending and marketing. LexisNexis claims that it provides coverage of "more than 500 million unique consumer identities".
The fifth server belongs to Altegrity, the parent company of security software vendor Kroll Ontrack. The company provides an employee screening service called HireRight.
Dun & Bradstreet and Altegrity have said they are investigating the claims. LexisNexis said that it has found no evidence of data theft.
Krebs's report demonstrates how personal data is a valuable and saleable commodity. Criminals are willing to pay for data online in order to steal from or defraud their targets, or to launch their own security attacks.