Cybercrime: Hackers sell Social Security info

Thomas Samson | AFP | Getty Images

Three large providers of online personal data confirmed to CNBC that they were victims of security breaches on Thursday. Cybersecurity expert Brian Krebs revealed the results of his seven-month investigation earlier in September, on his blog, KrebsonSecurity. He found that potential identity thieves purchased more than a million Social Security Numbers from a site he believes is responsible for the hacks.

Hackers targeted LexisNexis, Kroll Background America and Dun & Bradstreet.

LexisNexis, a provider of identity verifications and background checks, issued a statement confirming that it "identified an intrusion targeting our data." Altegrity's Kroll Background America, which provides employment background checks, said in its statement that its "web-hosting servers were infected with a malicious software program," or so-called malware. Similarly, D&B spokeswoman Michele Caselnova wrote in an email, "I can confirm that D&B was one of several victims of a cyberattack." D&B provides commercial and business information.

While the three data brokers confirmed the breaches, none would confirm that personal information was taken. LexisNexis, for its part, said in its statement that there was "no evidence that customer or consumer data were reached or retrieved." Kroll said in its statement that it is investigating the impact of the malware, and D&B would not comment on whether personal data was accessed.

Hack attacks like those that affected the three data brokers cost the United States at least $70 billion a year, according to a study by McAfee and the Center for Strategic and International Studies. Companies spent almost $1 billion in 2012 on insurance to cover their risks, according to the study.

The FBI confirmed that it is investigating the breaches. All three companies said they are working with authorities.

(Read more: US charges six in biggest credit card hack on record)

The five legal loopholes hackers are slipping through

Krebs, a former Washington Post reporter, connected these breaches to, referred to as SSNDOB. This website sold personal information, including Social Security numbers and dates of birth. SSNDOB was known for its reliability on identity theft forums, according to Krebs.

According to Krebs, unknown hackers attacked SSNBOD this summer, and published its data logs. Krebs analyzed the logs to find where SSNDOB was getting its information, finding two hacked servers at LexisNexis, two compromised systems at D&B and one compromised system at Kroll. Compromised systems are part of a company's network that has been breached by hackers.

CNBC has been unable to contact SSNDOB for comment because the site is down.

These hacks fueled SSNDOB, where anyone, including cybercriminals, was able to purchase Social Security numbers, birth dates and credit checks, among other personal information. The data were sold at prices ranging from 50 cents to $15. SSNDOB even took cybercurrency, such as bitcoin and WebMoney. All together, the site raised $50,000 to $70,000 a month, according to Krebs.

While Krebs could not pinpoint the exact number of people affected, he did find that SSNDOB sold 1.02 million unique Social Security numbers and almost 3.1 million dates of births since early 2012.

The three companies shut down the breaches with 48 hours of Krebs notifying them. However, Krebs believes there may be other systems compromised at these data brokers.

Furthermore, while SSNDOB is currently shut down, it may relaunch. "They are probably in the process of seeing how they got hacked and making sure it doesn't happen again," Krebs said.

(Read more: CNBC's Special Report: Hacking America)

—By Jennifer Schlesinger, CNBC.