MC2 Data leak allegedly exposes millions: check if you’re affected and learn if you need to act

A misconfigured database at MC2 Data, a major data provider company, reportedly exposed sensitive information of nearly one-third of the U.S. population. On August 7, 2024, Cybernews experts discovered the passwordless 2.2 TB database with more than 106 million records accessible to anyone who knew where to look.

Since then, security researchers, privacy advocates, and law firms have been analyzing what exactly was exposed, who is at risk, and what affected individuals can do to protect themselves.

This guide summarizes what is known about the MC2 Data leak, how it unfolded, what data was exposed, what the legal fallout is, and what steps you can take to reduce your risk, including opting out of MC2 Data-related people-search sites and other data brokers.

What is MC2 Data?

MC2 Data aggregates data from a wide range of sources and operates several well-known data broker websites. These websites collect and sell personal information, including names, contact details, family connections, criminal records, employment history, property data, financial records and so much more. Some of the data broker sites owned by the MC2 Data include:

• PrivateRecords.net
• PrivateReports
• PeopleSearcher
• ThePeopleSearchers
• PeopleSearchUSA

These sites typically state that they are not Fair Credit Reporting Act (FCRA)-compliant, meaning they are not supposed to be used for formal employment, tenant, or credit screening. However, the depth of data they store still makes them highly sensitive targets for cybercriminals.

What happened in the MC2 Data leak?

Timeline and cause

• August 7, 2024: Researchers at Cybernews discovered that MC2 Data had left a database containing roughly 2.2 TB of data exposed on the internet without any password protection.
• The exposed database contained 106,316,633 records, and estimates suggest at least 100 million individuals were affected.
• The exposure appears to be the result of human error rather than a traditional hack or ransomware attack.
• After Cybernews notified MC2 Data, access to the database was eventually secured; however, it is unknown who else may have accessed or downloaded the data before it was locked down.

As of the latest updates from Cybernews and multiple law-firm investigations, MC2 Data has not publicly confirmed detailed findings about the leak. 

What data was exposed in the MC2 Data leak?

Multiple analyses show that the leaked data falls into two major categories: user account data for MC2 Data customers and extremely detailed background records about people who were searched through MC2 Data-powered services.

1. Compromised user account data (MC2 Data customers)

This data includes:

• Full name
• Email address
• Phone number
• IP address
• Device and browser information (user agent)
• Hashed passwords and password salts
• Partial payment information (such as truncated credit card numbers)
• Internal account details (account IDs, account status, which MC2 Data service was used, etc.)
  

In total, data for about 2.3 million MC2 Data subscribers (individuals and organizations) appears to have been exposed.

2. Exposed public records / background data (people searched via MC2 Data)

The second major component appears to hold highly detailed background data on individuals whose information was queried through MC2 Data’s services, including many people who never directly interacted with the company.

This data reportedly contains:

Core identity & contact data

• Full names and aliases
• Email addresses
• Phone numbers
• Current and historical home addresses
• Dates of birth
• Partial Social Security numbers (for some individuals)

Extensive background information

Reports indicate that, on average, each record in this table contained tens of thousands of lines of nested JSON with data from many categories, such as:

• Eviction and foreclosure records
• Bankruptcy records
• Criminal history (including misdemeanors)
• Marriage, divorce, and death records
• Property records and assessor information
• Business ownership and professional licenses
• Income and approximate net-worth estimations
• Employment history
• Domain registration and online business records
• Information on family members, neighbors, and associates, including their names, phone numbers, and email addresses

In many cases, this data is not limited to the person being searched; it also includes related individuals, creating a web of interconnected PII that can be further abused.  

Legal developments and and class action lawsuits

Since the leak became public, several legal investigations and lawsuits have emerged:

ClassAction.org investigation (now complete)
Attorneys collected information from individuals who received MC2 Data leak notifications to evaluate class action potential (claims related to privacy harm, time lost, and out-of-pocket costs).

Jones v. MC2 Data, LLC (0:24-cv-61978)
A class-action complaint was filed in the U.S. District Court for the Southern District of Florida on October 22, 2024, alleging breach of contract and related claims stemming from the data leak.

Smart v. MC2 Data LLC (0:24-cv-62006)
Another class-action case was filed in the same court on October 25, 2024, on behalf of additional affected individuals.

Consumer law-firm investigations
Firms including Morgan & Morgan have announced investigations and potential class actions on behalf of data-breach victims.

If you received a data breach notice from MC2 Data or a related site, you may be eligible to join one of these class actions or future lawsuits. This article does not provide legal advice; please consider speaking to a qualified attorney if you want to explore compensation and other remedies.

Are you in danger due to the MC2 Data leak?

Your risk level depends on which group above you’re in. 

You are (have been) an MC2 Data customer

If you’ve ever signed up for any of MC2 Data websites, your account data may have been compromised and your risks include:

• Account takeover on MC2 Data sites and other platforms and services where you’ve reused the compromised credentials.
• Targeted phishing (including vishing and smishing), social engineering scams, identity theft and other types of fraud that combine your specific exposed details with the data from other sources like data brokers. 

You’ve never been an MC2 Data customer

You may still be part of the one-third of the U.S. population whose background information was made even more accessible. Although a lot of this data had already been available on people-search sites, it stayed behind paywalls, making it harder to access. When this dataset with millions of records was left passwordless, cybercriminals could get access to the information enabling large-scale phishing campaigns, SSN scams, credential stuffing, spear phishing, doxxing, and other malicious activities.

Can you do anything to limit your risks from MC2 Data leak?

 Here are some steps you can take to protect yourself after the MC2 Data leak:

1. Check if your information was exposed in MC2 Data breach

• Visit MC2 Data’s official website for updates on the breach and instructions on how to check if your data was affected. 
• Run Onerep’s free scan to see if your information is listed on MC2 Data-operated sites. 
• Sign up for Onerep to start monitoring for breached emails, passwords and other sensitive details exposed in data breaches. The tool will keep you updated with our data breach alerts so you can act fast and take steps to protect yourself asap. 

Full disclosure: I am the CEO of Onerep that offers these services.

2.  Determine the scope of the leak

There’s no way to know what exact data points were compromised for each individual affected in this breach, so it’s a good idea to contact MC2 Data’s customer support to find out what was stolen. Inquire about financial data, Social Security Numbers, email addresses and similar details to understand the potential risks. 

3. Secure your accounts by changing your passwords and enabling two-factor authentication

Change to new, strong and unique passwords immediately and set up two-factor or multifactor authentication on all important accounts if you haven’t done so previously. 

4. Remove your information from public data broker sites
You have two options:

Do it manually using these free removal guides
However, such removals are often time-consuming, vary from site to site and can be re-listed when sites refresh their data.

Use an automated service to handle removals at scale.
Onerep does this in 3 steps:

• Scans 240+ data brokers and people-search sites, including MC2 Data-related platforms. 
• Automatically submits and tracking opt-outs to remove your records from these sites.
• Re-scans and re-removes your information when it reappears due to data refreshes or new data-broker feeds.

👉 Sign up for free

5. Watch for targeted phishing and scams 

After high-profile data leaks, scammers often:

• Pose as the breached company, regulators, or banks.
• Reference real details about you (address, last four digits of a card, employer, relatives) to appear credible.

Be suspicious of:

• Unsolicited emails or texts about the MC2 Data breach asking you to click a link, log in, or share verification codes.
• Calls demanding urgent action about “fraud on your account” or “verification of your background check”.

When in doubt, hang up or ignore the message and contact the organization using a number or website you look up yourself.

6. Talk to vulnerable family members

Because the MC2 Data dataset includes information on relatives and associates, not just the primary person searched, it’s wise to:

• Warn elderly parents or less tech-savvy relatives about common scams (tech support scams, fake IRS calls, “grandparent” or military romance scams, etc.)
• Encourage them to verify any money requests with a trusted family member before acting
• Help them set up safer defaults: call screening, bank alerts, and strong account security.
  

7. Choose your services wisely
Always vet the platforms you use. Before creating an account, evaluate whether the company adheres to data security protocols. While even secure companies can experience data breaches, those that invest in robust cybersecurity measures are generally less vulnerable.