Am I at risk of identity theft?

Q: Was my Social Security number in the 2024 NPD breach?

Almost certainly. The 2024 National Public Data breach exposed roughly 2.9 billion records covering the majority of US adults plus people in the UK and Canada. Breached records included Social Security numbers, full names, addresses, and family relationships. NPD filed for bankruptcy in October 2024.

In short

If your personal data is on broker sites or in past breaches, yes — measurably. The FTC logged 1.1 million identity-theft reports in 2024 alone, with $12.5 billion in total fraud losses.
The 2024 National Public Data breach exposed roughly 2.9 billion records, including Social Security numbers covering most US adults. NPD filed for bankruptcy in October 2024.
A free Delist scan tells you what's exposed and where — name, address, phone, email, breach history. No card needed.

6 min read Last reviewed May 2026 Free scan available

What identity theft cost Americans in 2024

The Federal Trade Commission published its Consumer Sentinel Network Data Book for 2024 in early 2025. Three numbers worth memorizing:

$12.5 billion in total fraud losses, up roughly 25% from 2023.
6.5 million total consumer reports across all fraud categories.
1.1 million identity-theft reports specifically — among the highest single-year volumes the FTC has logged.

The categories that grew fastest were impersonation scams (people pretending to be government agencies, banks, or known businesses) and investment fraud (especially crypto-themed). Both rely on the attacker knowing enough about you — name, address, family, employer — to seem credible.

That knowledge has to come from somewhere. Increasingly, it comes from a data broker or a breach.

How brokers and breaches feed identity theft

Identity theft used to require effort. A stolen wallet. A phishing email written by a human. A dumpster-dived utility bill. Today it requires a search.

Three pipelines feed the modern identity-theft market:

Data brokers — people-search companies publish your name, address, phone, age, relatives, and previous addresses on the open web. Anyone can search. Some make it free; others charge a few dollars per lookup. See how brokers operate.
Data breaches — when a company gets hacked, the data leaks. The 2024 National Public Data breach exposed 2.9 billion records including Social Security numbers, addresses, and family relationships, covering most living US adults. NPD filed for bankruptcy in October 2024 rather than face victim restitution.
Dark-web aggregators — collected from past breaches, broker scrapes, and credential-stuffing dumps. Known leak databases now catalog billions of compromised accounts across roughly a thousand publicly disclosed breaches.

An identity thief doesn't pick a person and then research them. They search for a name with matching exposure and work with whoever turns up. The less of your data is exposed, the less you stand out — and that's something you can change.

Find out what an identity thief would find. Free scan, no card needed.

Run my free exposure scan →

The five categories of identity theft

"Identity theft" is a single label for very different attacks. The FTC's 2024 Consumer Sentinel breakdown:

Credit-card fraud. Opening new lines or charging existing ones. The largest single category in 2024. Recovery is usually fast: file a fraud report, the bank reverses the charge.
Loan or lease fraud. Personal loans, auto loans, or apartment leases opened in your name. Recovery is slower. You may not know until a debt collector calls.
Government-benefits fraud. Unemployment, tax refunds, and Social Security filings in your name. The IRS reported over a million suspicious tax returns flagged in 2024.
Medical identity theft. Using your insurance to obtain treatment or prescriptions. Recovery is the slowest. Your medical records get co-mingled with the thief's. Insurers limit how often you can correct this.
Synthetic identity fraud. Combining real data (often a child's Social Security number) with fabricated data to create a new identity that passes credit checks. Children are the fastest-growing target group because they don't check credit until 18.

What to do if you've been hit

Recovery is procedural, not improvisational. The FTC publishes a free recovery plan at IdentityTheft.gov. The general sequence:

Same day. Call the company where the fraud happened. File a fraud report. Freeze the affected account.
Same day. Place a free fraud alert with Equifax, Experian, or TransUnion (one notifies the other two automatically). Lasts one year.
Within 24 hours. Report at IdentityTheft.gov. The FTC issues a recovery plan and a sworn affidavit you can give to creditors.
Within a week. Pull your free credit reports from annualcreditreport.com. Look for accounts you didn't open.
Within 30 days. Consider a credit freeze. Free, permanent until you lift it. Stops new credit accounts from being opened in your name.
Ongoing. File a police report if local law allows it. Some jurisdictions require this for certain types of restitution.

Why the credit freeze isn't enough

A credit freeze stops new credit. It does not stop:

Existing-account fraud. A thief can still charge cards you already have.
Medical fraud. Credit freezes don't affect medical providers.
Government-benefits fraud. The IRS doesn't pull credit reports.
Social engineering. Call centers, customer-support reps, and family members can still be convinced you're not you (or that the thief is). They don't pull credit reports either.

The freeze closes one door. The rest stay open as long as your name, address, birthday, employer, and family are on the open web. Removing the exposure is what closes the rest of the doors.

How Delist reduces your attack surface

Identity theft is downstream of exposure. The fewer sources a thief can use to confirm "this is the right person," the less likely the attack works.

Delist does three things that move the identity-theft needle:

Files removals across data brokers. The broker sites that publish your name, address, phone, and relatives. Cuts the raw material social-engineering attacks rely on.
Watches for breach exposures. Cross-references your email and identifiers against known breach sources and alerts on new leaks. You can act before fraud lands.
Detects re-listings. Brokers re-add you within 30 to 90 days. Delist catches it and re-submits removal automatically.

It does not make you bulletproof. Nothing does. It makes you a less profitable target, and that is most of the game.

Frequently asked questions

Can I tell if my identity is already stolen?

Check three things. Your free credit reports at annualcreditreport.com for accounts you didn't open. Your IRS tax transcript at IRS.gov for returns filed in your name that you didn't file. Your medical-insurance EOBs for treatments you didn't receive. If any of those show something unfamiliar, file at IdentityTheft.gov immediately.

Is freezing my credit free?

Yes. Federal law since 2018 requires Equifax, Experian, and TransUnion to offer credit freezes and unfreezes at no cost. You can freeze and unfreeze as many times as needed. Each bureau is separate, so freeze all three.

Was my Social Security number in the 2024 NPD breach?

Almost certainly. The breach exposed roughly 2.9 billion records covering most US adults plus people in the UK and Canada. The records included Social Security numbers, full names, addresses, and family relationships. NPD filed for bankruptcy in October 2024. Run a free SSN exposure check to confirm whether your number is in the leaked corpus.

Does identity-theft insurance actually pay out?

The FTC has warned that most identity-theft insurance covers recovery costs and lost time, not the actual stolen funds. Banks generally reverse fraudulent charges under federal law anyway. The valuable part of most policies is the case-management service, not the coverage. Read the policy before buying.

How long does identity-theft recovery take?

The FTC says straightforward credit-card fraud takes 1 to 7 days. Loan, lease, and government-benefits fraud takes weeks to months. Medical and synthetic-identity fraud can take years. Speed of detection matters most. The longer it sits, the more damage compounds.