Operators of an underground identity theft service have infiltrated three of the biggest providers of social security numbers, birth dates, and other consumer information, according to a published report. In total, the hackers were able to pilfer records belonging to more than four million people.

"The intrusions raise major questions about how these compromises may have aided identity thieves," KrebsOnSecurity reporter Brian Krebs wrote in the 2,100-word report published Wednesday. His seven-month investigation found that the illicit service, known as ssndob[dot]ms (readers shouldn't visit this site), served more than 1.02 million unique social security numbers to customers and almost 3.1 million date-of-birth records since its inception in early 2012. The data was appropriated after the operators of the service infiltrated Atlanta, Georgia-based LexisNexis, Short Hills, New Jersey-headquartered Dun & Bradstreet, and Kroll Background America, which is now a part of HireRight, he reported.

Krebs said his findings were based on a copy of the SSNDOB database that became available after the ID theft service was itself hacked. It showed that more than 1,300 customers spent hundreds of thousands of dollars looking up SSNs, birthdates, and driver license records and obtaining unauthorized credit and background reports. The operators of the service were the same hackers who in March published the SSNs and other sensitive details for dozens of celebrities and politicians, including Vice President Joe Biden, first lady Michelle Obama, and rap star Jay-Z.

Wednesday's report exposes serious risks in what banks, mortgage companies, and other financial services call "knowledge-based authentication." Representatives from these services frequently rely on a list of about 100 questions such as "What was your previous address?" or "Which company services your mortgage?" when trying to determine if the person on the phone or filling out an application is the individual he claims to be. Ready access to the data stored by the data aggregators can make the difference between a fraudulent application being approved or rejected. Krebs goes on to recount a story told by Gartner fraud analyst Avivah Litan about a fellow analyst who witnessed an identity thief in action.

"The woman on the phone was asking the applicant, 'Hey, what is the amount of your last mortgage payment?', and you could hear the guy on the other line saying hold on a minute… and you could hear him clicking through page after page for the right questions," Litan said.

Krebs said parts two and three of his series will follow.