Data broker blunders as millions are exposed with public passwords

Background check company National Public Data admitted it exposed information like phone numbers, addresses and Social Security numbers to hackers.

Aug 22, 2024 - 00:00
Data broker blunders as millions are exposed with public passwords

National Public Data (NPD), a background check company, admitted it exposed sensitive info like phone numbers, addresses and Social Security numbers to hackers

While the company hasn’t shared how big the breach is, it supposedly involves 2.7 billion records, likely including some data on almost every American.

It gets even worse. A new report revealed that another NPD data broker, which shares access to the same consumer records, published user passwords to its back-end database.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

KrebsOnSecurity reported that a sister NPD property, called recordscheck.net, was hosting an archive that included the usernames and passwords of the site's administrator.

A review of the now-removed archive reveals that it contained the source code, along with plain text usernames and passwords, for various components of recordscheck.net. This site bears a striking resemblance to nationalpublicdata.com, with matching login pages.

The exposed archive, titled "members.zip," suggests that all RecordsCheck users were initially given the same six-character password and advised to change it, though many didn’t.

According to KrebsOnSecurity, which referenced breach tracking service Constella Intelligence, the passwords found in the source code archive match those exposed in earlier data breaches. This suggests that millions of users may be affected in this case as well.

We reached out for a comment from RecordsCheck but did not hear back before our deadline.

PHARMA GIANT’S DATA BREACH EXPOSES PATIENTS’ SENSITIVE INFORMATION

Salvatore "Sal" Verini, the founder of NPD and a retired sheriff's deputy from Florida, told KrebsOnSecurity that the exposed archive, a .zip file containing recordscheck.net credentials, has been removed from the company’s website. Verini also mentioned that the site is scheduled to shut down "in the next week or so."

"Regarding the zip, it has been removed, but it was an old version of the site with non-working code and passwords," Verini said. He declined to offer additional information, stating that the issue is under active investigation and he cannot comment further.

WORLD’S LARGEST STOLEN PASSWORD DATABASE UPLOADED TO CRIMINAL FORUM

News of the NPD data breach surfaced after a California man filed a lawsuit against the company, as reported by Bloomberg. He discovered the breach through his identity theft protection service, which flagged his data in the leaked database. Since then, many people online have reported receiving similar alerts from their protection services, allowing them to take action before it was too late.

In 2024, an identity theft protection service is practically a must-have. If you’ve been keeping up with CyberGuy articles, you’ve probably seen frequent reports on data breaches, whether it’s the AT&T breach, Dell breach or the Advance Auto Parts leak.

One of the best parts of using identity theft protection is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

Identity theft protection is the first thing I recommend to everyone, but there are also steps you can take to protect yourself.

1. Be careful with passwords: The recordscheck.net leak exposed passwords, and as I discussed, many users didn’t change the auto-assigned passwords. That’s a big mistake. Always create strong passwords for your accounts and devices and avoid using the same password for multiple online accounts.

Consider using a password manager to securely store and generate complex passwords. It will help you to create unique and difficult-to-crack passwords that a hacker could never guess. Second, it also keeps track of all your passwords in one place and fills passwords in for you when you’re logging into an account so that you never have to remember them yourself. Get more details about my best expert-reviewed Password Managers of 2024 here.

2. Remove your personal information from the Internet: While no service can completely erase your data from the Internet, using a data removal service is a smart move, especially in light of recent data breaches like the NPD incident. These services aren’t cheap, but neither is your privacy.

CLICK HERE FOR MORE US NEWS

They handle the heavy lifting by continuously monitoring and systematically removing your personal information from countless websites. This gives peace of mind and is one of the most effective ways to safeguard your data online. Check out my top picks for data removal services here.

3. Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions and security alerts.

4. Routinely check your credit reports: Obtain a free copy of your credit report from each of the three credit reporting agencies mentioned earlier. Review the reports carefully for any suspicious or unauthorized activity. If you find any inaccuracies or signs of fraud, report them to the credit reporting agency immediately.

4.3 MILLION AMERICANS EXPOSED IN MASSIVE HEALTH SAVINGS ACCOUNT DATA BREACH

The NPD data breach and the security incident involving its sister website highlight the irresponsibility of these companies in handling sensitive public information. There is an urgent need for governments to step in and impose serious legal consequences, not just a slap on the wrist. Fines should be involved. Anyone dealing with sensitive data must ensure that the data is encrypted and take measures to prevent it from falling into the wrong hands.

Do you believe current regulations are sufficient for handling data breaches or do they need to be more stringent? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you'd like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.