New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).
NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.
Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.
A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.
The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.
According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.
Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”
“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”
The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.
A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.
There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.
The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.
A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.
Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.
There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.
In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.
The point is, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.
All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.
If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.
So with the breadth of data now available to cyber criminals since these latest revelations (thanks again by the way Brian!); would/could they access and un-freeze credit bureau accounts?
I should have also asked, what would stop them from actually opening accounts at credit bureaus to then freeze them?
Also, is LexisNexis a viable freeze to mention?
I’ve never heard of them as a consumer CB in the common respect but a friend mentioned them: https://consumer.risk.lexisnexis.com/freeze
this time I’ll try and go ahead and actually file a freeze with the 3 biggest bureaus.
should I do the same for my spouse? and our 2 underage kids?
does that mean 3 bureaus x 4 people = 12 freeze actions in total?
or is there a better way? also, are there minor bureaus we should be aware of?
thank you for your reporting.
YES! You should absolutely freeze yours, your spouses and your children’s credit with all three bureaus. Make sure to enable 2 factor authentication as well.
When you freeze at one bureau it is supposed to be effective at the rest.
Sorry, Moira, but that only applies to a fraud alert, which is free to place anytime and lasts for 90 days. The thing with fraud alerts is while creditors are not supposed to pull your file when you have a fraud alert, many still will.
I’m sorry but LOL WTF?
Sigh. When will data brokers be held accountable for this kind of thing? In a way that is actually impactful…
It’s absurd that we continue to tolerate lax security measures around confidential and sensitive data, especially when it comes to protecting personally identifiable information (PII). In an era where cyber threats are more sophisticated than ever, the failure to implement robust security protocols is not just negligent—it’s reckless. Our personal information is a valuable target, and the consequences of breaches are devastating. We must demand stronger protections and hold organizations accountable to ensure that our privacy is safeguarded. The time for complacency is over; decisive action is needed now to protect U.S. citizens’ personal information. Someone needs to be held accountable for this immediately. I think we all know who that is.
who?
who should be held accountable?
Why don’t they have a method of removing your data off the black web?
You used to list Innovis as the fourth reporting bureau that one needed to freeze their credit reports with. Are they still a consideration?
Thank you Brian for this excellent post. I’ve been ignoring this for way too long. I often read your posts but never as closely as I read this one! I’ll be setting up those freezes today.
Don’t forget to freeze it with “Innovis” too. Not as broadly used as the main three useless bureaus, but it should also be included.
A file with passwords on the public Internet? Proves you just can’t fix stupid.
Equifax – wants to only give you 6 reports per year “You still have 5 of 6 free Equifax credit reports available”
TransUnion – says “all consumers are entitled to one free disclosure every 12 months upon request from each nationwide credit bureau”
Experian – said “You can get a free credit report from each of the three credit bureaus (Experian, TransUnion, and Equifax) once a week at [AnnualCreditReport.com](https://www.annualcreditreport.com/index.action).
Additionally, you can check your Experian credit report for free anytime by creating an account on Experian’s website.”
Only 1 asked for 2FA and the place to get a weekly credit report is named “annual”creditreport.com?
What an unimpressive industry to be caring for our financial information.
How does an outfit like NPD “scrape” personally identifying information from nonpublic sources and what exactly are these “nonpublic sources”.
this doesn’t get the attention it needs until CEO’s start spending 30 days in the slammer for breech of duty.
The idea of feeding data to a credit reporting service just rubs me wrong. The last thing I want them to know is a real email address or a real phone number for me and my family members. They’ve proven they cannot be trusted with any data and the only reason my family needs them is because certain insurance pricing is based on credit – which should be illegal, but isn’t. We don’t need any loans. We don’t need a mortgage. We don’t **need** a credit card, though they are used only for convenience.
My state is anti-consumer. All attempts to get them to be pro-privacy have failed. Citizens of the state cannot even place items onto the ballot, regardless of how many signatures we get – only 2/3 vote of both sides of the state legislature can do that. Anyway, it means all our privacy laws are controlled by people who care more about campaign funding from businesses than actually representing voters. That should be illegal too.
I’m tired of having data leaked by people I never gave written approval to have my data. I’m just tired.
Mike you are spot on!
We need a national law to change this nonsense
How is this data broker able to obtain social security numbers w/out consent? Seems like that should be illegal…if anyone actually cared about consumer privacy
Why is there no real accountability for the companies that play so loose with information that can hurt millions of us?
In my previous post I meant to write ” I then received a voice message”.
There is no accountibility from these companies that allow hackers to steal from us or cost us time and money to eradicate the issue. Seems jail time for company officials who allowed this thievery to happen would be fitting.