August 19, 2024

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.
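For site operators who want to check their own servers for the exposure described above (an archive of site source code, with plain-text credentials, downloadable from the web root), the following is an added example and not code from this article or from the NPD or RecordsCheck archive. The credential pattern is an assumed heuristic, and the sample archive contents are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed heuristic: a quoted literal assigned to a credential-like name.
CRED_RE = re.compile(
    rb"""(?i)(pass(?:word|wd)?|pwd|secret|api_?key)\b['"\]\s]*(?:=>|=|:)\s*['"]([^'"\s]{4,})['"]"""
)
MAX_MEMBER_BYTES = 2_000_000  # skip large members (media, database dumps)


def scan_archive(data: bytes):
    """Return (member, keyword) pairs for credential-like literals in a zip.

    The matched secret itself is deliberately not recorded in the findings.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            for m in CRED_RE.finditer(zf.read(info)):
                hits.append((info.filename, m.group(1).decode().lower()))
    return hits


def audit_webroot(root):
    """Map each .zip under the served directory to its credential hits.

    Any archive here is a finding on its own (anyone can download it);
    a non-empty hit list means secrets in it need rotating as well.
    """
    findings = {}
    for path in sorted(Path(root).rglob("*.zip")):
        if not path.is_file():
            continue
        try:
            hits = scan_archive(path.read_bytes())
        except zipfile.BadZipFile:
            hits = [("<unreadable archive>", "")]
        findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: an old copy of a site zipped with its config."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("members/config.php",
                    '<?php $db_user = "admin"; $db_password = "CONSTRUCTED-not-real"; ?>')
        zf.writestr("members/login.html",
                    '<form><input type="password" name="pw"></form>')
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:  # stand-in for a real docroot
        Path(webroot, "members.zip").write_bytes(build_sample_archive())
        print(audit_webroot(webroot))
```

Credentials that appear in an archive found this way should be treated as exposed and rotated, even if the archive is described as an old copy of the site.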

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.


126 thoughts on “National Public Data Published Its Own Passwords”

  1. rich56k

    So with the breadth of data now available to cyber criminals since these latest revelations (thanks again by the way Brian!); would/could they access and un-freeze credit bureau accounts?

    Reply
    1. rich56k

      I should have also asked, what would stop them from actually opening accounts at credit bureaus to then freeze them?

      Also, is LexisNexis a viable freeze to mention?

      I’ve never heard of them as a consumer CB in the common respect but a friend mentioned them: https://consumer.risk.lexisnexis.com/freeze

      Reply
  2. P

    this time I’ll try and go ahead and actually file a freeze with the 3 biggest bureaus.
    should I do the same for my spouse? and our 2 underage kids?
    does that mean 3 bureaus x 4 people = 12 freeze actions in total?
    or is there a better way? also, are there minor bureaus we should be aware of?
    thank you for your reporting.

    Reply
    1. Tired Of Leaks

      YES! You should absolutely freeze yours, your spouse’s and your children’s credit with all three bureaus. Make sure to enable 2 factor authentication as well.

      Reply
    2. Moira Vasquez

      When you freeze at one bureau it is supposed to be effective at the rest.

      Reply
      1. BrianKrebs Post author

        Sorry, Moira, but that only applies to a fraud alert, which is free to place anytime and lasts for 90 days. The thing with fraud alerts is while creditors are not supposed to pull your file when you have a fraud alert, many still will.

        Reply
        1. HackerHater

          While we’re talking confusing terminology: make sure it’s freeze that you select, not lock. They are different products and locks are far less useful than freezes. Of course, you can only unlock a lock, and unfreeze but not thaw a freeze.

          Reply
  3. SH

    I’m sorry but LOL WTF?

    Sigh. When will data brokers be held accountable for this kind of thing? In a way that is actually impactful…

    Reply
  4. Richard La Bella

    It’s absurd that we continue to tolerate lax security measures around confidential and sensitive data, especially when it comes to protecting personally identifiable information (PII). In an era where cyber threats are more sophisticated than ever, the failure to implement robust security protocols is not just negligent—it’s reckless. Our personal information is a valuable target, and the consequences of breaches are devastating. We must demand stronger protections and hold organizations accountable to ensure that our privacy is safeguarded. The time for complacency is over; decisive action is needed now to protect U.S. citizens’ personal information. Someone needs to be held accountable for this immediately. I think we all know who that is.

    Reply
    1. Joseph

      The challenge here is that the thieves have made offline copies of the datasets. Even if something existing gets removed online they’ll just make it available someplace else.

      Reply
  5. crd

    You used to list Innovis as the fourth reporting bureau that one needed to freeze their credit reports with. Are they still a consideration?

    Reply
  6. Lynn

    Thank you Brian for this excellent post. I’ve been ignoring this for way too long. I often read your posts but never as closely as I read this one! I’ll be setting up those freezes today.

    Reply
  7. EVL

    Don’t forget to freeze it with “Innovis” too. Not as broadly used as the main three useless bureaus, but it should also be included.

    Reply
  8. rod

    A file with passwords on the public Internet? Proves you just can’t fix stupid.
    Equifax – wants to only give you 6 reports per year “You still have 5 of 6 free Equifax credit reports available”
    TransUnion – says “all consumers are entitled to one free disclosure every 12 months upon request from each nationwide credit bureau”
    Experian – said “You can get a free credit report from each of the three credit bureaus (Experian, TransUnion, and Equifax) once a week at [AnnualCreditReport.com](https://www.annualcreditreport.com/index.action).
    Additionally, you can check your Experian credit report for free anytime by creating an account on Experian’s website.”

    Only 1 asked for 2FA and the place to get a weekly credit report is named “annual”creditreport.com?
    What an unimpressive industry to be caring for our financial information.

    Reply
  9. Abelard Lindsey

    How does an outfit like NPD “scrape” personally identifying information from nonpublic sources and what exactly are these “nonpublic sources”?

    Reply
  10. bill_gncs

    this doesn’t get the attention it needs until CEOs start spending 30 days in the slammer for breach of duty.

    Reply
    1. Hackerhater

      I’d 30 days for each 100 individuals whose information was compromised. With a base mandatory sentence of 20 years if more than 10% of the working age adults are affected. Plus the cost of reengineering the SSN system for the SSA. No-else gets it paid for by the perpetrators since they weren’t entitled to use the SSN for that purpose anyway. None of this to be discharged in bankruptcy.

      Reply
  11. Mike

    The idea of feeding data to a credit reporting service just rubs me wrong. The last thing I want them to know is a real email address or a real phone number for me and my family members. They’ve proven they cannot be trusted with any data and the only reason my family needs them is because certain insurance pricing is based on credit – which should be illegal, but isn’t. We don’t need any loans. We don’t need a mortgage. We don’t **need** a credit card, though they are used only for convenience.

    My state is anti-consumer. All attempts to get them to be pro-privacy have failed. Citizens of the state cannot even place items onto the ballot, regardless of how many signatures we get – only 2/3 vote of both sides of the state legislature can do that. Anyway, it means all our privacy laws are controlled by people who care more about campaign funding from businesses than actually representing voters. That should be illegal too.

    I’m tired of having data leaked by people I never gave written approval to have my data. I’m just tired.

    Reply
    1. Ronald Rossi

      Mike you are spot on!
      We need a national law to change this nonsense

      Reply
  12. Mykaladrian

    How is this data broker able to obtain social security numbers w/out consent? Seems like that should be illegal…if anyone actually cared about consumer privacy

    Reply
  13. Holden Gatsby

    I just successfully froze my Experian and Equifax credit accounts using the links that Brian Krebs listed in a 2018 post. I am having problems freezing my TransUnion credit using his link. After logging in to TransUnion I receive a message that I can’t freeze my TransUnion credit online. I then called the TransUnion number provided in that post. After keying in my personal information I receive a voice message that I can’t freeze my credit and then their system just terminates the call.

    I have submitted a complaint with the Consumer Financial Protection Board.

    Reply
  14. David S.

    Why is there no real accountability for the companies that play so loose with information that can hurt millions of us?

    Reply
  15. Holden Gatsby

    In my previous post I meant to write ” I then received a voice message”.

    Reply
  16. David Stewart

    There is no accountability from these companies that allow hackers to steal from us or cost us time and money to eradicate the issue. Seems jail time for company officials who allowed this thievery to happen would be fitting.

    Reply
  17. gk

    Definitely hire a background check company that has their website developed in Pakistan! What could go wrong?

    Reply
  18. Raksiam

    Why do we allow these companies to exist and profit off of everyone’s personal data in the first place? They should all be put out of business. And we clearly need a new system to replace SSNs now that everyone has been exposed

    Reply
  19. Billy Jack

    I looked up my name on the npd.pentester.com site.

    Interestingly enough, nothing showed up under my first name – last name, but there were several entries under my middle name – last name at various old addresses. Some of them were PO Boxes including two that I had forgotten I ever had.

    That leads me to wonder whether having things under my middle name last name might make it more difficult for someone to open an account using my name.

    Reply
  20. Joseph

    One thing to be aware of with the npdbreach.com site for checking your info is that it might lead to a false sense of security. I looked for my info using name and zip and did not find it so I thought I was safe. Then I looked at pentester.com and found a record for me with the right address and SSN digits but the zip code was wrong. I know that I could have looked at npdbreach using SSN but not knowing if it was out there already I was not going to willingly give it to a site that I only learned of today.

    Reply
  21. netseceng_ct

    My question is ….. Why did this company have my SS# at all? I never even knew they existed AND MY SS# IS NOT PUBLIC INFORMATION. And they are going out of business ….. No way to sue them for having non public data I did not give to them.

    Reply
  22. rich56k

    I regularly get letters from various entities stating we’ve been hacked and your info was stolen…

    I think at last count I have (at least) 4 different ‘credit monitoring services’ currently watching over me (/S) all free of charge.

    I don’t even open the breach alert envelopes any more – unless it’s a medically related company. I mean all my/our PII is already out there – but it’s my personal medical records that keep me up at night…maladies, medications, med history (plus the usual PII to boot)…

    One can also search out the wealth of that new breed of ambulance chasers (data breach law firms) get in on the latest class action suit!!! If you’re lucky in a few years you’ll get a check for $50-$100 and more free monitoring – sheesh

    Reply
  23. Drew

    Salvatore “Sal” Verini for prison! Also, who else finds it ironic that Equifax is still suggested by anyone for credit protection and monitoring after they suffered one of the largest data breaches in history?

    Since 2017 I’ve recommended people permanently freeze their credit with Equifax and NEVER unlock it. If any company denies your credit card, loan app, or whatever because they solely use Equifax should be passed on. I’ve kept mine frozen with Equifax since 2017 and have had almost no issues. I think once Best Buy didn’t give me a credit card because they said they used Equifax and no one else, so I said “your loss” and walked away and went elsewhere. If everyone gets on board with this, maybe they’ll cease to exist too!

    Reply
  24. Roland

    This company needs to disclose how they got people’s social security number. When I did a search I saw my father’s name who died before the internet was even a thing so how did they get this information? There needs to be a congressional investigation and they need to tell who they’re getting this data from and these people need to go to jail.

    Reply
  26. DS

    Just an FYI. I entered https://npdpentester.com (no . between npd and pentester) by mistake and it took me to what I guess is a domain parked page with links. Immediately thought I was in the wrong place and bailed. The actual Pentester site worked well. They have you enter the state instead of the zip, which gets you more complete results, as was mentioned in another comment. Nothing found under my current zip, but several entries with past addresses.

    Reply
