August 19, 2024

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and passwords for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.
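Two checks follow from the paragraphs above: scanning a published archive for hard-coded credentials before it reaches a web root, and finding accounts that never changed a site-wide initial password. The Python below is an added example and is not code from the article, from NPD or from RecordsCheck; the archive contents, file names, the default password “abc123” and the user list are all constructed for illustration, and the regular expressions are a deliberately small set of credential patterns rather than a complete secret scanner.

```python
import io
import re
import zipfile
from collections import defaultdict

# A small set of patterns that typically mark a hard-coded secret in web
# application source. Real secret scanners carry many more; these are enough
# to show the technique.
SECRET_PATTERNS = {
    "password assignment": re.compile(
        r"""(?i)\b(?:db_?pass(?:word)?|password|passwd|pwd)\b\s*(?:=|=>|:)\s*['"]([^'"]{1,128})['"]"""),
    "connection string": re.compile(
        r"""(?i)\b(?:mysql|postgres(?:ql)?|mongodb)://[^:/\s]+:[^@\s]+@"""),
    "api key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret[_-]?key)\b\s*(?:=|=>|:)\s*['"]([^'"]{8,128})['"]"""),
}


def scan_archive_for_secrets(zip_bytes):
    """Return a list of (member_name, line_no, kind) for every line of a
    text member that matches one of SECRET_PATTERNS. Binary members are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue  # images, compiled assets and the like
            for line_no, line in enumerate(text.splitlines(), start=1):
                for kind, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((info.filename, line_no, kind))
    return findings


def users_on_shared_password(rows, min_group=2):
    """rows: iterable of (username, password). Return a dict mapping each
    password shared by at least min_group accounts to the sorted usernames
    using it. An initial password that was never changed shows up as one
    large group."""
    groups = defaultdict(list)
    for user, pw in rows:
        groups[pw].append(user)
    return {pw: sorted(users) for pw, users in groups.items() if len(users) >= min_group}


def build_constructed_archive():
    """Constructed stand-in for an exposed 'members.zip'. Every path and
    value here is invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("members/config.php",
                    "<?php\n"
                    "$db_host = 'localhost';\n"
                    "$db_user = 'app';\n"
                    "$db_pass = 'Winter2019!';\n"
                    "$dsn = 'mysql://app:Winter2019!@localhost/members';\n")
        zf.writestr("members/README.txt", "Deploy by unzipping into the web root.\n")
        zf.writestr("members/logo.png", b"\x89PNG\r\n\x1a\n\x00\x00binary")
    return buf.getvalue()


# Constructed user table: four of six accounts still carry the six-character
# initial password "abc123" (an assumed value, not the real one).
CONSTRUCTED_USERS = [
    ("alice", "abc123"), ("bob", "abc123"), ("carol", "abc123"),
    ("dave", "Tr0ub4dor&3"), ("erin", "abc123"), ("frank", "correct horse"),
]


if __name__ == "__main__":
    for name, line_no, kind in scan_archive_for_secrets(build_constructed_archive()):
        print(f"{name}:{line_no}: {kind}")
    for pw, users in users_on_shared_password(CONSTRUCTED_USERS).items():
        print(f"{len(users)} accounts share the password {pw!r}: {', '.join(users)}")
```

Run against the constructed archive, the scanner reports the password assignment and the connection string in config.php and ignores the PNG; the second check flags the four accounts still on the shared default. In practice the scan belongs in the build or deploy step, before any archive is copied into a document root, and the shared-password check should run against password hashes rather than plaintext, by hashing the known default with the site’s scheme and comparing.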

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.


127 thoughts on “National Public Data Published Its Own Passwords”

  1. Norio

    Both Experian and TransUnion indicate that I can use a free account to enable a credit freeze. However EQUIFAX wants me to pay a minimum of $10/month to set up an account. Is this right? Are they being opportunists and drooling over the fact they can squeeze money out of the millions of people who just realized they need to freeze their credit? Or is there a hidden page or link to a free account I can use for a credit freeze?

    1. Matt Conlon

      No, it is likewise free. There is a paid service and a free service. Use the term freeze in the search bar on their website. Credit freezes are free if done through the free link.

    2. Finneas

      You’re looking in the wrong place. I was able to freeze all three bureaus last week. There was no cost involved. There’s a page on nerdwallet[.]com that has links. All three bureaus seem to be getting hammered due to this story going mainstream.

    3. Hadid

      Report them to the TC and Consumer Protection Bureau. Use social media.
      I am glad you shared this because our city was breached and over 400,000 citizens will be needing this service.

    4. Sherry

      @Norio, the problem you identified on the Equifax website is called a “dark pattern”.

      From Wikipedia: ‘dark pattern (also known as a “deceptive design pattern”) is “a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills’

  2. D. Greg Scott

    No amount of freezing or anything else we do individually will make one iota of difference over time. Brian, you said it yourself in your earlier NPD article. Our credit reporting system is fundamentally broken. SSNs are lousy authenticators.

    Way back in 2017, I made videos about how to fix our broken SSN authentication system. It would have solved this problem. See https://www.dgregscott.com/143-million-reasons-credit-reporting-industry-reform-part-2/

    I wish I had a louder voice to persuade the public to care.

    1. Dmitri Kozlovski

      Well, now that every member of the Congress had their SSN compromised, MAYBE we can get some movement on the national Personal Information Protection laws?

  3. Carina Karlsson

    Hi.
    I live in Sweden, but I have been hacked too. I had a high risk rating on my F-Security.
    So what should I do now??
    Grateful for any help.
    Best regards,
    Carina Karlsson

  4. Jojo

    In 2024, WHY does the government allow THREE separate credit reporting services to exist? WHY do we have to deal individually with each one, and WHY do we have to execute a freeze order separately to each one? The least they could do is make it easy for the consumer by allowing us to make one submission that would cover all three bureaus.

  5. Sheri

    What’s involved with freezing and unfreezing and does that affect your credit? I am mad beyond words that our information is so free and loose and everything has to be online so there is no escape.

    1. Matthew Conlon

      It does not affect your credit but it does prevent others from opening accounts in your name where a credit check is required because it blocks their access to be able to get a credit report pulled for a loan. Freezing does not stop identity theft but it will prevent someone from opening new accounts where a credit check is required. It is just 1 layer of protection. Active credit monitoring should be a regular thing going forward for anyone concerned.

      We do not even know the full impact of this and all the exploits available with this information up to and including estate and tax fraud.

      It takes 5 minutes to turn off and on. Just coordinate with whomever your lender is when applying for credit. They are going to have to scrap what we have and come up with something new.

    2. Jason

      Brian did an article about credit freezes back in 2018. The story is here: https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

      Freezing your credit does not hurt your credit score in any way. It will prevent companies from being able to run a credit check on you, so you’ll have to unfreeze one or more of them before you apply for anything where a credit check is needed.

      The unfortunate thing is that NPD is just one of many data brokers that likely have your information and anyone can do a search for it if they want to find yours. If you do a google search for “find anyone online” you’ll likely see a bunch of sites run by data brokers offering up your data for free or a small monthly fee to anyone who wants it.

    3. Judy

      It doesn’t negatively affect your credit if you freeze it. It just means that when you try to open a new account it will bounce back as locked. So you have to go in, unfreeze it, then the new account can be opened. You make accounts with the big three, confirm your identity, then freeze them. It’s really easy.

  6. Jason "DeVoiD"

    How is a PRIVATE (or publicly traded) company that has records on every person in three countries allowed to exist in the first place! That is the kind of data only the government should have – whether we know about it or not. It’s DISGUSTING this is allowed to happen, and that kind of sensitive data is allowed to be stored ANYWHERE. Then again EVERYTHING is on the internet… have you ever asked where your car’s data is stored? Whether you have a paid satellite service or not, your car is leaking data all the time back to the manufacturer.. you get emails about tire pressure right? So how much more data do they get? GPS, routes, time based routines!? Yeah, and WHERE are those servers located? How secure are they? Who supports those servers, are they qualified, what type of server/system are used for storage? SO much of us is stored it’s disgusting. If I had a wish or two, it would be that the Internet never existed and never would.

    1. christy

      Also, they shouldn’t allow the credit bureaus to advertise and manage people’s credit cards!!!

    2. JoeC

      You think the government is any better at computer security? Just ask anyone affected by the OPM breach in 2015.

    3. Jermand Hagan

      Perhaps because they are shell / government aided entities. It’s mandated that the biggest credit information holders share the data with these credit agencies. Some / most without any privacy notice to the information owners themselves.. Just think about how they get all this data and why nobody remembers saying it’s okay to share?

  7. Been there, done that

    Each of the three major credit agencies has a website from which you can freeze your credit there. You have to do each separately. There is no cost involved. The last paragraph of this story goes into detail.

    Freezing your credit doesn’t impact your credit rating. However, if you plan to apply for new credit (or possibly a credit limit increase) you will need to temporarily unfreeze your credit at the agency the credit grantor uses.

    1. Adam Lang

      You can; however, creating an account on at least one of the services involves signing an arbitration agreement that is truly heinous.

      Of course, doing it by phone can take hours, or even days when they are slammed. Pick your poison.

  8. Why Oh Why

    Is there any additional benefit to adding a fraud alert to the security freeze? I’ve had security freeze for years but now really concerned.
    Also concerned that the security freeze has lost the protections that were once meaningful. The use of the PIN system seems to not be required any more. The last time I did a lift over the phone, the PIN was not requested. Just info that was, now for sure, publicly outed.
    Just find the whole situation so disgusting.

  9. Liz L.

    I called the IRS this week about a recent tax return. Totally unrelated to the NPD breach. Three guesses how the IRS agent authenticated me. Yup — name, SSN, address and DOB. I was able to chat with the agent in detail about the contents of my return. Mind you, the agent was very nice and helpful but it proves anyone with that set of personal data can pose as the taxpayer. I thought the agent would at least ask for a security PIN or, absent that, the adjusted gross income reported on the return.
    Reminds me of my call to Equifax right after their massive breach in 2017. Same story. I even prompted them urging that they ask for more verification info since all the data they used to authenticate me during that call had just been leaked by them. They declined and proceeded to provide me with all the information I needed from my credit record.
    Take home message for me is: Yes. Let’s use the tools we have to protect ourselves and be vigilant but don’t let that lull us into a false sense of security. Technology based security systems may work (or not, depending on the website) but there are many opportunities for human error to creep in and upset the apple cart. Until we fundamentally change the way our identity is authenticated and used, AND enact/enforce strong privacy laws including reining in data aggregators (such as the credit bureaus as well as your local and state governments that sell your info for a buck), our efforts will continue to be largely an exercise in futility.
    As Einstein said, “Insanity is doing the same thing over and over and expecting different results.”

  10. Magaret Bartley

    I can’t wait for biometric ID to be part of our personal identification data.
    You can get a new credit card. You can even get a new SS# if needs be.
    Can’t get a new iris scan.
    And digital money?
    They think we are fools.
    Wait. maybe we are.

    1. Pam

      Thanks but no thanks. I don’t want criminals putting my head or any other body part in a vise in order to use that body part to access my finances.

  11. Michael Buckham

    It’s beyond time that companies that require our personal info are required to safely store it. And I mean criminal charges for owners and executives of the company if they do not adhere to safe storage practices. Yes it’s too late for everyone living. Our info has been “stolen” so many times already. But let’s get our politicians to look out for individuals not these companies.

  12. Aramis

    One of the sites listed above to check if your SSN was breached – npdbreach.com – is now being blocked by Norton for being a known dangerous/phishing site.

    1. BrianKrebs Post author

      AFAICT there is nothing wrong with that site. Security tools often flag sites as malicious if they only just popped up on the web, which this one did for obvious reasons.

  13. Kerri

    This is insane. So now because of this company’s negligence, all of us have to work double time to freeze and monitor our credit harder than we normally do? We have to spend our morning freezing our credit and praying that they haven’t already done damage as it’s been MONTHS since the breach actually happened. The fact that it happened so long ago and we’re just finding out is absurd. I cannot believe a company with such sensitive information was so careless that they published the passwords on their website. Was no one monitoring this? Like, that seems like something glaringly obvious that should not have gone unnoticed. I’m so angry.

  14. Tony G

    Safe.norton.com says npdbreach.com is a phishing site. Why do you think it’s legit?

  15. Jim

    There is another credit bureau related to telecommunications. Cell phone companies access this data as well as utilities. You can see what they are about and freeze that as well. You can find it here. https://nctue.com/consumer/

    Here is their FAQ on freezing.

    “How can I place a security freeze on my NCTUE report?
    You may place, temporarily lift, or remove a security freeze on your NCTUE data file. A security freeze is designed to prevent the information in your NCTUE data file from being reported to others, such as service providers and other companies.

    To place, request a temporary lift, or remove a security freeze, please click here or call us at 1-866-349-5355.

    You may also mail your request to:

    Security Freeze
    Exchange Service Center – NCTUE
    P.O. Box 105561
    Atlanta, GA 30348
    1-866-349-5355”

  16. Mike

    I want in on the lawsuit. What is everyone’s PII worth?

    1. HackerHater

      It’s worth next to nothing to you, unless you’re an attorney for a direct plaintiff. They always make out like bandits and the rest of us get peanuts. The damages are such ridiculously tiny percentages of annual revenue as to be a complete farce.

  17. Donna M Brown

    What if my information showed up with an address from 40 yrs ago? Do I still need to proceed?

    1. Anna Nonyous

      I have this same question. All the addresses listed for us are at least 20 years old.

      1. Mr. Natural

        I have a similar question. Not only are my addresses at least 13 years old, I get hits using incorrect birth years(!)
        How seriously should I take this?

  18. ts

    WTF DID THEY NOT USE A USA COMPANY TO STORE ALL THIS DATA ON USA CITIZENS?
    Every website I have ever built has a way for me to get back into it and you choose Pakistan?
    These are not even US allies- ridiculous and an attempt to harm the US economy.
    If it looks like a duck people –

  19. Anna Nonyous

    I checked the pentester site. I found old addresses for myself and several family members. All of it was about 20 years old. There was a false phone number listed for me and one for a relative. The false phone numbers are for area codes in Denton, Texas. Is it safe to assume this phone number has been used to impersonate me?

    1. Liz L.

      It’s possible but not necessarily. Since the data that was breached was a compilation from multiple sources, it’s possible that another person’s phone number simply got conflated with your record by mistake. That’s another reason for checking your credit reports from all three bureaus periodically. If that phone number shows up in one of your credit reports, that would be cause for concern.
      By the way, the same advice applies to checking your medical records. My records at a hospital were populated with information of another patient with the same last name and DOB. It showed medications I never took and a doctor I didn’t know. It was a pain getting the incorrect information expunged from my records. Obviously it wasn’t a case of identity fraud but errors like that can have tragic health consequences.

  20. Liz L.

    I agree with D. Greg Scott’s post above. Our ability to stop these abuses is very limited. As consumers, we’re always operating in a crisis management mode and unless we become vocal, active and, above all, organized advocates demanding change, nothing will happen. Frankly, I’m tired of this. Aren’t you?
    Remember, businesses are counting on us to do nothing. They know we lead hectic lives and, unfortunately, get easily distracted. All the while they continue profiting from the mess they create. Credit bureaus sell the data they collect without our consent. They do an inadequate job of safeguarding the data. Then they turn around and sell us monitoring services to deal with identity fraud that they helped create. Industry lobbyists (whether financial, pharmaceutical, you name it) draft legislation which they “propose” to members of Congress.
    I spent part of the day looking for NGOs or other advocacy groups focused on consumer data protection. I’m still looking but came across two sites with information on the status of various state privacy legislation. The second site also had a list of 15 recommended measures that should be enacted. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ https://www.security.org/resources/digital-privacy-legislation-by-state/
    We need to become a squeaky wheel and be heard. All I have to do is to point at the difference Brian has made in the area of cybersecurity. Simply amazing.
    If any of Brian’s followers knows of any advocacy group, please post the information. There’s strength in numbers. You have my thanks!

  21. Jonathan Porridge

    Watch these SOCIAL-SECURITY Breaches. My pet monster-over-the-hill is a biological pandemic which goes right ahead and dwarfs the memory of CoVid19. Many people, many – many people die and their personal social-security data, business and state-benefits data, now public, go uncorrected for a long enough time for the smartest of all hackers, “Dr Know-all”, or whoever, to access & steal these monies.

    Working from home, for IT security, during the next lock-down, is not ideal territory for keeping on the heels of criminals, serious, dangerous criminals, the likes of whom, though they may work in plain sight, have not been detected by even the smartest of our spooks; – I fear?

    All this Bio-weapon scenario, and talk, is something I see as now inevitable, and which I predict for year 2029, Winter. It’s all terribly … well … criminal. It fits, doesn’t it. The Russians can even take the blame for Bio-Insecurities hosted elsewhere. Watch this stuff, somebody please. Krebs work is of course, first-class.

  22. Jose

    Infuriating. This wasn’t a leak or a hack, it was a gift. All companies that shared data with NPD should be held accountable for lack of due diligence. The NPD owner should be facing criminal charges because he has single-handedly caused more harm than many many criminals. Now we have our personal data to be used by Indian scammers, your local neighborhood gangsters, American drug cartels, hackers, foreign intelligence agencies looking for a useful idiot and the dumb and dumber crowd.

  23. Matt

    I find this information extremely valuable, especially in today’s digital landscape where phishing attacks are becoming more sophisticated. The article not only raises awareness but also provides actionable advice on how to protect oneself. I would grade this article a 9 out of 10. Its practical relevance makes it useful for both individuals and organizations looking to enhance their cybersecurity measures. Personally, I would use this information to educate others on the importance of being cautious with emails and to review and strengthen my own security practices.

  24. GoFigure

    I informed Transunion over 24 years ago that they had bogus information in my account. They never removed it. I moved into a house after a person with a very similar name except I don’t have a middle initial. They got us mixed up so any mail that comes addressed with the middle initial goes straight to trash unopened because I know they bought the info from Transunion. Additionally it listed my address as living in a different town with my ex-wife and her new husband. They didn’t remove that either. What’s the sense in checking these credit reports when they won’t fix them?

    1. GoFigure

      After checking both the NPD Breach testing sites I found that the only data that was stolen was the incorrect data that Transunion has on me including wrong name and wrong birth date.

  25. DenDeb

    There is another Credit Reporting Company that many have not heard of.
    https://www.innovis.com/
    https://www.innovis.com/personal/securityFreeze
    Do you want to limit access to your Innovis Credit Report?

    A Security Freeze prevents your Innovis Credit Report from being accessed by most third parties in connection with an application for new credit. With a Security Freeze in place, you will need to take special steps when you wish to apply for any type of credit. Third parties that still have access to your Innovis Credit Report when a Security Freeze is in place include:

    Companies that have current accounts or relationships with you
    Collection agencies acting on behalf of companies that have a current account or existing relationship with you
    Credit monitoring companies
    State or local agencies including law enforcement or child support agencies
    Federal government agencies as permitted under the Fair Credit Reporting Act

    Innovis Security Freeze Options

    You can request a Security Freeze or manage an existing Security Freeze:

    Online: Submit the Security Freeze Request Online form.

    Phone: 1-866-712-4546

    Mail: Complete the Security Freeze Request by Mail form.

    A Security Freeze will be placed on your Innovis Credit Report after your request has been received and your identity has been verified. You will receive a confirmation letter by mail that contains a 10-digit Security Freeze PIN. You can request a replacement Security Freeze PIN or a lift PIN online, by phone, or by mail.

  26. Mr. Natural

    So, I searched both npdbreach.com and npd.pentester.com to see if I was affected. Pentester said yes, Npdbreach said no. What should I make of that?

    1. Mr. Natural

      OK, I figured out that I had to use an older Zip Code on Npdbreach to get hits. But not only am I getting inaccurate addresses, I get hits for incorrect birth years. How seriously should I take this?

  27. Mike

    Folks should also check their SSA login – someone I know had their account compromised.
    Might not have been directly related but the timing is certainly suspicious.

    Also, there is a new requirement to establish an account via “Login.gov” or “ID.me”
    in order to access your SSA information:

    https://www.ssa.gov/myaccount/account-transition-faqs.html

    If you haven’t done so already, now is the time to make the transition.
    I like it because they have a number of different methods for 2FA.

    Lastly, check all financial portal accounts and leverage 2FA if available.
    The fraudsters continue to aggregate information from past breaches, so be
    aware and implement appropriate safeguards.

    Mike
