New details are emerging about the breach National Public Data (NPD), a consumer data vendor that recently released hundreds of millions of US Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data vendor that shares access to the same consumer records unknowingly published passwords to its backend database in a file that was freely available on the home page until today.
In April, a hacker named USDoD started selling stolen data from NPD. In July, the names, addresses, phone numbers and email addresses of more than 272 million people (including many who are no longer alive) were leaked.
The NPD acknowledged the intrusion on August 12, saying it began with a security incident in December 2023. In an interview last week, the USDoD blamed the July data breach on another malicious hacker who also gained access to the company’s database, which they say they still have. has been floating underground since December 2023.
Following last week’s story about the scope of the NPD breach, a reader informed KrebsOnSecurity that NPD’s sister site – a background search service. recordscheck.net — held an archive that included the site administrator’s usernames and passwords.
A review of that archive, which was available on the RecordsCheck website until just before publication this morning (August 19), shows that it includes source code and plain text usernames and passwords for various parts of recordscheck.net, which look similar to nationalpublicdata.com and include similar login pages.
The featured archive, named “members.zip,” indicates that all RecordCheck users were initially given a six-character password and instructed to change it, but many did not.
According to breach-tracking service Constella Intelligence, the passwords included in the source code archive match details exposed in previous data breaches involving the email accounts of the NPD founder, an actor and a retired Florida sheriff’s deputy. Salvatore “Sal” Verini.
Received by email, Mr. Verini said the leaked archive (.zip file) containing recordscheck.net information has been removed from the company’s website, and that the site is expected to go down “in the next week or so.”
“As for the zip, it was removed but it was an old version of the site with invalid code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, which we cannot comment on at this time. But when we know it, we will [be] and you, as we follow your blog. It is very educational.”
The leaked source code of recordscheck.net shows that the website was built by a web development company based in Lahore, Pakistan called. creativenext.comwhich did not return messages that require comment. The home page of CreationNext.com has a great testimonial from Sal Verini.
Testimony from Sal Verini on the homepage of CreationNext, a web development company in Lahore, Pakistan that apparently designed NPD and RecordsCheck.
There are now several websites set up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a search page created by Atlas Data Privacy Corp. Another lookup resource is available at npd.pentester.com. Both sites indicated that NPD had outdated and very inaccurate data on Yours Truly.
The best advice for those affected by this violation is to file a credit file with each of the major consumer reporting agencies. Having a freeze on your files makes it more difficult for identity thieves to create new accounts in your name, and limits who can view your credit information.
Stopping is a good idea because all the information ID thieves need to guess who you are is now widely available from multiple sources, thanks to the number of data breaches we’ve seen involving SSN data and other important static data points about people.
Screenshots of a Telegram-based ID theft service that was selling background reports using hacked USInfoSearch law enforcement accounts.
There are many cybercrime services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers catering to private investigators and law enforcement officials, and some are now fully automated with instant messaging Telegram bots.
In November 2023, KrebsOnSecurity wrote about one such service, which was powered by hacked accounts at US consumer data vendor USInfoSearch.com. This is notable because the leaked source code shows background Check Records reports that direct people with queries to the NPD database and records to USInfoSearch. KrebsOnSecurity has sought comment from USInfoSearch and will update this story if they hear back.
The point is, if you’re an American who hasn’t falsified your credit files and hasn’t experienced some form of new account fraud, ID thieves probably haven’t gotten to you yet.
All Americans are also entitled to a free copy of their credit report every week from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each agency per year, but in October 2023 Federal Trade Commission announced that the bureaus have indefinitely extended the program that allows you to check your credit report once a week for free.
If you haven’t done this in a while, now would be a great time to order your files. To set it up, you’ll need to create an account with the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve created an account, you should be able to view and set up your credit file. If you see errors, such as random addresses and phone numbers you don’t recognize, don’t ignore them. Challenge any negatives you may find.
Source link