National Public Data (NPD), a background check company, admitted it exposed sensitive info like phone numbers, addresses, and Social Security Numbers to hackers. While the company hasn’t shared how big the breach is, it supposedly involves 2.7 billion records, likely including some data on almost every American.
It gets even worse — a new report revealed that another NPD data broker, which shares access to the same consumer records, published user passwords to its back-end database.
GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE
What you need to know
KrebsOnSecurity reported that a sister NPD property, called recordscheck.net, was hosting an archive that included the usernames and passwords of the site’s administrator.
A review of the now-removed archive reveals that it contained the source code, along with plain text usernames and passwords, for various components of recordscheck.net. This site bears a striking resemblance to nationalpublicdata.com, with matching login pages.
The exposed archive, titled “members.zip,” suggests that all RecordsCheck users were initially given the same six-character password and advised to change it—though many didn’t.
According to KrebsOnSecurity, which referenced breach tracking service Constella Intelligence, the passwords found in the source code archive match those exposed in earlier data breaches. This suggests that millions of users may be affected in this case as well.
We reached out for a comment from RecordsCheck and they did not respond in time of publishing.
PHARMA GIANT’S DATA BREACH EXPOSES PATIENTS’ SENSITIVE INFORMATION
National Public Data’s response
Salvatore “Sal” Verini, the founder of NPD and a retired sheriff’s deputy from Florida, told KrebsOnSecurity that the exposed archive, a .zip file containing recordscheck.net credentials, has been removed from the company’s website. Verini also mentioned that the site is scheduled to shut down “in the next week or so.”
WORLD’S LARGEST STOLEN PASSWORD DATABASE UPLOADED TO CRIMINAL FORUM
Reminder to invest in identity theft protection
News of the NPD data breach surfaced after a California man filed a lawsuit against the company, as reported by Bloomberg. He discovered the breach through his identity theft protection service, which flagged his data in the leaked database. Since then, many people online have reported receiving similar alerts from their protection services, allowing them to take action before it was too late.
In 2024, an identity theft protection service is practically a must-have. If you’ve been keeping up with CyberGuy articles, you’ve probably seen frequent reports on data breaches, whether it’s the AT&T breach, Dell breach, or the Advance Auto Parts leak.
While there are many services that you can sign up for, my top recommendation is Identity Guard. It can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. It can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
CyberGuy’s Exclusive Offer: Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
See my tips and best picks on how to protect yourself from identity theft.
4 additional tips to protect yourself from data breaches
Identity theft protection is the first thing I recommend to everyone, but there are also steps you can take to protect yourself.
1) Be careful with passwords: The recordscheck.net leak exposed passwords, and as I discussed, many users didn’t change the auto assigned passwords. That’s a big mistake. Always create strong passwords for your accounts and devices, and avoid using the same password for multiple online accounts.
Consider using a password manager to securely store and generate complex passwords. It will help you to create unique and difficult-to-crack passwords that a hacker could never guess. Second, it also keeps track of all your passwords in one place and fills passwords in for you when you’re logging into an account so that you never have to remember them yourself.
One of the best password managers out there is 1Password. With no known security breaches or vulnerabilities, 1Password is a solid option as a paid password manager. It utilizes a well-designed interface, which features core components that are expected from premium, paid password managers. At the time of publishing, it starts at $2.99 a month, billed annually, for a total of $35.88/year, and you can save more with a family option which includes 5 family members for $60/year.
Get more details about my best expert-reviewed Password Managers of 2024 here.
2) Remove your personal information from the Internet: While no service can completely erase your data from the Internet, using a data removal service is a smart move, especially in light of recent data breaches like the NPD incident. These services aren’t cheap, but neither is your privacy.
They handle the heavy lifting by continuously monitoring and systematically removing your personal information from countless websites. This gives peace of mind and is one of the most effective ways to safeguard your data online. My top recommendation is Incogni, which has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
Get Incogni for your family (up to 4 people) here
3) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
4) Routinely check your credit reports: Obtain a free copy of your credit report from each of the three credit reporting agencies mentioned earlier. Review the reports carefully for any suspicious or unauthorized activity. If you find any inaccuracies or signs of fraud, report them to the credit reporting agency immediately.
4.3 MILLION AMERICANS EXPOSED IN MASSIVE HEALTH SAVINGS ACCOUNT DATA BREACH
Kurt’s key takeaway
The NPD data breach and the security incident involving its sister website highlight the irresponsibility of these companies in handling sensitive public information. There is an urgent need for governments to step in and impose serious legal consequences, not just a slap on the wrist. Fines should be involved. Anyone dealing with sensitive data must ensure that the data is encrypted and take measures to prevent it from falling into the wrong hands.
Do you believe current regulations are sufficient for handling data breaches, or do they need to be more stringent? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
2 comments