
MacRumors

macrumors bot
Original poster
Apr 12, 2001


Earlier this month, data broker National Public Data (NPD) announced that there had been a major data breach that saw hackers obtain millions of names, email addresses, phone numbers, social security numbers, and mailing addresses stored in its database. NPD is a company that does employee background checks, aggregating public data from numerous sources and selling it.


NPD's security was clearly lacking to allow for the breach in the first place, but a new report from KrebsOnSecurity suggests that an NPD sister site made an even more grievous error, hosting an easily accessible plaintext archive with usernames and passwords.

RecordsCheck.net, a site affiliated with NPD that hosts much of the same information, had a "members.zip" file that was downloadable until yesterday. It had source code and plain text usernames and passwords for RecordsCheck users, including logins belonging to NPD's founder, Salvatore Verini. The logins that were made available through RecordsCheck allowed access to the same data that was available via NPD.

After being alerted by KrebsOnSecurity, RecordsCheck removed the file, and NPD is shutting down the site, according to Verini. He told KrebsOnSecurity that the file had an "old version of the site with non-working code and passwords."

There are websites that are available to see if your information was leaked in the NPD breach, and it is advisable to lock down your credit.

The NPD leak included decades of information, including data from people who are now deceased. 137 million email addresses were leaked, as were 272 million social security numbers. A lawsuit has since been filed against NPD.

Article Link: Major 'National Public Data' Leak Worse Than Expected With Passwords Stored in Plain Text
 
The DOJ should be pursuing criminal charges, if not financial ones as well, to send a message to other data brokers on their relaxed security. In addition, proper legislation needs to be enacted to prevent such mass collection without any proper protocols enforced, which currently does not exist.
 
Amazing how often our data is stolen and yet no one is ever really held accountable to the full degree of the pain it inflicts on the victims. Free ID protection (for 6 months) and "How to not have my identity stolen" classes don't cut it. The companies responsible for this should have never been able to keep any of the data to begin with. Whether it's SSN and medical data or usernames and passwords, all stolen... something's gotta replace all this and IF there's ever a breach, those responsible for storing the data need to be held accountable.
 
I've been saying it for years, data brokers should be abolished and shut down. Imagine if this would've happened to LexisNexis, which has an even larger data set; it's a huge slippery slope. Then the solutions are on the consumer to deal with, in this case putting in a credit freeze. Those 2.9 billion people's records should have an automatic credit freeze put in place; people shouldn't have to go around requesting one.
 
I don't understand this. I thought 2.9 BILLION records were leaked (I understand that duplicates or multiple records referring to the same people make up this number)? Doesn't this report only tell us how the data was hacked, but doesn't make it WORSE?

I probably misunderstood something. Can somebody explain?
 
These companies need to be held accountable when things like this happen. They should be fined millions, and all leadership should be replaced immediately.
These data companies just have to grease the right hands and someone will introduce a bill to cap damages. I'd like to see them be fined billions. Make it hurt. Only then will they take security seriously.


It’s hard to miss the irony. Last Thursday, on the same day Equifax announced its massive data breach, Congress held a hearing on a bill that would roll back regulations on the nation’s credit bureaus.

Republican members of the House are currently considering six proposals as part of their Legislative Proposals for a More Efficient Federal Financial Regulatory Regime. The FCRA Liability Harmonization Act (H.R. 2359) would reduce the penalties for credit bureaus when they harm consumers.

The bill, introduced by Rep. Barry Loudermilk (R-Georgia), would cap damage awards in class action lawsuits at $500,000 filed under the Fair Credit Reporting Act, and eliminate punitive damages entirely. A press release announcing the bill said it’s designed to “curb abuses in the court system” and bring consistency to our nation’s consumer financial protection laws.

Before Equifax discovered a massive computer breach that exposed sensitive information about millions of Americans, the company lobbied Congress on legislation to limit how much it could be forced to pay if sued by consumers, and it pressed lawmakers to roll back the powers of its regulators.

Since at least 2015, the credit reporting agency has repeatedly lobbied lawmakers on issues related to “data security and breach notification,” according to federal disclosure forms.

The company's spending on lobbying peaked at $1.1 million last year, and Equifax has spent $500,000 already this year, according to data collected by the Center for Responsive Politics.

The industry’s efforts have come as the Trump administration has made loosening regulations a key priority and Republicans have pushed to pare the powers of one of the credit agencies’ key regulators, the Consumer Financial Protection Bureau.

The industry, including Atlanta-based Equifax, appeared to be making headway earlier this year when a Georgia congressman introduced legislation that would limit the damages companies could be forced to pay if sued.

The legislation would “strike a fair balance,” putting the penalties credit reporting agencies could face under the Fair Credit Reporting Act on par with what firms face under other laws, Republican Rep. Barry Loudermilk said at a Sept. 7 hearing on the proposal. He noted that the legislation had significant support from various groups, including the Consumer Data Industry Association, which represents the credit bureaus.

The timing of the hearing proved awkward: Equifax announced later that day that it had suffered a massive hack that put millions of people at risk of identity fraud. The company said that its security team first observed suspicious activity July 29 and that it hired a cybersecurity firm to conduct a forensic review on Aug. 2.

The legislation would have addressed one of the industry’s biggest issues. The number of class-action lawsuits filed under the Fair Credit Reporting Act has increased 1,700 percent over the past 20 years, according to the U.S. Chamber of Commerce, which also supported the bill. And the industry has faced some expensive court losses recently, including in June, when a jury awarded more than a dozen plaintiffs $60 million after finding that Chicago-based TransUnion didn’t take reasonable steps to prevent them from wrongly being identified as potential criminals or terrorists on their credit reports.

TransUnion called the jury’s award “grossly excessive” in court documents and said it would more than wipe out the profit it earned in the year of the alleged misconduct. It is fighting to reduce the award or win a retrial.


The NPD leak included decades of information, including data from people who are now deceased. 137 million email addresses were leaked, as were 272 million social security numbers. A lawsuit has since been filed against NPD.
272 million social security numbers leaked. A fine of $2.72 billion means each person gets $10. At $100 per SS#, that's a $27.2 billion fine.
 
I don't understand this. I thought 2.9 BILLION records were leaked (I understand that duplicates or multiple records referring to the same people make up this number)? Doesn't this report only tell us how the data was hacked, but doesn't make it WORSE?

I probably misunderstood something. Can somebody explain?
It explains it in the article.
Bleeping Computer reports that the hacked data involves 2.7 billion records, with individuals having multiple records in the database. In other words, one individual could have separate records for each address where they've lived, which means the number of impacted people may be far lower than the lawsuit claims, the site noted.
 