
National Public Data Published Its Own Passwords (krebsonsecurity.com)

Security researcher Brian Krebs writes: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased). NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.

Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property -- the background search service recordscheck.net -- was hosting an archive that included the usernames and passwords for the site's administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company's website, and that the site is slated to cease operations "in the next week or so." "Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative." The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.

  • by Narcocide ( 102829 ) on Monday August 19, 2024 @08:39PM (#64719738) Homepage

    This is what happens when you hand over all your authority to children.

    • Why don't we push the feds for ONE law here.

      Make it illegal, for any computer system to hold our SS numbers unless it is directly related to Social Security benefits type business.

      Anything not directly SS related....you cannot store that number.

      There is NO need to hold this number unless it is SS related.

      I mean, why do most power companies want it? I didn't give it to mine, and after raising a bit of a stink, they gave me my account without it....so, too many people have it that have absolutely no reaso

      • Re: (Score:2, Insightful)

        by DarkOx ( 621550 )

        The problem is not that too many people have it; it's that it was never designed to be a secret. It's an identity, not an authentication token.

        What we really need is legislation that -
        Places ALL liability for fraud, abuse or any other damage resulting from the use of an SSN for authentication decisions on the party using it for authentication. That is, individuals should be asked for evidence proving an SSN belongs to them, NOT asked for an SSN to prove any other identifier belongs to them.

        The Public never

      • Some nations have a national ID number that the person should secure, and then they can use that number to generate numbers they can share. Seems like a decent concept.

        • Americans are somewhat resistant to a national ID system. Even the SSN is just an account number used to track your payments and benefits for what is essentially a national pension.

        • Some nations have a national ID number that the person should secure, and then they can use that number to generate numbers they can share. Seems like a decent concept.

          NO THANK YOU.

          As another poster mentioned, many, if not most of us in the US do not want a national ID and think it is a BAD idea.

          SS number is bad enough.....and I hate the Real ID driver's licenses they've finally forced through....

          • many, if not most of us in the US do not want a national ID and think it is a BAD idea

            Well, too bad. We de facto have a national ID (SSNs) and we're all worse off because it was never designed to be used for that purpose. Let's not bury our heads in the sand, and instead try to come up with something better.

            • Basically this. The SSN is a national ID, and while I'm not a fan of having such a thing, claiming we don't and then going lalalalala won't make it go away. Far more practical to just admit we have it and make it as good as possible. Having a crap system is the worst of both worlds.

              • Basically this. The SSN is a national ID, and while I'm not a fan of having such a thing, claiming we don't and then going lalalalala won't make it go away. Far more practical to just admit we have it and make it as good as possible. Having a crap system is the worst of both worlds.

                Actually, it is not...and it is a BAD number to count on to be unique.

                First of all, they have been reused since inception.

                You cannot count on everyone having one....and even before the mass illegal influx of people, they were

      • > I mean, why do most power companies want it? I didn't give it to mine, and after raising a bit of a stink

        Yup, it is bullshit. I've done the same and when they raise a ruckus about it I always say:

        "Is there a law that REQUIRES me to have one? No? So put down 000-00-0000."

    • Don't insult children.

      It's probably time we found a different way to identify people for the purpose of determining credit-worthiness.
  • The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

    1-2-3-4-5? That's the same combination as my luggage!

  • by wgoodman ( 1109297 ) on Monday August 19, 2024 @09:09PM (#64719790)

    Can someone finally go to jail for gross negligence instead of them paying $50 and immediately moving to Go?

  • by Ksevio ( 865461 ) on Monday August 19, 2024 @09:19PM (#64719794) Homepage

    I guess this is why they're National *Public* Data - all the national data gets made public.

    Aside from the negligence of this company leaking all this private data, it's a bit scary that they have it to begin with.

    • Big Data is like Santa

      It sees you when you're sleeping.
      It knows when you're awake.
      It knows when you've been doing the approved good.
      It knows when you're a waste.

      With very high probability, you are among the carbon that will get reduced.
  • by TigerPlish ( 174064 ) on Monday August 19, 2024 @09:52PM (#64719830)

    One can argue cockup before conspiracy all one wants -- but, if this isn't deliberate it is breathtakingly stupid.

    On a par with those who tape their passwords under their keyboards. And yes, I've seen that for real. This is much worse, though.

    That file should have a trail of who / what left it there. Question is, reprimand the perpetrator, or reward them?

    • by GoTeam ( 5042081 )

      On a par with those who tape their passwords under their keyboards. And yes, I've seen that for real.

      That's (marginally) better than the clowns that keep passwords on a post-it note stuck to their monitor.

  • 123456 (Score:4, Funny)

    by Tony Isaac ( 1301187 ) on Monday August 19, 2024 @10:42PM (#64719878) Homepage

    Oh, no, now I'm going to have to change the password on my luggage!

  • wondering if there's a claim to be made
  • 6 character password of an actor with last name Verini. Hmmmm.... what are the odds it's 123456 or verini?
  • We need regulations about collecting and handling sensitive data like this. It should mirror regulations of handling other sensitive materials, like poisons, nuclear materials, narcotics, etc. If you are the company that collects it, buys it, stores it, it must pass stringent tests, and it is held responsible for what happens to the data, including if they sold it to some ACME Inc company (they can get indemnification from ACME, but if ACME goes under, the responsibility falls onto whoever sold ACME the dat
    • by CAIMLAS ( 41445 )

      There are regulations, and it's even illegal in some places to keep a lot of this data except for the purposes for which it was designed, but it's become simply so convenient to use the SSN as a unique identifier that everyone does it.

  • by NotEmmanuelGoldstein ( 6423622 ) on Tuesday August 20, 2024 @04:32AM (#64720220)

    ... plain text usernames and passwords ...

    It's a sick world when hoarding this information is a business. It's a dumb world when people failing to hide sensitive information are allowed to walk down the street. There's no point blaming the criminal, there's always an arsehole around: The problem is the other arseholes pretending nothing bad will happen. It's frightening how many of them have money and/or authority over people.

  • I mean, I don't really see the difference between what USDoD and NPD were doing. Both of them were selling my data, certainly without my knowledge, and likely without my permission. World's smallest violin for NPD on this one.

  • ...these being a gold mine for anyone wishing to assume their identity for nefarious purposes like fraudulent voter registration. Let's hope the Federal Election Commission is going to be extra vigilant this November in screening out those with expired franchises.
