National Public Data Published Its Own Passwords (krebsonsecurity.com)
Security researcher Brian Krebs writes: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased). NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.
Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property -- the background search service recordscheck.net -- was hosting an archive that included the usernames and password for the site's administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.
Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company's website, and that the site is slated to cease operations "in the next week or so." "Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative." The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.
Satanism at work. (Score:3, Funny)
This is what happens when you hand over all your authority to children.
Re: (Score:2)
Make it illegal, for any computer system to hold our SS numbers unless it is directly related to Social Security benefits type business.
Anything not directly SS related....you cannot store that number.
There is NO need to hold this number unless it is SS related.
I mean, why do most power companies want it? I didn't give it to mine, and after raising a bit of a stink, they gave me my account without it....so, too many people have it that have absolutely no reaso
Re: (Score:2, Insightful)
The problem is not that too many people have it; it's that it was never designed to be a secret. It's an identity, not an authentication token.
What we really need is legislation that -
Places ALL liability for fraud, abuse or any other damage resulting from the use of an SSN for authentication decisions on the party using it for authentication. That is, individuals should be asked for evidence proving an SSN belongs to them, NOT being asked for an SSN to prove any other identifier belongs to them.
The Public never
Re: (Score:2)
Some nations have a national ID number that the person should secure, and then they can use that number to generate numbers they can share. Seems like a decent concept.
Re: Satanism at work. (Score:2)
Americans are somewhat resistant to a national ID system. Even the SSN is just an account number used to track your payments and benefits for what is essentially a national pension.
Re: (Score:2)
NO THANK YOU.
As another poster mentioned, many, if not most of us in the US do not want a national ID and think it is a BAD idea.
SS number is bad enough.....and I hate the Real ID drivers licenses they've finally forced through....
Re: (Score:2)
many, if not most of us in the US do not want a national ID and think it is a BAD idea
Well, too bad. We de facto have a national ID (SSNs) and we're all worse off because it was never designed to be used for that purpose. Let's not bury our heads in the sand, and instead try to come up with something better.
Re: (Score:2)
Basically this. The SSN is a national ID, and while I'm not a fan of having such a thing, claiming we don't and then going lalalalala won't make it go away. Far more practical to just admit we have it and make it as good as possible. Having a crap system is the worst of both worlds.
Re: (Score:2)
Actually, it is not...and it is a BAD number to count on to be unique.
First of all, they have been reused since inception.
You cannot count on everyone having one....and even before the mass illegal influx of people, they were
Re: (Score:2)
So, it is a VERY poor national ID
Yeah that's pretty much what I said. Thanks.
Re: (Score:2)
> I mean, why do most power companies want it? I didn't give it to mine, and after raising a bit of a stink
Yup, it is bullshit. I've done the same and when they raise a ruckus about it I always say:
"Is there a law that REQUIRES me to have one? No so put down 000-00-0000."
Re: (Score:2)
It's probably time we found a different way to identify people for the purpose of determining credit-worthiness.
Slashdot's favorite password (Score:2)
The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.
1-2-3-4-5? That's the same combination as my luggage!
Prison? (Score:3)
Can someone finally go to jail for gross negligence instead of them paying $50 and immediately moving to Go?
Might be a challenge (Score:2)
Re:Prison? (Score:5, Insightful)
Corporations are people until it comes to punishments.
Dave Chappelle nailed this 20 years ago with normal people justice and rich people justice. https://youtu.be/HeOVbeh2yr0?s... [youtu.be]
Re: (Score:3)
Can someone finally go to jail for gross negligence instead of them paying $50 and immediately moving to Go?
How would rewriting the web site in Go help?
Not "National Private Data" (Score:4, Insightful)
I guess this is why they're National *Public* Data - all the national data gets made public.
Aside from the negligence of this company leaking all this private data, it's a bit scary that they have it to begin with
Re: (Score:2)
It sees you when you're sleeping.
It knows when you're awake.
It knows when you've been doing the approved good.
It knows when you're a waste.
With very high probability, you are among the carbon that will get reduced.
This takes a special kind of stupid (Score:3)
One can argue cockup before conspiracy all one wants -- but, if this isn't deliberate it is breathtakingly stupid.
On a par with those who tape their passwords under their keyboards. And yes, I've seen that for real. This is much worse, though.
That file should have a trail of who / what left it there. Question is, reprimand the perpetrator, or reward them?
Re: (Score:2)
On a par with those who tape their passwords under their keyboards. And yes, I've seen that for real.
That's (marginally) better than the clowns that keep passwords on a post-it note stuck to their monitor.
123456 (Score:4, Funny)
Oh, no, now I'm going to have to change the password on my luggage!
can we each small claims court them? (Score:1)
Re: (Score:2)
Who is 'them'? The bankrupt corporation?
Re: can we each small claims court them? (Score:1)
Was it "123456" or "verini"? (Score:2)
Re: (Score:2)
I'll have to go with 'monkey'. Nobody will ever guess that!
Need stronger sensitive data handling regulations (Score:2)
Re: (Score:2)
There are regulations and it's even illegal for some places to keep a lot of this data except for the purposes for which it was designed, but it's become simply too convenient to use the SSN as a unique identifier that everyone does it.
Stop the planet, I want to get off (Score:3)
It's a sick world when hoarding this information is a business. It's a dumb world when people failing to hide sensitive information are allowed to walk down the street. There's no point blaming the criminal, there's always an arsehole around: the problem is the other arseholes pretending nothing bad will happen. It's frightening how many of them have money and/or authority over people.
Re: (Score:2)
I'd rather this than NPD selling my data (Score:2)
I mean, I don't really see the difference between what USDoD and NPD were doing. Both of them were selling my data, certainly without my knowledge, and likely without my permission. World's smallest violin for NPD on this one.
"including many who are deceased" (Score:2)
...these being a gold mine for anyone wishing to assume their identity for nefarious purposes like fraudulent voter registration. Let's hope the Federal Election Commission is going to be extra vigilant this November in screening out those with expired franchises.