Encountering Plain Text Passwords in the NPD Security Breach

Monday, 19 August 2024, 14:58
Plain text passwords have potentially compromised the National Public Data (NPD), leading to a significant data breach. The breach, dating back to December, involved an extensive database of sensitive information. Notably, hackers have surfaced a near-identical website, revealing further risks to consumer security. Read more for crucial insights into the implications of these breaches.
The Verge
Encountering Plain Text Passwords in the NPD Security Breach

Repercussions of the NPD Data Breach

National Public Data (NPD) confirmed last week that it suffered a security breach dating back to December last year. An alleged stolen NPD database containing 2.9 billion lines of data, including Social Security numbers, was advertised on the dark web in April by a hacker group known as USDoD for $3.5 million. The stolen data has since been posted publicly in various locations.

Discovery of Plain Text Passwords

Krebs On Security reports a roughly identical website to NPD called recordscheck.net was found to be hosting an archive containing site logins as well as source code for some of the site's tools in plaintext. That would’ve been enough information to access the same consumer records as NPD. The now-removed file contained email data belonging to NPD founder Salvatore Verini, an actor and retired sheriff’s deputy from Florida.

Official Response and Next Steps

In an email exchange with Krebs On Security, Verini wrote that the file contained an old website version with “non-working code,” and that the site will cease operations “in the next week or so.” Verini did not comment further, citing an “active investigation.” Krebs On Security also found that Verini wrote a positive testimonial for Creation Next, a web developer company mentioned in the archived source code.

Consumer Protection Measures

Since the leak on the hacker forum last month, several websites like npdbreach.com, from Atlas Data Privacy Corp, and npd.pentester.com have popped up, claiming to offer searches to find out if your information is included in the leak. Using these services, of course, means you need to put your name, birth year, and perhaps your SSN into someone’s form. As Krebs notes, given the many leaks that have already revealed similar information, the best course of action may be to put a freeze on your credit report with the major bureaus (Equifax, Experian, and TransUnion) and take advantage of the free weekly credit reports you are entitled to.

This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.

Related posts

Newsletter

Get the most reliable and up-to-date financial news with our curated selections. Subscribe to our newsletter for convenient access and enhance your analytical work effortlessly.

Subscribe