Encountering Plain Text Passwords in the NPD Security Breach
Repercussions of the NPD Data Breach
National Public Data (NPD) confirmed last week that it suffered a security breach dating back to December last year. An alleged stolen NPD database containing 2.9 billion lines of data, including Social Security numbers, was advertised on the dark web in April by a hacker group known as USDoD for $3.5 million. The stolen data has since been posted publicly in various locations.
Discovery of Plain Text Passwords
Krebs On Security reports a roughly identical website to NPD called recordscheck.net was found to be hosting an archive containing site logins as well as source code for some of the site's tools in plaintext. That would’ve been enough information to access the same consumer records as NPD. The now-removed file contained email data belonging to NPD founder Salvatore Verini, an actor and retired sheriff’s deputy from Florida.
Official Response and Next Steps
In an email exchange with Krebs On Security, Verini wrote that the file contained an old website version with “non-working code,” and that the site will cease operations “in the next week or so.” Verini did not comment further, citing an “active investigation.” Krebs On Security also found that Verini wrote a positive testimonial for Creation Next, a web developer company mentioned in the archived source code.
Consumer Protection Measures
Since the leak on the hacker forum last month, several websites like npdbreach.com, from Atlas Data Privacy Corp, and npd.pentester.com have popped up, claiming to offer searches to find out if your information is included in the leak. Using these services, of course, means you need to put your name, birth year, and perhaps your SSN into someone’s form. As Krebs notes, given the many leaks that have already revealed similar information, the best course of action may be to put a freeze on your credit report with the major bureaus (Equifax, Experian, and TransUnion) and take advantage of the free weekly credit reports you are entitled to.
This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.