{"id":25095,"date":"2024-08-21T05:10:32","date_gmt":"2024-08-21T13:10:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/21\/news-18825\/"},"modified":"2024-08-21T05:10:32","modified_gmt":"2024-08-21T13:10:32","slug":"news-18825","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/21\/news-18825\/","title":{"rendered":"National Public Data leaked passwords online"},"content":{"rendered":"\n

Earlier this month, a huge trove of data from scraping service National Public Data was posted online<\/a>. The dump made international headlines because it included data on hundreds of millions of people, and included Social Security Numbers.<\/p>\n

As if that wasn’t bad enough, KrebsOnSecurity<\/a> is now reporting on another National Public Data company found hosting a file online that included the usernames and passwords for the back-end of its website, including for the site\u2019s administrator.<\/p>\n

The website of this company, Records Check, is hosted at recordscheck.net, and is very similar to nationalpublicdata.com with identical login pages. The publicly-accessible file, which has now been taken offline, showed that all RecordsCheck users were given the same 6-character password with instructions to change that password. Which many failed to do.<\/p>\n

National Public Data\u2019s founder, Salvatore \u201cSal\u201d Verini told Krebs that the exposed file has been removed from the company\u2019s website, and that the entire site will cease operations \u201cin the next week or so.\u201d<\/p>\n

But that’s a bit too little too late. As bad as we feel about companies like these scraping our data, it’s even worse to see how carelessly they handle our personal information.<\/p>\n

Different<\/h2>\n

Back to the original NPD data dump, we now know a lot more now about this database.<\/p>\n

Allegedly, the 277 GB set of data contained Social Security numbers and other sensitive data of about 2.9 billion people. That seems a stretch, so we looked into that.<\/p>\n

The estimates from our researchers say that it contains 272 million unique social security numbers. That could mean that the majority of US citizens could be affected, although numerous people confirmed to BleepingComputer<\/a> that it also included information about deceased relatives.<\/p>\n

There are a few aspects in this case that make it very different from other data breaches.<\/p>\n

For one, the data was \u201cscraped,\u201d meaning it was pulled from various sources and combined in a large database. So that means the data was already \u201cout there.\u201d Combining data sets often leads to duplicate records, for example, the same person but living at a different address will be listed twice.<\/p>\n

However, combining the data in such a large database does allows those with access to amass a huge amount of data about each person.<\/p>\n

Second, because of the scraping, there is no direct link between the breached entity and the people whose data is in the leaked database. Normally, businesses will inform their affected customers about what happened, offer credit monitoring services, and let them know what exactly was stolen.<\/p>\n

Depending on the outcome of a complaint<\/a> filed in the US District Court for the Southern District of Florida some of this might still happen, but it\u2019s unlikely that it will be anywhere near what a company worried about it\u2019s customers might be willing to do.<\/p>\n

National Public Data has set up a website<\/a> (only accessible with a US IP address, so from outside the US you may need to use a VPN<\/a>) about the breach. According to that website:<\/p>\n

\n

\u201cThe information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).\u201d<\/p>\n<\/blockquote>\n

Protecting yourself after a data breach<\/h2>\n

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach<\/a>.<\/p>\n