A huge data leak that emanated from National Public Data, impacting around 2.7 billion people, could be worse than initially feared.
The Florida-based data broker belatedly acknowledged the original security incident, posting a notice on its website to advise of “potential leaks of certain data in April 2024 and summer 2024”.
Names, addresses, online usernames, and even social security numbers were leaked in the breach at NPD. The data was put up for sale on the dark web in April this year by a hacker group known as ‘USDod’, for an asking price of $3.5 million.
Now, a report from KrebsOnSecurity has outlined a second NPD data broker, which uses the same consumer records, made a serious error in publishing the passwords to its back-end system in a file that was widely available on its site until yesterday (August 19).
Recordscheck.net – a sister entity which provides background search checks – was hosting an archive storing usernames and passwords for the site administrator, but the repository was left wide open to access.
Impacted Site Due to Be Taken Down Imminently
A closer look at the archive revealed the source code and plain text username and password credentials for more than one aspect of recordscheck, which has a similar appearance and purpose to NPD’s main site.
The vulnerable archive was named members.zip, providing a further giveaway to prying eyes.
KrebsOnSecurity relayed info from the breach tracking platform Constella Intelligence, which stated the passwords found in the source code were identical to those in the previous data breaches. NPD founder and former actor Sal Verini was also impacted with some of his email accounts included in the data leakage.
Verini is said to have indicated the exposed archive holding recordscheck credentials has been pulled and the site is due to be taken down “in the next week or so”.