Scoop: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available for download from its homepage until today.
https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/
National Public Data Published Its Own Passwords
BrianKrebs, in reply to BrianKrebs:

noplasticshower, in reply to BrianKrebs:
surveillance capitalism for the win
Data do have value though... so that effect runs counter to the don't-secure-it perspective.
https://www.lawfaremedia.org/article/why-the-data-ocean-is-being-sectioned-off
Why the Data Ocean Is Being Sectioned Off

BrianKrebs, in reply to noplasticshower:

noplasticshower, in reply to BrianKrebs:

Σ(i³) = (Σi)², in reply to noplasticshower:

BrianKrebs, in reply to Σ(i³) = (Σi)²:

Shadow06, in reply to BrianKrebs:
People don't like blaming incentives, but they drive everything.
Unfortunately it removes the bogeyman and makes the problem harder, but it's more realistic.
Change the incentives.
Magenta Rocks, in reply to BrianKrebs:

Adam Shostack :donor: :rebelverified:, in reply to BrianKrebs:

Swalsh, in reply to BrianKrebs:

NosirrahSec 🏴☠️, in reply to BrianKrebs:
They'll start caring when we start putting them in jail for life. (I can't say what should really happen to them.)
They're some of the worst humans alive and they deserve no respect as humans.
Darwin Woodka, in reply to BrianKrebs:

Djembro, in reply to BrianKrebs:

BrianKrebs, in reply to Djembro:
@djembro I mentioned two different sites that you can use to check if your data is in there.
"There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly."
DEDGirl, in reply to BrianKrebs:

VessOnSecurity, in reply to BrianKrebs:
I used one of the links in your article to check my aunt in California, and, sure enough, her data has been leaked.
I called her to tell her the bad news, but she was pretty cool about it. Turns out her data had already been stolen a couple of years ago from some university, and the university has given her some free credit monitoring service which still hasn't expired. 😀
StuartB, in reply to BrianKrebs:

ZephyrXero, in reply to BrianKrebs:

Bruce Heerssen, in reply to BrianKrebs:

Chris from Earth, in reply to BrianKrebs:

David W. Jones, in reply to BrianKrebs:

Dr. Todd A. Jacobs, in reply to BrianKrebs:
The best way to prevent #dataexfiltration when breached is not to collect or store unnecessary data in the first place. That makes many of the current spate of #databreaches avoidable, self-inflicted incidents for which large companies are never held accountable in any truly meaningful way.
You're spot on when you say that #databrokers rely on large #datalakes of sensitive data they don't need directly. They also rely on large data sets where any typical datum may be harmless in itself, but often becomes sensitive or dangerous when aggregated, and often exponentially more so when connected to intrinsically sensitive data such as #PII, #PHI, or identity.
Setting aside the financial incentives and lack of accountability for the data brokers, how do #businessleaders, #regulatoryagencies, and #electedpoliticians justify this state of affairs to you? It's not like the public and private sectors don't also have data they want to protect, so why allow this shadow industry to prosper? This seems even more mystifying when it's so clearly a double-edged sword even for the brokerages' paying customers!
Ariaflame, in reply to BrianKrebs:

Magenta Rocks, in reply to BrianKrebs:
IMO...
The punishment should be for NPD to spend the time putting a credit freeze, at all credit bureaus, on every single SSN in their system. Ya know, so we don't have to do it ourselves.
Also, the SSA should now be required to develop a means for encrypting SSNs everywhere in every system that requires it. And offer a new form of encrypted ID that can replace the SSN. All this should be funded using fines paid by companies who were hacked.
BrianKrebs, in reply to BrianKrebs:
The various portions of Recordscheck and NPD that have logins all have the same generic (placeholder?) copyright text, "Company Inc", and look like phishing pages. Btw, this site does not force https.
Overall, it feels like an extremely dated ColdFusion site that was stood up in a day or two more than a decade ago and modified very little ever since.
Trillion Byter, in reply to BrianKrebs:

stony kark, in reply to BrianKrebs:

Avoid the Hack! :donor:, in reply to BrianKrebs:

AlexanderMars, in reply to BrianKrebs:

Richard Degenne, in reply to BrianKrebs:

Robbie Coleman :verified:, in reply to BrianKrebs:

Oregon Wine Woman, in reply to BrianKrebs:

Dr. Todd A. Jacobs, in reply to BrianKrebs:
Ultimately, the problem is that we (as a society) allow data brokers and credit reporting agencies to exist at all. That we allow them to exist for profit just ensures that there will eventually be problems.
It's not like the US government doesn't have access to all the same data. Based on how they've handled the no-fly list and similar "no disclosure or remediation" systems in the past, I'm definitely not saying this should be a government function. However, most government agencies have some level of transparency and/or regulatory oversight, but as the Equifax and other similar breaches like this one have shown, there are few real consequences for the "big three" and none for shadow brokers.
I genuinely wish there were more informed public conversation about this problem. I'm grateful to you for continuing to highlight these breaches. Without reporters like you, the silence would be deafening!
Michael Halligan 🇺🇦🏳️🌈🏳️⚧️, in reply to BrianKrebs:

SpaceLifeForm, in reply to BrianKrebs:

Tom Halasz, in reply to BrianKrebs:

Babs E. Blue Let's Go Kamala, in reply to BrianKrebs:

Aaron Rainbolt, in reply to BrianKrebs:

butterflyoffire ⏚ꝃ⌁, in reply to BrianKrebs: