Scoop: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available for download from its homepage until today.

https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/

in reply to BrianKrebs

Expecting data brokers to care about securing the data they so casually collect, buy, collate and otherwise acquire is pointless. None of them really do, and almost every breach involving a data broker shows this. By definition, their businesses largely rely on collecting records that they already view as public, and on the idea that this entitles them to collect, resell, etc., said data. If that is the fundamental organizing idea of your business model, how much are you going to care about protecting it from mass theft?
in reply to BrianKrebs

surveillance capitalism for the win

Data do have value though...so that effect runs counter to the don't secure it perspective.

https://www.lawfaremedia.org/article/why-the-data-ocean-is-being-sectioned-off

in reply to noplasticshower

@noplasticshower I agree it has value, but even that is diminishing (and somewhat torpedoed by this latest breach). I guess I'm saying attitudes about data matter, and in these cases that attitude clearly shows in their lack of clue or care for all this stuff.
in reply to BrianKrebs

in my view, the value of data (as a limited commodity like land) is going to increase under ML fueled demand. So maybe even these hoarders and repackagers will start to secure it for selfish reasons (not for privacy reasons or gods forbid because it happens to be about you).
in reply to noplasticshower

@noplasticshower This data is the product that earns them money in the same way oil and gas are the products that earn Shell and BP money. And guess who keeps spilling that product all over the place all the time...
in reply to Σ(i³) = (Σi)²

@SvenGeier @noplasticshower Exactly. I made this point in my last story about these knuckleheads. Breaches like this are very much like oil tankers that run aground: The cleanup and fallout has ripple effects for years, and the data feeds into an ocean of scammers who are already equipped to do ID fraud at scale.
in reply to BrianKrebs

People don't like blaming incentives, but they drive everything.

Unfortunately it removes the boogey man and makes the problem harder, but it's more realistic.

Change the incentives.

in reply to BrianKrebs

Maybe make data brokers illegal? Or, enact laws that require them to have 'gold standard security' for our data? And, if they are breached, fine them out of existence.
in reply to BrianKrebs

It's worse than that -- credit bureaus have a liability shield in the Fair Credit Reporting Act.
in reply to BrianKrebs

well, to the extent that they want to charge for access to this data, they will need to either protect it, or protect access to whatever value they add to it.
in reply to BrianKrebs

They'll start caring when we start putting them in jail for life. (I can't say what should really happen to them.)

They're some of the worst humans alive and they deserve no respect as a human.

in reply to BrianKrebs

WE NEED TO OWN OUR OWN DATA AND THEY SHOULD BE PAYING US TO ACCESS IT
in reply to BrianKrebs

My SSN is not public data but National Public Data (NPD) had it, presumably because some other entity gave it to them, and now it’s on the dark web, due to the NPD hack, along with other information about me like address(es) and email address(es), but since I never gave NPD any info, I have no idea which addresses they have, and I have no idea how to get it out of them. Even my monitoring service is useless in that regard. They’re the ones that spotted my SSN, but they won’t tell me the rest of the info. It’s maddening. I’ve been so careful, so diligent, but there’s stuff totally beyond my control and that sucks.
in reply to Djembro

@djembro I mentioned two different sites that you can use to check if your data is in there.

"There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly."

in reply to BrianKrebs

I used one of the links in your article to check my aunt in California - and, sure enough, her data has been leaked.

I called her to tell her the bad news but she was pretty cool about it. Turns out, her data had already been stolen a couple of years ago from some University and the University has given her some free credit monitoring service which still hasn't expired. 😀

in reply to BrianKrebs

They should care. If they put in the effort to collect it they don't want to give it away for free.
in reply to BrianKrebs

data brokerages need to be made illegal, along with any other 3rd party data sharing of PII
in reply to BrianKrebs

All of that data is public and has been for some time. Largely thanks to companies like these that view security as a cost and not an investment.
in reply to BrianKrebs

Well, I'd think that if their business model is "Collect data and sell access to it," they'd want access to it locked down as tight as possible. Every leak like this is money straight from their pockets. So I think they'd have plenty of reason to spend money locking it down!
in reply to BrianKrebs

The best way to prevent #dataexfiltration when breached is not to collect or store unnecessary data in the first place. That makes many of the current spate of #databreaches avoidable, self-inflicted incidents for which large companies are never held accountable in any truly meaningful way.

You're spot on when you say that #databrokers rely on large #datalakes of sensitive data they don't need directly. They also rely on large data sets where any typical datum may be harmless in itself, but often becomes sensitive or dangerous when aggregated, and often exponentially more so when connected to intrinsically sensitive data such as #PII, #PHI, or identity.

Setting aside the financial incentives and lack of accountability for the data brokers, how do #businessleaders, #regulatoryagencies, and #electedpoliticians justify this state of affairs to you? It's not like the public and private sectors don't also have data they want to protect, so why allow this shadow industry to prosper? This seems even more mystifying when it's so clearly a double-edged sword even for the brokerages' paying customers!

in reply to BrianKrebs

Truly it seems to be a lot of work gone into being incompetent.
in reply to BrianKrebs

IMO...

The punishment should be for NPD to spend the time putting a credit freeze - at all credit bureaus - on every single SSN in their system. Ya know, so we don't have to do it ourselves.

Also, the SSA should now be required to develop a means for encrypting SSNs everywhere in every system that requires it. And, offer a new form of encrypted ID that can replace the SSN. All this should be funded using fines paid by companies who were hacked.

in reply to BrianKrebs

The various portions of Recordscheck and NPD that have logins all have the same generic (placeholder?) copyright text, "Company Inc" and look like phishing pages. Btw, this site does not force https.

Overall, it feels like an extremely dated Coldfusion site that was stood up in a day or two more than a decade ago and modified very little ever since.

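The "does not force https" observation above is easy to check mechanically rather than by eye. The following is an added example, not code from the page or from the sites discussed: it classifies the first hop a plain http:// request receives (redirect to https:// on the same host, redirect elsewhere, redirect that stays on http://, or content served in the clear) and reads the HSTS max-age from the https:// response. The host names and sample responses are constructed placeholders; `probe()` is a live helper that is never called at import time.

```python
"""Check whether a site forces HTTPS, from captured responses.

Added example (not code from the page or from the sites discussed).
Host names and sample responses below are constructed placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000  # HSTS max-age that most guidance and preload lists expect


def parse_hsts(value):
    """Return the max-age (seconds) from a Strict-Transport-Security header, or 0."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def classify_http_response(request_url, status, headers):
    """Classify the response a plain http:// request received.

    'enforced'          redirect to https:// on the same host
    'off_host'          redirect to https:// on a different host (inspect it)
    'insecure_redirect' redirect that stays on http:// (or is relative)
    'not_enforced'      content served directly over plain HTTP
    'error'             anything else (4xx/5xx, redirect without Location)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    req_host = urlparse(request_url).hostname
    if status in REDIRECT_CODES and "location" in hdrs:
        target = urlparse(hdrs["location"])
        if target.scheme.lower() == "https":
            return "enforced" if target.hostname == req_host else "off_host"
        return "insecure_redirect"
    if 200 <= status < 300:
        return "not_enforced"
    return "error"


def https_posture(request_url, status, headers, tls_headers=None):
    """Combine the plain-HTTP verdict with HSTS from the https:// response."""
    result = {"http": classify_http_response(request_url, status, headers)}
    if tls_headers is not None:
        tls = {k.lower(): v for k, v in tls_headers.items()}
        max_age = parse_hsts(tls.get("strict-transport-security", ""))
        result["hsts_max_age"] = max_age
        result["hsts_ok"] = max_age >= ONE_YEAR
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Live probe: return (status, headers) for url without following redirects.

    Not called at import time; only use it against hosts you are allowed to test.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here with _NoRedirect
        return e.code, dict(e.headers)


# Constructed sample responses (placeholders, not captured from any real site).
SAMPLES = {
    "good": ("http://example.test/", 301, {"Location": "https://example.test/"}),
    "plain": ("http://example.test/", 200, {"Content-Type": "text/html"}),
    "loop": ("http://example.test/", 302, {"Location": "http://example.test/login"}),
    "cdn": ("http://example.test/", 301, {"Location": "https://cdn.example.test/"}),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, classify_http_response(*args))
```

An "enforced" first hop is only half the story: without an HSTS header with a long max-age, the first plain-HTTP request on every fresh browser is still interceptable, which is why `https_posture()` reports both. Login pages are the ones to probe first, since a form posted over http:// leaks credentials regardless of what the home page does.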
in reply to BrianKrebs

OMG Coldfusion. That brought back so many memories. 🤣
in reply to BrianKrebs

maybe it’s time IT became a regulated industry. Doesn’t seem like we have any idea what we’re doing
in reply to BrianKrebs

lol. Data brokers are APTs... primarily due to carelessness.
in reply to BrianKrebs

Really living up to the PUBLIC in NPD.
in reply to BrianKrebs

Ultimately, the problem is that we (as a society) allow data brokers and credit reporting agencies to exist at all. That we allow them to exist for profit just ensures that there will eventually be problems.

It's not like the US government doesn't have access to all the same data. Based on how they've handled the no-fly list and similar "no disclosure or remediation" systems in the past, I'm definitely not saying this should be a government function. However, most government agencies have some level of transparency and/or regulatory oversight, but as the Equifax and other similar breaches like this one have shown, there are few real consequences for the "big three" and none for shadow brokers.

I genuinely wish there was more informed public conversation about this problem. I'm grateful to you for continuing to highlight these breaches. Without reporters like you, the silence would be deafening!

in reply to BrianKrebs

When will people learn to keep their passwords offline and on paper when they cannot remember them?
in reply to BrianKrebs

I've seen a LOT of articles telling me how to protect myself after this event. Odd how I have seen NO articles about any consequences for this company or the Board of Directors. If a single person stole my ID and committed fraud, they would be subject to arrest. But, a company stealing billions of people's data and mishandling it is not?
in reply to BrianKrebs

Wow. Just wow. How in the world do you even accidentally publish a cleartext password database like that to a downloadable location that prominent? That's insanity.
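The failure described in the story (a file holding back-end credentials sitting in the public web root) is precisely what a pre-publish gate should catch. The following is an added example, not code from the page or from the companies discussed: it walks a directory that is about to be deployed, flags file names that rarely belong in a docroot, and flags lines that look like credentials or connection strings. The patterns are a hypothetical starting set, and the fixture tree it scans is constructed for the demonstration.

```python
"""Pre-publish scan of a web root for credential-looking content.

Added example (not code from the page or from the sites discussed). The
patterns are a hypothetical starting set and the fixture tree is constructed.
"""
import os
import re
import tempfile

# Content patterns: (label, regex). Tuned for recall; expect some false positives.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[:=]\s*\S+")),
    ("db connection string",
     re.compile(r"(?i)\b(mysql|postgres(ql)?|mongodb|mssql)://[^\s'\"]+")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]

# File names that should rarely sit in a public docroot at all.
RISKY_NAMES = re.compile(
    r"(?i)(^\.env$|\.bak$|\.sql$|\.old$|\.orig$|"
    r"^config.*\.(php|cfm|cfc|xml|json|ini)$|credential|passw)")


def scan_text(text, rel_path):
    """Return (rel_path, line_no, label) for every pattern hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((rel_path, line_no, label))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk root and report risky file names and credential-looking lines.

    Binary files are skipped for content. A real pre-publish gate would also
    open archives, since database dumps are often shipped zipped.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if RISKY_NAMES.search(name):
                findings.append((rel, 0, "risky filename"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
                text = data.decode("utf-8")
            except (OSError, UnicodeDecodeError):
                continue  # unreadable or binary: not scanned for content
            findings.extend(scan_text(text, rel))
    return findings


def build_fixture():
    """Create a constructed sample docroot in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = {
        "index.html": "<html><body><p>&copy; Company Inc</p></body></html>\n",
        "members/database.txt": "host=db.internal\nuser=app\npassword=s3cr3t!\n",
        "backup/site.sql": "-- dump taken 2024-01-01\nCREATE TABLE t (id int);\n",
        "config.json": '{"db": "mysql://app:hunter2@db.internal/prod"}\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n\x00\x00\xff\xfe")  # binary, skipped
    return root


def labels(findings):
    """Sorted list of labels, handy for summarising a scan result."""
    return sorted(label for _p, _n, label in findings)


if __name__ == "__main__":
    for finding in scan_tree(build_fixture()):
        print(*finding)
```

Run it as the last step before `rsync`/`scp` to the web server, or as a CI job on the deploy artifact, and fail the deploy on any finding. The name check matters as much as the content check: a dump named `site.sql` or `backup.zip` is a finding even when its contents cannot be parsed, and a separate allow-list handles the rare legitimate hit.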