New details have emerged regarding the National Public Data (NPD) data breach. A company affiliated with NPD, which had access to the same databases, accidentally published passwords to these databases directly on its website.
The incident came to light in April 2024, when a hacker known as USDoD began selling stolen NPD data. By July, information on more than 272 million individuals, including names, SSNs, addresses, and phone numbers, had leaked online. Following reports on the scale of the breach, a reader of KrebsOnSecurity disclosed that a service associated with NPD, recordscheck[.]net, had inadvertently posted an archive containing usernames and administrator passwords on its website. The archive remained accessible until August 19.
The archive contained plaintext passwords for various components of the recordscheck website, which bears a resemblance in appearance and functionality to National Public Data. Evidence within the archive also suggested that users were initially assigned the same six-digit password, which many never changed.
Moreover, these passwords matched those compromised in previous breaches related to the accounts of NPD’s founder, Salvatore Verini. Verini confirmed that the archive had been removed and that recordscheck would soon cease operations. He also clarified that the archive contained an outdated version of the website with non-functional code and passwords, and that the investigation into the incident is still ongoing.
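The two failure modes described above (an archive of credentials left under a public web root, and a shared default password that users never changed, reused across accounts and across earlier breaches) are the kind of thing an operator can check for routinely. The following Python script is an added example and is not code from the article, from NPD, or from recordscheck; the default password value, the account records, the "previously breached" set and the web-root file list are all constructed for the demo.

```python
"""Credential-hygiene and exposed-archive audit (added example, constructed data).

audit() takes an exported list of (username, password) records and flags
accounts still on the shared default, accounts that share a password with
another account, and passwords already present in an earlier breach set.
find_exposed_archives() takes file paths under a public document root and
flags archive or database dump files that should never be served.
"""
import re
from collections import defaultdict

# Constructed stand-in for an initial six-digit default (assumption, not the real value)
DEFAULT_PASSWORD = "123456"

# Constructed sample records; none of these are real accounts or passwords
SAMPLE_ACCOUNTS = [
    ("admin", "Tr0ub4dor&3"),
    ("ops", "123456"),
    ("billing", "123456"),
    ("support", "Summer2023!"),
    ("dev", "Summer2023!"),
    ("qa", "correct-horse-battery"),
]

# Constructed set of passwords seen in an earlier, unrelated dump
PREVIOUSLY_BREACHED = {"Summer2023!", "password1"}

# Constructed listing of a public web root (relative paths)
SAMPLE_WEBROOT = [
    "index.php",
    "assets/site.css",
    "backup/site-2023.zip",
    "db.sql",
    "img/logo.png",
]

SIX_DIGIT = re.compile(r"^\d{6}$")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar", ".sql", ".bak")


def audit(accounts, default=DEFAULT_PASSWORD, breached=PREVIOUSLY_BREACHED):
    """Return findings keyed by category; each value is a sorted list of usernames."""
    by_password = defaultdict(list)
    for user, pw in accounts:
        by_password[pw].append(user)

    return {
        # still on the value every account was issued at creation
        "default_unchanged": sorted(u for u, p in accounts if p == default),
        # any all-numeric six-digit value, whether or not it is the known default
        "six_digit_numeric": sorted(u for u, p in accounts if SIX_DIGIT.match(p)),
        # same password on more than one account
        "shared_password": sorted(
            u for users in by_password.values() if len(users) > 1 for u in users
        ),
        # password already public from an earlier breach
        "seen_in_prior_breach": sorted(u for u, p in accounts if p in breached),
    }


def find_exposed_archives(paths):
    """Flag files under a public document root whose suffix marks them as an archive or dump."""
    return sorted(p for p in paths if p.lower().endswith(ARCHIVE_SUFFIXES))


def summary(findings):
    """Per-category counts for a one-line report."""
    return {category: len(users) for category, users in findings.items()}


if __name__ == "__main__":
    findings = audit(SAMPLE_ACCOUNTS)
    for category, users in findings.items():
        print(f"{category:22s} {len(users):2d}  {', '.join(users)}")
    print("exposed archives:", find_exposed_archives(SAMPLE_WEBROOT))
```

In practice the account export would come from the application's own user store and the breached set from a local copy of a known-password list; the point of keeping the checks as plain functions is that they can run in a scheduled job and alert on any non-empty finding.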
The website was developed by a Pakistani company, Creation Next, which has yet to provide any comments.
Several websites have already appeared online, allowing users to check whether their personal information was compromised in the breach. One such site is npdbreach[.]com, while another is npd[.]pentester[.]com. Both platforms indicated that NPD’s data is outdated and contains numerous inaccuracies.
Users whose data may have been compromised are strongly advised to freeze their accounts to prevent potential fraud. It is also important to regularly monitor accounts and immediately dispute any suspicious activity.
National Public Data is a company that collects and processes vast amounts of personal information to provide various services. Its activities include checking records from the U.S. criminal database, generating personal history reports, and selling data to mobile applications and background check websites. Experts warn that the breach affected not only living individuals but also the deceased, further complicating the situation.