National Public Data Published Its Own Passwords – Krebs on Security

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people, including many who are now deceased.

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.

Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property, the background search service recordscheck.net, was hosting an archive that included the username and password for the site's administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.

Reached via email, Mr. Verini said the exposed archive, a zip file containing recordscheck.net credentials, has been removed from the company's website, and that the site is slated to cease operations "in the next week or so."

"Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will be with you, as we follow your blog. Very informative."

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.

[Image caption: A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.]

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npdpentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one's credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we've seen involving SSN data and other key static data points about people.

[Image caption: Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.]

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD's database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is, if you're an American who hasn't frozen their credit files and you haven't yet experienced some form of new account fraud, the ID thieves probably just haven't gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven't done this in a while, now would be an excellent time to order your files. To place a freeze, you'll need to create an account at each of the three major reporting bureaus: Equifax, Experian and TransUnion. Once you've established an account, you should be able to view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don't recognize, do not ignore them. Dispute any inaccuracies you may find.
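Two of the failures in this story, a source-code archive sitting in the web root and a shared initial password that many users never changed, are things a site operator can audit for on their own systems. The Python below is an added example written for this page; it is not code from the article, from NPD or from RecordsCheck. Every file name, archive member, user record and the "Welc0m" stand-in for the initial password is constructed here, and the credential regex is a small heuristic rather than a complete secret scanner.

```python
import hashlib
import hmac
import io
import os
import re
import tempfile
import zipfile

# Files that should never be reachable from a document root (constructed list).
RISKY_EXTENSIONS = {".zip", ".tar", ".gz", ".tgz", ".rar", ".7z", ".sql", ".bak", ".old"}

# Matches assignments such as  $db_pass = 'x';   API_KEY=x   'password' => 'x'
CREDENTIAL_RE = re.compile(
    r"""\$?\b(?P<key>[a-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)[a-z0-9_]*)"""
    r"""['"]?\s*(?:=>|[=:])\s*['"]?(?P<value>[^\s'";,]{4,})""",
    re.IGNORECASE,
)

PBKDF2_ITERATIONS = 100_000  # lowered from production values so the demo runs quickly


def find_exposed_archives(webroot):
    """Relative paths of files under webroot whose extension is in RISKY_EXTENSIONS."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(found)


def scan_archive_for_credentials(zip_bytes):
    """(member, line number, key) for each credential-looking assignment in a zip.

    Members that are not valid UTF-8 (images, compiled files) are skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                m = CREDENTIAL_RE.search(line)
                if m:
                    hits.append((info.filename, lineno, m.group("key")))
    return hits


def scan_webroot(webroot):
    """Map each exposed archive under webroot to the credential hits found inside it."""
    report = {}
    for rel in find_exposed_archives(webroot):
        if rel.lower().endswith(".zip"):
            with open(os.path.join(webroot, rel), "rb") as fh:
                report[rel] = scan_archive_for_credentials(fh.read())
        else:
            report[rel] = []  # reported as exposed; other formats are not parsed here
    return report


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def accounts_still_on_default(users, default_password):
    """Usernames whose salted hash still verifies against the shared initial password.

    With per-user salts, equal passwords do not give equal hashes, so the audit must
    verify the known default against every record instead of looking for duplicates.
    """
    stale = []
    for u in users:
        candidate = hash_password(default_password, u["salt"])
        if hmac.compare_digest(candidate, u["hash"]):
            stale.append(u["username"])
    return stale


def build_sample_webroot():
    """Temporary web root with an index page and a stray members.zip (all constructed)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Members area</body></html>\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("members/config.php",
                    "<?php\n$db_host = 'localhost';\n$db_user = 'admin';\n$db_pass = 'changeme';\n")
        zf.writestr("members/.env", "APP_ENV=production\nAPI_KEY=abcd1234efgh\n")
        zf.writestr("members/logo.png", b"\x89PNG\r\n\x1a\n\x00\x00")  # binary member, skipped
        zf.writestr("members/README.txt", "Nothing sensitive here.\n")
    with open(os.path.join(root, "members.zip"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


def build_sample_users(default_password):
    """Three constructed accounts; alice and carol never changed the initial password."""
    users = []
    for name, pw in (("alice", default_password), ("bob", "correct horse battery"),
                     ("carol", default_password)):
        salt = hashlib.sha256(name.encode("utf-8")).digest()[:16]  # demo only; use os.urandom in practice
        users.append({"username": name, "salt": salt, "hash": hash_password(pw, salt)})
    return users


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, hits in scan_webroot(root).items():
        print(f"exposed archive {rel}:")
        for member, lineno, key in hits:
            print(f"  {member}:{lineno} assigns {key}")
    # "Welc0m" is a constructed stand-in for the shared six-character initial password.
    print("still on the initial password:",
          accounts_still_on_default(build_sample_users("Welc0m"), "Welc0m"))
```

Run as a deploy gate, the web-root check fails the release when anything in RISKY_EXTENSIONS is reachable, and the archive scan gives the reviewer the file and line to fix before the artifact ships. The password audit is deliberately written against salted hashes: the only way to find accounts still on a known initial password is to verify that password against each record, which is also why forcing a change at first login is cheaper than auditing afterwards.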
This entry was posted on Monday, 19th of August 2024 at 12:23 PM.
I thought a person could freeze access to their information through adding a PIN to their social security number directly. Wouldn't this be a better option?

I think creating a PIN for your social security number with the government may be a better option.

If you think your SSA online account has been compromised, you can request SSA to "Block Electronic Access":

Block Electronic Access
If you know your Social Security information has been compromised, you can request to Block Electronic Access. This is done by calling our National 800 number (Toll Free 1-800-772-1213) or at our TTY number at 1-800-325-0778. Once requested, any automated telephone and electronic access to your Social Security record is blocked. No one, including you, will be able to see or change your personal information on the internet or through our automated telephone service. If you have requested that we block access to your record and later change your mind, you can contact us and ask to have the block removed. You will need to prove your identity when you call.
https://www.ssa.gov/pubs/EN-05-10220.pdf (linked through a Google redirect URL in the original comment)

I just checked my status on pentester along with that of my parents and sibling. None of the birthdates listed for myself are correct, nor are they correct for my parents; my sibling is not so lucky. Not only are the birthdates for myself and my parents wrong, one of the incorrect birthdates attributed to me is also incorrectly attributed to one of my parents.
Anyone have any idea what is going on here? Is pentester returning accurate data to my searches? If the thieves have entirely incorrect birthdates for myself and my parents, I feel a tiny bit of relief. That will at least make it a teensy bit harder to exploit the data. But what are the odds that the original National Public Data records would have such accurate details otherwise, yet be completely off in terms of birthdates?
Any ideas or info appreciated.

Who says pentester.com is legit?

https://www.whois.com/whois/pentester.com

Who says they are not?

Right, until someone can definitively prove that it is not legit, you should assume it is legit and give it all your personal information. Your dear Nigerian Prince.

What I want to know is why the email address that was exposed in my case is a ProtonMail account that I use exclusively for my bank accounts and nowhere else. This means NPD acquired my data from one of my banks, who should have my data locked down but are obviously selling it to 3rd parties. This needs to stop. Our elected officials need to work a lot harder than they presently do.

Exactly THIS. I've posted below that nobody seems to be questioning the LEGALITY of NPD possessing everyone's SSN, or even HOW they acquired them. Given the fact that people only share their SSN with a small number of entities suggests to me that NPD has either acquired SSNs from OTHER data breaches or they have acquired them through other illegal means. Either way, the people who are responsible for acquiring this data should be prosecuted and made to give up their sources. But of course, that will never happen.

It could be someone internally in the bank is in on it. You need to contact your bank so they can investigate too, but maybe ask the popo first.

Good advice, Mike.
Also remember that virtually all banks allow customers to access their accounts via their automated telephone banking system. Don't confuse this with your mobile banking app. It's a different system. Access codes for automated telephone banking always default to your SSN. Even if you exclusively bank online, your account is accessible via your bank's automated telephone banking, so change the access code to a self-selected number. Note: some banks require you to speak to an agent to set it up. With other banks it's all automated. If yours is a joint account, make sure to set a unique access code for each account holder. If you bank at multiple banks, use a different code at each bank, just as you would use a different password for online accounts. What you can do via automated telephone banking varies by bank, but at a minimum all banks will provide account balances and details of all recent transactions. Equipped with that information, a person might be able to call your bank and impersonate you, since banks often pick a random transaction from your account and use that as an additional authenticator.
And while you're at it, call your bank and ask to set a verbal password to be used to authenticate you when you call them. Once this is done, banks will use all the typical authenticators (SSN, DOB, address, etc.) but in addition will ask for your verbal password. This helps reduce the risk of someone calling your bank and impersonating you. Again, use a different verbal password for each account holder and at each bank. Be sure to write these passwords down. If you can't remember your verbal password, some banks that are scrupulous about security will require you to go to the bank in person to re-authenticate yourself and set a new verbal password.

Thank you, Liz.
I just set up a verbal password with my bank for phone calls from me. They are looking into the automated banking system access codes for me. I have never used it.
I feel like I'm trying to close all the windows and doors to my personal information.

I would like to be able to change my legal name every time my SSN gets exposed.

The most ridiculous part, besides how the data was protected, is how utterly useless our government is when it comes to protecting the people's data. Nobody will be held accountable for the breach or collecting the data; all that will happen will be an email, "out of abundance of caution we are letting you know that you are fucked," and the idiots continue with their activities.
On the other hand, this company was SELLING that exact data, so technically the only difference seems to be that this time they don't get any money for distributing the data.

One reckless person is responsible for this disaster and the onus is on us to mop up his mess. We need robust federal protection from these shady creeps.

My mother recently passed away. As I was her financial POA, I had placed a credit freeze with 2 of the 3 bureaus a couple years ago (the 3rd acted like it couldn't find her credit history, so it wasn't successful). For probate I'll be the appointed next of kin/executor. Wondering if I should do anything else. I'm thinking creating a new SSA login.gov is a waste of time since she won't receive it anymore. I just wonder how much nefariousness can be done on someone who is now deceased.

You should look into SSA; there may be survivor benefits.

Why the heck is everyone concerned with criminals? Have you ever heard of an outfit called Wells Fargo? With all the criminal schemes they have been involved with, surely the phrase "fox guarding the hen house" fits.

I was commenting on Wells Fargo at a meeting and my client, who was formerly a banker, replied, "If you think Wells Fargo is the only bank pulling all this crap, you are crazy." There was a local case where a (not Wells Fargo) banker was the one applying for the fake loans and accounts.
I guess we should think about it the same way my daughter talks to her children. She doesn't warn them about bad people. She warns them about bad activity, acknowledging that much abuse comes from family members.
I have seen some bank account agreements that state if your credentials were used, you acknowledge that you are liable for the loss. They can't seem to accept that I am just as concerned about the bank's people as I am with outside criminals. I didn't sign the agreement.

The R E A S O N why this nation (US) is 1 step from Uncivil War is because WE do not work a lot harder. STOP expecting persons who are supposed to be PUBLIC SERVANTS to do all.
Public Servants now act like they are our masters. BE your own master; take action now.

I have to say, when it comes to internet security, skimmers and much more, Brian Krebs is one of the few I would trust, for much more than TEN YEARS (not to be confused with the Brian Krebs who worked in the US executive branch under Trump). Having anything to do with credit companies is the last thing I have ever wanted to do. NOW I must. I truly want to REJECT the thought of speaking my SS number over the phone.
Brian, which way do you feel is safest in freezing credit reports? By phone? By mail? By internet?

It all sucks.

Our useless Congress can't even pass any legislation to protect EVERY US citizen from these endless breaches. In addition, they won't do anything to supersede Social Security numbers as a primary identifier for US citizens. WTF? Come ON! Enough is enough!

Last week I got a fraud alert from my bank for suspicious transactions from someone in India using Meta Pay. I don't use Facebook or Meta Pay. Racking my brain to try and figure out how my bank was compromised, and hit a dead end every time. All three credit reports are locked or frozen. But this news of the massive hack for these two companies is giving me a good assumption that either this data hack was how someone got my bank info, or my bank sold my personal info to another company. I had to go and get a new debit card, as my other one was closed. My bank did help me dispute the charges with Facebook/Meta and I got my money back.
I am getting TIRED of doing all I can to protect my info and my credit reports, and it happens more and more. It doesn't matter if you are vigilant; the companies entrusted to keep our info safe are either not upgrading their security measures to protect US or enriching themselves by selling our info. Right now I am also dealing with another company that was compromised.

The thing that's driving me crazy about all of this is that nobody seems to be questioning HOW NPD acquired SSNs and other highly sensitive personal data that typically only one third party, the credit bureaus, has access to. SSNs are usually only shared by people with a small number of entities, like medical, educational, financial and employers. So how then could NPD have legitimately acquired this data? In my opinion, real crimes subject to incarceration would have had to be committed in order for NPD to have amassed so much sensitive data of so many people. Yet all of the outrage seems to be directed at NPD's leaking of the data RATHER than the fact that they had the data in the FIRST place.
If there EVER was a legitimate occasion for a Congressional Inquiry, THIS is it.

Having this information is extremely important because it gives you real life examples to look at that coincide with an attack that may be in your email currently. It allows you to be more aware of threats and look out for similar attacks.

Having searched the breached database from National Public Data, I saw personal information about myself dating back to when I was 16 years old. Much of it clearly linked back to my credit reports. Several of the records included my personal employee ID number for a company I worked at, where we were issued a company credit card with our employee ID number attached to it.
Why do the companies who tell us whether or not our data was breached openly offer all our personal information freely on the internet to anyone who searches for it? I got my own and many other people's full name, full address, full phone number, partial DOB and the last 2 digits of their and my SSN. This seems like a tremendous breach in and of itself. Outrageous to publish this data online for anyone and everyone to access.

Freezing our credit is entirely inadequate. There are many fraudulent uses of our personal information that do not involve new account creation, which is the only use that's impacted by a credit freeze.
Criminals can still participate in account takeover: intercepting an existing account, using it for fraud, possibly changing the address/phone number/password and locking you out of the account.
There's using someone's personal info for employment, their wages illegally being attributed to the innocent victim.
There is medical identity theft: using someone's personal info to run up costly medical bills.
There is hijacking the title to someone's home, transferring it into their own name and selling the home.
Good luck with stopping these crimes. Freezing our credit will have no impact. Even just having our online accounts get hacked will be possible with the data that has been exposed.

How do we get these background check companies to delete our info, or at least the obsolete, incorrect data? They show all my personal info going back 40 years. The addresses and phone numbers are wrong. We don't want people contacting these incorrect places, sending junk mail, credit applications or other material to former locations. We should have the right to correct their databases, but we don't even have access to do so. This is completely outrageous and infuriating.