ldstephens

Re: National Public Data Published Its Own Passwords

Brian Krebs

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

[…]

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

Hey friends, I don’t know about you, but I’m fed up with companies exposing our personal data because of their shitty security practices. There’s no real consequence for these lapses, so why would they take security seriously? A six-character password? Are you fucking kidding me? And sure, you told users to change it, but did you bother to check if they actually did? Of course not.

There needs to be a significant penalty, especially for companies handling our personal and private data. These companies should be held to the same security standards as banks. Until we see some perp-walks, this will keep happening.
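The control missing from the quoted account is a check that seeded accounts actually rotated their password. The following is an added example (not code from the post, from Krebs, or from RecordsCheck) of such an audit over a salted-hash user table: the default value, the `User` record and the sample users are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example value: the password an operator seeded for every new
# account. Hypothetical, not the real RecordsCheck value.
DEFAULT_PASSWORD = "abc123"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count chosen for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    must_reset: bool = False


def make_user(name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt))


def find_default_password_users(users: list[User], default: str) -> list[str]:
    """Names of accounts whose stored hash still verifies against the default.
    Works on salted hashes, so no plaintext passwords are needed."""
    return [u.name for u in users
            if hmac.compare_digest(hash_password(default, u.salt), u.digest)]


def enforce_reset(users: list[User], default: str) -> int:
    """Flag each default-password account so its next login forces a change.
    Returns the number of accounts flagged."""
    flagged = set(find_default_password_users(users, default))
    for u in users:
        if u.name in flagged:
            u.must_reset = True
    return len(flagged)


# Constructed sample table: alice and carol never changed the seeded password.
SAMPLE_USERS = [
    make_user("alice", DEFAULT_PASSWORD),
    make_user("bob", "correct horse battery staple"),
    make_user("carol", DEFAULT_PASSWORD),
]
```

Running the audit on a schedule, and refusing logins where `must_reset` is set until a new password is chosen, is what turns "we told users to change it" into something verifiable.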

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.