National Public Data Published Its Own Passwords (2025)

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

National Public Data Published Its Own Passwords (1)

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

National Public Data Published Its Own Passwords (2)

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit fileateach of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is,if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 theFederal Trade Commissionannouncedthe bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax,ExperianandTransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.

National Public Data Published Its Own Passwords (2025)

FAQs

How did National Public Data get my information? ›

National Public Data obtained the information by scraping nonpublic sources without consent, according to a proposed class action lawsuit. Here are steps you can take to see if your information was stolen and then protect your Social Security number if your personal data was leaked in the massive data hack.

What is NPD national public data? ›

National Public Data is a background check company that provides information either through legitimate sources or by scraping it off the web, Lee said. Because the data is collected more casually, it can be gathered without consumers' permission and outside of certain regulations.

How has my passwords appeared in a data leak? ›

For example, if your password for your Amazon account is “redsox2004”, and your iPhone informs you it has appeared in a data leak, this simply means that in publicly available account credentials covering various companies that were breached, “redsox2004” was on the list of passwords.

What if the password was used in a data breach? ›

Our first recommended action after a breach is for the exposed users to immediately change their password for that account – and for any other accounts that are protected by the same (or a similar) password.

How do I remove information from public data USA? ›

We hope you find this publicdatausa opt out guide helpful!
  1. Go to www.publicdatausa.com.
  2. Input your first and last names, then the state. ...
  3. If your data is on the next page, copy the URL.
  4. Scroll to the bottom of the page and click the "Remove my information" link.
Apr 19, 2023

How did my personal information get on the Internet? ›

Personal information generally gets on the internet as publicly available information when an individual engages in routine business transactions, such as buying something online. Other information may come from federal and state public records, as well as from your social media accounts.

What is an example of public data? ›

Public data comes in many forms. In terms of government data, it could be the texts of laws, performance metrics for local councils, or lists of councilors within municipalities. It could also be transportation, geographic/mapping or weather data.

When did the national public data breach occur? ›

National Public Data, which collects information for background checks, confirmed on its website that there were “potential leaks of certain data in April 2024 and summer 2024.” According to reports, USDoD put the stolen data up for sale on the dark web for $3.5 million.

What information is public data? ›

Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Why does my iPhone say my password has appeared in a data leak? ›

This message pops up because Apple has expanded its iCloud Keychain with a cybersecurity feature called password monitoring. It continuously scans your saved passwords and compares them with a list of compromised passwords.

Should I be worried if my password is in a data leak? ›

You should absolutely change passwords immediately if you've been informed that you've been a victim of a data leak. The best course of action is to detect compromised passwords (which may apply to more than one site if you, like many, repeat passwords) and replace them with a strong password.

Do I have to change all of my passwords after a data leak? ›

Compromised passwords and username combinations are unsafe because they've been published online. We recommend that you change any compromised passwords as soon as you can.

Why are all my passwords compromised? ›

One of the most common causes of compromised passwords is the use of weak passwords that are easy to guess. Simple passwords, such as “123456” or “password”, are effortless for attackers to crack. Additionally, reusing passwords across multiple accounts significantly elevates the risk.

How to delete accounts with compromised passwords? ›

Enter your email address and phone number in the website HaveIBeenPwned to get a list of sites where your personal information has been compromised. Then, go to the sites listed that you are no longer using to find the steps to delete your account, which will often be in the account settings.

What must be done if your password has been compromised? ›

What to do when your password has been compromised
  • Change your password, and be sure to do so in a secure fashion: ...
  • Make sure that you never send your password over the network unencrypted. ...
  • Use "good" passwords, that are hard to guess or break.

Why does the government collect your data? ›

What exactly does the government do with this data? The data is used in a wide variety of law enforcement, public safety, military and intelligence missions, depending on which agency is doing the acquiring. We've seen it used for everything from rounding up undocumented immigrants or detecting border tunnels.

Can US government access my data? ›

The federal government collects and uses personal information on individuals in increasingly sophisticated ways for things like law enforcement, border control, and enhanced online interactions with citizens.

How does data gov collect data? ›

In accordance with the requirements of the OPEN Government Data Act, the Data.gov catalog is populated by harvesting federal agency harvest sources that have the metadata inventories of the agency datasets. For example, GSA datasets are obtained from the GSA metadata harvest source.

How does public data work? ›

Public data is data that can be used, reused, or redistributed. Government entities at all levels (municipal, state, federal, and international) produce large amounts of public data. Typically this data is accessible without restrictions.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: The Hon. Margery Christiansen

Last Updated:

Views: 5525

Rating: 5 / 5 (70 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: The Hon. Margery Christiansen

Birthday: 2000-07-07

Address: 5050 Breitenberg Knoll, New Robert, MI 45409

Phone: +2556892639372

Job: Investor Mining Engineer

Hobby: Sketching, Cosplaying, Glassblowing, Genealogy, Crocheting, Archery, Skateboarding

Introduction: My name is The Hon. Margery Christiansen, I am a bright, adorable, precious, inexpensive, gorgeous, comfortable, happy person who loves writing and wants to share my knowledge and understanding with you.