Earlier this month, a huge trove of data from scraping service National Public Data was posted online. The dump made international headlines because it included data on hundreds of millions of people, and included Social Security Numbers.
As if that wasn’t bad enough, KrebsOnSecurity is now reporting on another National Public Data company found hosting a file online that included the usernames and passwords for the back-end of its website, including for the site’s administrator.
The website of this company, Records Check, is hosted at recordscheck.net, and is very similar to nationalpublicdata.com with identical login pages. The publicly-accessible file, which has now been taken offline, showed that all RecordsCheck users were given the same 6-character password with instructions to change that password. Which many failed to do.
National Public Data’s founder, Salvatore “Sal” Verini told Krebs that the exposed file has been removed from the company’s website, and that the entire site will cease operations “in the next week or so.”
But that’s a bit too little too late. As bad as we feel about companies like these scraping our data, it’s even worse to see how carelessly they handle our personal information.
Back to the original NPD data dump, we now know a lot more now about this database.
Allegedly, the 277 GB set of data contained Social Security numbers and other sensitive data of about 2.9 billion people. That seems a stretch, so we looked into that.
The estimates from our researchers say that it contains 272 million unique social security numbers. That could mean that the majority of US citizens could be affected, although numerous people confirmed to BleepingComputer that it also included information about deceased relatives.
There are a few aspects in this case that make it very different from other data breaches.
For one, the data was “scraped,” meaning it was pulled from various sources and combined in a large database. So that means the data was already “out there.” Combining data sets often leads to duplicate records, for example, the same person but living at a different address will be listed twice.
However, combining the data in such a large database does allows those with access to amass a huge amount of data about each person.
Second, because of the scraping, there is no direct link between the breached entity and the people whose data is in the leaked database. Normally, businesses will inform their affected customers about what happened, offer credit monitoring services, and let them know what exactly was stolen.
Depending on the outcome of a complaint filed in the US District Court for the Southern District of Florida some of this might still happen, but it’s unlikely that it will be anywhere near what a company worried about it’s customers might be willing to do.
National Public Data has set up a website (only accessible with a US IP address, so from outside the US you may need to use a VPN) about the breach. According to that website:
“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.