National Public Data (NPD), a background check company, admitted it exposed sensitive info like phone numbers, addresses and Social Security numbers to hackers. 

While the company hasn’t shared how big the breach is, it supposedly involves 2.7 billion records, likely including some data on almost every American.

It gets even worse. A new report revealed that another NPD data broker, which shares access to the same consumer records, published user passwords to its back-end database.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

What you need to know

KrebsOnSecurity reported that a sister NPD property, called recordscheck.net, was hosting an archive that included the usernames and passwords of the site’s administrator.

A review of the now-removed archive reveals that it contained the source code, along with plain text usernames and passwords, for various components of recordscheck.net. This site bears a striking resemblance to nationalpublicdata.com, with matching login pages.

The exposed archive, titled “members.zip,” suggests that all RecordsCheck users were initially given the same six-character password and advised to change it, though many didn’t.

According to KrebsOnSecurity, which referenced breach tracking service Constella Intelligence, the passwords found in the source code archive match those exposed in earlier data breaches. This suggests that millions of users may be affected in this case as well.

We reached out for a comment from RecordsCheck but did not hear back before our deadline.

Another NPD data broker published user passwords to its back-end database. (Kurt “CyberGuy” Knutsson)

PHARMA GIANT’S DATA BREACH EXPOSES PATIENTS’ SENSITIVE INFORMATION

National Public Data’s response

Salvatore “Sal” Verini, the founder of NPD and a retired sheriff’s deputy from Florida, told KrebsOnSecurity that the exposed archive, a .zip file containing recordscheck.net credentials, has been removed from the company’s website. Verini also mentioned that the site is scheduled to shut down “in the next week or so.”

“Regarding the zip, it has been removed, but it was an old version of the site with non-working code and passwords,” Verini said. He declined to offer additional information, stating that the issue is under active investigation and he cannot comment further.

Identity theft protection is essential to fight data breaches. (Kurt “CyberGuy” Knutsson)

WORLD’S LARGEST STOLEN PASSWORD DATABASE UPLOADED TO CRIMINAL FORUM

Reminder to invest in identity theft protection

News of the NPD data breach surfaced after a California man filed a lawsuit against the company, as reported by Bloomberg. He discovered the breach through his identity theft protection service, which flagged his data in the leaked database. Since then, many people online have reported receiving similar alerts from their protection services, allowing them to take action before it was too late.

In 2024, an identity theft protection service is practically a must-have. If you’ve been keeping up with CyberGuy articles, you’ve probably seen frequent reports on data breaches, whether it’s the AT&T breach, Dell breach or the Advance Auto Parts leak.

One of the best parts of using identity theft protection is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

4 additional tips to protect yourself from data breaches

Identity theft protection is the first thing I recommend to everyone, but there are also steps you can take to protect yourself.

1. Be careful with passwords: The recordscheck.net leak exposed passwords, and as I discussed, many users didn’t change the auto-assigned passwords. That’s a big mistake. Always create strong passwords for your accounts and devices and avoid using the same password for multiple online accounts.

Consider using a password manager to securely store and generate complex passwords. It will help you to create unique and difficult-to-crack passwords that a hacker could never guess. Second, it also keeps track of all your passwords in one place and fills passwords in for you when you’re logging into an account so that you never have to remember them yourself. Get more details about my best expert-reviewed Password Managers of 2024 here.

2. Remove your personal information from the Internet: While no service can completely erase your data from the Internet, using a data removal service is a smart move, especially in light of recent data breaches like the NPD incident. These services aren’t cheap, but neither is your privacy.

CLICK HERE FOR MORE US NEWS

They handle the heavy lifting by continuously monitoring and systematically removing your personal information from countless websites. This gives peace of mind and is one of the most effective ways to safeguard your data online. Check out my top picks for data removal services here.

3. Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions and security alerts.

4. Routinely check your credit reports: Obtain a free copy of your credit report from each of the three credit reporting agencies mentioned earlier. Review the reports carefully for any suspicious or unauthorized activity. If you find any inaccuracies or signs of fraud, report them to the credit reporting agency immediately.

4.3 MILLION AMERICANS EXPOSED IN MASSIVE HEALTH SAVINGS ACCOUNT DATA BREACH

Kurt’s key takeaway

The NPD data breach and the security incident involving its sister website highlight the irresponsibility of these companies in handling sensitive public information. There is an urgent need for governments to step in and impose serious legal consequences, not just a slap on the wrist. Fines should be involved. Anyone dealing with sensitive data must ensure that the data is encrypted and take measures to prevent it from falling into the wrong hands.

Do you believe current regulations are sufficient for handling data breaches or do they need to be more stringent? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.

Google will have to face a class action lawsuit that accuses it of collecting users’ data through Chrome without their consent. In a decision on Tuesday, a federal appeals court reversed a December 2022 ruling that dismissed the case, saying the lower court should’ve reviewed Google’s disclosures and determined “whether a reasonable user reading them would think that he or she was consenting to the data collection.”

The class action lawsuit, first filed in 2020, alleged that Google collected data from Chrome users — regardless of whether they enabled Chrome sync. This feature saves bookmarks, passwords, open tabs, and other data to your Google account, giving you easy access to this information when signed into Chrome on multiple devices.

The plaintiffs claimed Chrome “intentionally and unlawfully” sent Google browsing history, IP addresses, persistent cookie identifiers, and unique browser identifiers without their explicit permission. At the time, Google argued users consented to this by accepting the company’s privacy policy. Judge Yvonne Gonzalez Rogers agreed, stating in her order granting dismissal that “Google adequately disclosed, and plaintiffs consented to, the collection of the at-issue data.”

However, Judge Milan D. Smith Jr. writes in today’s decision that Judge Gonzalez Rogers didn’t take into account whether users actually understood this agreement. “Google had a general privacy disclosure yet promoted Chrome by suggesting that certain information would not be sent to Google unless a user turned on sync,” Smith writes. The case will be returned to the lower courts for reconsideration.

“We disagree with this ruling and are confident the facts of the case are on our side. Chrome Sync helps people use Chrome seamlessly across their different devices and has clear privacy controls,” Google spokesperson José Castañeda says in a statement to The Verge. And while Google will soon no longer require users to enable Chrome sync to access saved information, Castañeda says, “This announcement is not related to the litigation.”

Google is upgrading its Gemini writing tools in Gmail to help you polish drafts that you’ve already written. Now, among other Gemini-powered “Help me write” options like Formalize and Elaborate, you can tap “Polish” to refine your emails, Google says in a blog post. The company has also added shortcuts that appear in the body of your emails on Android and iOS, making it more obvious that there are AI writing tools to use.

The tools are available to people who pay for Google One AI Premium accounts or who have paid for Google’s Gemini add-on for Workspace. If that’s you, when you open an empty draft, you’ll see a “Help me write” shortcut appear that you can tap to have Gemini draft text for you. Once you have 12 or more words in a draft — AI-written or not — you should see a new “Refine my draft” shortcut, shown in gray letters below the words.

Swipe your thumb across the text, and you’ll be given the choice to Polish, Formalize, Elaborate, or Shorten, or to have Gemini just write a whole new draft for you. (And if the “Refine my draft” shortcut doesn’t appear, tapping the pencil icon does the same thing.)