Following up on last Wednesday’s story about the massive data leak that appears to have captured the personal data of everyone in the U.S., U.K., and Canada, the situation may be even worse than originally thought.
The leak, which was originally estimated to have compromised about 2.7 billion records, and the data itself was hosted by a partner company which managed to publish its own passwords, enabling absolutely anyone to access the data.
Each of the leaked records apparently contains the person’s name, mailing addresses, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted.
Per KrebsOnSecurity, one of the company’s resellers managed to accidentally publish its own login details for the database on its homepage. In addition to this, another NPD data broker with shared access to the leaked records “inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today […]”
A reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.
U.S.-based users can check if their data was exposed via the npdbreach.com or npd.pentester.com lookup services, which are available for free:
Via 9to5Mac and KrebsOnSecurity