National Public Data Published Its Own Passwords – Krebs on Security

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently posted the Social Security Numbers, addresses and phone numbers of hundreds of millions of Americans online. KrebsOnSecurity has learned that another NPD data broker that shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was publicly available on its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what had been taken, including the names, addresses, phone numbers, and in some cases email addresses of more than 272 million people (many of whom are now deceased).

NPD acknowledged the breach on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July breach on a different malicious hacker who also accessed the company’s database. That database, they said, has been circulating under the radar since December 2023.

Following last week’s story about the scope of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property, the background search service recordscheck.net, was hosting an archive containing the usernames and passwords of the site administrator.

A look at that archive, which was available on Records Check’s website until just before this story’s publication this morning (August 19), shows that it contains the source code and plain-text usernames and passwords for various parts of recordscheck.net, which visually resembles nationalpublicdata.com and has identical login pages.

The exposed archive, which is called “members.zip,” indicates that all RecordsCheck users were initially assigned the same six-character password and instructed to change it, but many did not.

According to breach tracking service Constella Intelligence, the passwords in the source code archive are identical to login credentials exposed in previous data breaches involving email accounts belonging to NPD’s founder, an actor and retired Florida sheriff’s deputy, Salvatore “Sal” Verini.

Mr. Verini said via email that the exposed archive (a .zip file) containing the recordscheck.net credentials has been removed from the company’s website and that the site is expected to cease operations “within a week or so.”

“Regarding the zip, it has been removed, but it was an old version of the site with broken code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an ongoing investigation, which we cannot comment on at this time. But as soon as we can, we will (be with you), as we are monitoring your blog. Very informative.”

The leaked source code of recordscheck.net indicates that the website was created by a web development company based in Lahore, Pakistan, called creationnext.com, which did not return messages requesting comment. The homepage of CreationNext.com contains a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development company that reportedly designed NPD and RecordsCheck.

Several websites have now been set up to help people find out if their SSN and other data has been exposed in this breach. One of them is npdbreach.com, a lookup page set up by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show that NPD had old and largely inaccurate data about Yours Truly.

The best advice for those concerned about this breach is to freeze your credit file with each of the major credit reporting agencies. Freezing your files makes it much harder for identity thieves to create new accounts in your name and it limits who can view your credit information.

A freeze is a good idea because all the information identity thieves need to assume your identity is now widely available from multiple sources. This is due to the multitude of data breaches we have seen involving Social Security numbers and other important static data points about individuals.

Screenshots of a Telegram-based identity theft service selling background reports through hacked law enforcement accounts on USInfoSearch.

There are numerous cybercriminal services offering detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts with data brokers that cater to private investigators and law enforcement, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity reported on one such service, which was powered by hacked accounts at US consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates that Records Check requested background reports on people by querying USInfoSearch’s database and NPD data. KrebsOnSecurity reached out to USInfoSearch for comment and will update this story if they respond.

The point is, if you’re an American who hasn’t frozen your credit files and you haven’t experienced any new account fraud, the identity thieves probably haven’t gotten to you yet.

All Americans are also entitled to a free copy of their credit report weekly from each of the three major credit bureaus. Previously, consumers were allowed to receive one free report annually from each of the bureaus, but in October 2023 the Federal Trade Commission announced that the bureaus have permanently extended a program that allows you to check your credit report once a week for free.

If you haven’t done so in a while, now is a great time to order your files. To place a freeze, you’ll need to set up an account with each of the three major reporting agencies, Equifax, Experian, and TransUnion. Once you’ve set up an account, you should be able to view and freeze your credit file. If you see errors, such as random addresses and phone numbers you don’t recognize, don’t ignore them. Dispute any inaccuracies you find.