A massive data leak that probably exposed all of your personal info is hugely worse than thought

New NPD breach exposes passwords, raising fresh security concerns

If you thought last week's news that just about every piece of personal data about you was stolen was bad, wait until you hear how the passwords for the holding company were stolen too.

In April, cybercriminals began selling data stolen from NPD, which included names, addresses, phone numbers, and even email addresses of more than 272 million individuals, many of whom were deceased. NPD acknowledged the breach in August, attributing it to a security incident dating back to December 2023.

However, the situation worsened when it was discovered that a sister site, recordscheck.net, inadvertently published administrator passwords and source code on its homepage.

A reader of KrebsOnSecurity alerted the site to the presence of a file named "members.zip" on the Records Check website. The file, accessible until August 19, contained usernames and passwords for various site components, similar to NPD's leading platform. Many RecordsCheck users hadn't changed their default passwords.

Due to the breach of NPD's platforms, consumers face a heightened risk of identity theft. Compromised passwords allow cybercriminals to access personal information stored on NPD's platforms and beyond.

What you can do

Given the severity of the breach, consumers should immediately freeze their credit files with major credit reporting bureaus, such as Equifax, Experian, and TransUnion. A credit freeze restricts access to your credit report, making it harder for identity thieves to open new accounts in your name.

While credit freezes don't prevent all identity theft, they provide essential protection in a vulnerable data landscape.

Regularly monitor your credit reports for unauthorized activity. The Federal Trade Commission allows free credit reports, which can help you detect and dispute inaccuracies early.

Use unique, strong passwords for different online accounts and change them regularly. A password manager can help maintain security without the burden of memorizing complex passwords.

Finally, several websites have been established to help people determine whether their Social Security Number and other data were compromised in the breach. One such website is npdbreach.com, a lookup page created by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com.

As the investigation into the NPD breach continues, consumers and regulators must demand greater accountability for handling and protecting personal data.



12 Comments

apple4thewin 321 comments · 3 Years

Wow it keeps getting worse and worse. Imagine how long people knew about it and kept quiet until a massive hacking group opened a zip file and pressed the Staples red button

StrangeDays 12980 comments · 8 Years

I'm in the breach, awesome.

Arguably worse than the highly covered Windows BSOD issue last month, but next to no media coverage. I guess if it doesn't make you miss a flight nobody cares.

mac_dog 1084 comments · 16 Years

How does a company inadvertently post admin credentials? Ridiculous. 

VictorMortimer 239 comments · New User

There really is no excuse for this.  These data brokers should simply not be allowed to exist.  It should be illegal for ANY company to collect social security numbers for any purpose other than tax reporting.

zimmermann 346 comments · 9 Years

Is this about a data breach in the USA? How about passwords in other countries?