Hard as it may be to imagine, the massive data leak – which appears to include the personal data of everyone in the US, UK, and Canada – was even worse than we thought.
In a truly epic security fail, the same data was hosted by a partner company which managed to publish its own passwords, enabling absolutely anyone to access the data …
We learned last week of the leak of around 2.7 billion records.
Each record consists of the following information – a person’s name, mailing addresses, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted.
But now KrebsOnSecurity reports that one of the company’s resellers managed to accidentally publish its own login details for the database – right there on its homepage!
Another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today […]
A reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.
Still, at least it would be impossible for things to get any worse, right? Right?
The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.
How to check your data, and protect yourself
Top comment by CuJo YYC
So lovely and considerate that, although "everyone in the US, UK, and Canada" are affected, no provision for checking on said breach is available to Canadians or residents of the UK.
If you want to check whether your data was exposed, those resident in the US can use one of two free lookup services:
Unfortunately neither supports searches for UK or Canadian addresses.
As the database was an older backup, you may find that the data it holds for you is out of date. However, if it is current, it’s recommended that you freeze your credit. This should prevent anyone stealing your identity to apply for loans or payment cards in your name, as all applications should be declined.
Photo by Bruno Aguirre on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments