New NPD breach exposes passwords, raising fresh security concerns
If you thought last week that just about every piece of personal data about you was stolen last week was bad, wait until you hear about how the passwords for the holding company were stolen too.
In April, cybercriminals began selling data stolen from NPD, which included names, addresses, phone numbers, and even email addresses of more than 272 million individuals, many of whom were deceased. NPD acknowledged the breach in August, attributing it to a security incident dating back to December 2023.
However, the situation worsened when it was discovered that a sister site, recordscheck.net, inadvertently published administrator passwords and source code on its homepage.
A reader of KrebsOnSecurity alerted the site to the presence of a file named “members.zip” on the Records Check website. The file, accessible until August 19, contained usernames and passwords for various site components, similar to NPD’s leading platform. Many RecordsCheck users hadn’t changed their default passwords.
Due to the breach of NPD’s platforms, consumers face a heightened risk of identity theft. Compromised passwords allow cyber criminals to access personal information stored on NPD’s platforms and beyond.
What you can do
Given the severity of the breach, consumers should immediately freeze their credit files with major credit reporting bureaus, such as Equifax, Experian, and TransUnion. A credit freeze restricts access to your credit report, making it harder for identity thieves to open new accounts in your name.
While credit freezes don’t prevent all identity theft, they provide essential protection in a vulnerable data landscape.
Regularly monitor your credit reports for unauthorized activity. The Federal Trade Commission allows free credit reports, which can detect and dispute inaccuracies early.
Use unique, strong passwords for different online accounts and change them regularly. A password manager can help maintain security without the burden of memorizing complex passwords.
Finally, several websites have been established to help people in determining if their Social Security Number and other data were compromised in the breach. One such website is npdbreach.com, a lookup page created by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com.
As the investigation into the NPD breach continues, consumers and regulators must demand greater accountability for handling and protecting personal data.
