[conspire] Huge, serious data breach at data broker National Public Data

Rick Moen rick at linuxmafia.com
Tue Aug 20 20:23:59 PDT 2024


Brian Krebs published a heck of a story, here:
https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/
Consumer data broker National Public Data (NPD) had a security breach of
272 million Americans' names, addresses, phone numbers, _SSNs_, and
other data.  This was publicised in July, but NPD 'fessed up that the
leak dates back to Dec. 2023.  

Did I mention the SSNs?  (Just getting yr. attention.  This is serious
stuff.)


Worse, an NPD sister property hosted an archive ("members.zip") of the
same data, incompetently included in that archive its site’s
administrator's security credentials, and thus handed the keys to its
kingdom to the world's online criminals.  

So, since a bunch of people, good and bad, have copies of the
members.zip data, a couple of the good guys have stood up Web sites to
help people learn if their SSN and other data was exposed in this
breach. One is npdbreach.com, a lookup page erected by Atlas Data
Privacy Corp.  Another lookup service is available at npd.pentester.com.


I checked at npdbreach.com:  Supplying my firstname, lastname, and Zip
Code, yep:  

                           1 Result Found
Name              Address      ZIP Code      SSN         Phone
[my legal name]   Redacted     94025         Redacted    Redacted

Again, just stressing:  My SSN _is_ in the leaked data.  And probably
the same for 272 million other Americans.  Probably you.



There's probably a _lot_ of bad things the criminals can do with this
data, including sundry forms of identity theft.  However, the first and 
most obvious crime is:  credit card fraud.

When I read Brian Krebs's article, I immediately registered at the four
credit reporting agencies, and set up a credit report freeze at each.
Such a freeze makes it so it's almost impossible for new credit to be
opened in one's name, and ensures that almost nobody can even view one's
credit information.  (You can toggle off the freeze when necessary to 
apply for credit or let someone "pull" your credit report.)


My notes:


Equifax (my.equifax.com):  The free offering is called "CoreCredit" and
is what I signed up for on 2024-08-19.  Credit freeze placed 2024-08-19.


Experian (experian.com):  Account set at Experian to "frozen" at
2024-08-19.  https://usa.experian.com/mfe/regulatory/security-freeze


Innovis (innovis.com):  Tried to sign up online on 2024-08-19, but for
unstated reasons they don't like my telephone number and refused
registration.  So, as plan B, called their automated voice-response
number, 866-712-4547, and ordered credit freeze.  This was reported
done, with 
Confirmation number: [redacted]
The system says I will receive a related PIN via postal mail.


TransUnion (service.transunion.com):  Credit freeze toggled into place
2024-08-19.



I _seriously_ urge that everyone else do likewise.


