
Data leak in the USA, Great Britain and Canada – even worse than expected

Although it's hard to imagine, the massive data breach – which apparently affected the personal information of everyone in the US, UK and Canada – was even worse than we thought.

In a truly epic security failure, the same data was hosted by a partner company that managed to publish its own passwords, allowing absolutely anyone to access the data…

We learned last week about the leak of around 2.7 billion records.

Each record contains the following information: a person's name, mailing address, and social security number. Some records contain additional information, such as other names associated with the person. None of this data is encrypted.

But now KrebsOnSecurity has reported that one of the company’s resellers managed to accidentally publish its own login credentials for the database – right there on its homepage!

Another NPD data broker, with access to the same customer data, accidentally published the passwords to its backend database in a file that was freely available on its homepage until today. […]

A reader alerted KrebsOnSecurity that a sister company of NPD – the background search service recordscheck.net – hosted an archive containing the username and password of the site administrator.

But at least it would be impossible for things to get any worse, right? Right?

The shared archive, named “members.zip,” indicates that all RecordsCheck users were initially assigned the same six-digit password and asked to change it, but many did not do so.

How to check your data and protect yourself

If you would like to check whether your information has been disclosed, U.S. residents can use one of two free lookup services:

Unfortunately, neither of them supports searching for addresses in the UK or Canada.

Since the database is an older backup, you may find that the data it contains is out of date, but if it is current, it is recommended that you freeze your credit. This should prevent anyone from stealing your identity to apply for loans or payment cards in your name, as all applications should be rejected.

Photo by Bruno Aguirre on Unsplash
