Com TW NOw News 2024

National Public Data leaked passwords online
Earlier this month, a huge trove of data from scraping service National Public Data was released online. The dump made international headlines because it contained data on hundreds of millions of people, including Social Security Numbers.

As if that wasn’t bad enough, KrebsOnSecurity is now reporting that a sister site of National Public Data hosted a file online containing the usernames and passwords for the website’s backend, including the site administrator’s.

That site, Records Check, is hosted at recordscheck.net and looks very similar to nationalpublicdata.com, down to identical login pages. The publicly available file, since taken offline, showed that every RecordsCheck user was issued the same six-character initial password with instructions to change it. Many never did.
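The check a site operator should have run before this ever became a story, added here as an example and not code from RecordsCheck, National Public Data or Malwarebytes: take the known initial password and verify it against every stored hash, listing the accounts that never changed it. The storage scheme (per-user salted PBKDF2-HMAC-SHA256), the user table, the account names and the placeholder default password `Temp01` are all constructed for the example; nothing here reflects how the real site stored credentials.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# PBKDF2 work factor; chosen for this example (production values are higher).
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using per-user salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample data: the shared initial password every account was issued,
# and a user table in which two accounts (including the administrator) never changed it.
DEFAULT_PASSWORD = "Temp01"  # six characters like the one in the story; not the real value
SAMPLE_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "admin": hash_password(DEFAULT_PASSWORD),
    "analyst1": hash_password("correct horse battery staple"),
    "analyst2": hash_password(DEFAULT_PASSWORD),
    "analyst3": hash_password("Tr0ub4dor&3-rotated"),
}


def count_distinct_digests(users: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Number of distinct stored digests. With per-user salts this equals the number
    of users even when several share a password, so grouping by hash finds nothing;
    you have to verify the known default against each account instead."""
    return len({digest for _salt, digest in users.values()})


def find_default_password_accounts(
    users: Dict[str, Tuple[bytes, bytes]], default_password: str
) -> List[str]:
    """Accounts whose stored hash verifies against the known initial password."""
    return sorted(
        username
        for username, (salt, digest) in users.items()
        if verify_password(default_password, salt, digest)
    )


if __name__ == "__main__":
    print("distinct digests:", count_distinct_digests(SAMPLE_USERS))
    print("still on default password:",
          find_default_password_accounts(SAMPLE_USERS, DEFAULT_PASSWORD))
```

The same audit works with any password scheme that exposes a verify function (bcrypt's `checkpw`, Argon2's `verify`); the accounts it returns should be force-reset, and the administrator account should never have been issued a shared default in the first place.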

National Public Data founder Salvatore “Sal” Verini told Krebs that the exposed file has been removed from the company’s website and that the entire site will be inoperable “within a week or so.”

But that is too little, too late. As much as we dislike companies like these scraping our data, it’s even worse to see how carelessly they handle it once they have it.

What makes this breach different

Back to the original NPD data dump. We now know a lot more about this database.

The 277GB trove reportedly contained Social Security numbers and other sensitive data on approximately 2.9 billion people. That figure seemed inflated, so we investigated.

Our researchers estimate that it contains around 272 million unique Social Security numbers. That could mean the majority of US citizens are affected, although numerous people confirmed to BleepingComputer that it also contained information about deceased relatives, so not every one of those numbers belongs to a living person.

There are a number of aspects that significantly distinguish this case from other data breaches.

First, the data was “scraped”: taken from different sources and combined into one large database. In other words, the data was already out there, in pieces. Combining datasets often produces duplicate records; the same person listed at two different addresses, for example, appears twice, which is one reason a record count overstates the number of people.

However, combining the data into such a large database gives those with access to it the opportunity to collect a huge amount of data about each person.
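To make the distinction between records and people concrete, here is an added example (not code from Malwarebytes’ researchers, whose method the article does not describe) that normalizes and validates SSN strings, drops structurally impossible ones, and collapses the remaining records onto unique SSNs while keeping every name and address variant seen for each number, which is exactly the “huge amount of data about each person” effect of combining datasets. The records and SSN values are constructed placeholders; the structural rules applied (area not 000, 666 or 900-999; group not 00; serial not 0000) are the Social Security Administration’s published format rules, not something taken from the dump.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Accepts "123-45-6789" and "123456789"; anything else is treated as malformed.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw: str) -> Optional[str]:
    """Return the canonical 9-digit form, or None if the string is malformed or
    structurally impossible under SSA's format rules."""
    m = SSN_RE.match(raw.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or int(area) >= 900:
        return None
    if group == "00" or serial == "0000":
        return None
    return area + group + serial


# Constructed sample: one person scraped three times under two addresses and two
# name spellings, one person twice with and without dashes, one person once,
# plus one structurally invalid and one malformed SSN.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Public", "ssn": "123-45-6789", "address": "1 Main St, Springfield"},
    {"name": "Jane Public", "ssn": "123456789", "address": "22 Oak Ave, Shelbyville"},
    {"name": "JANE PUBLIC", "ssn": "123-45-6789", "address": "1 Main St, Springfield"},
    {"name": "John Doe", "ssn": "219-09-9999", "address": "5 Elm St, Capital City"},
    {"name": "John Doe", "ssn": "219099999", "address": "5 Elm St, Capital City"},
    {"name": "Mary Roe", "ssn": "456-78-9012", "address": "9 Pine Rd, Ogdenville"},
    {"name": "Bad Area", "ssn": "000-12-3456", "address": "nowhere"},   # invalid area 000
    {"name": "Garbled", "ssn": "12-345-6789", "address": "nowhere"},    # malformed
]


def aggregate(records: List[Dict[str, str]]) -> Tuple[Dict[str, dict], List[str]]:
    """Group records by normalized SSN, collecting every name/address variant seen.
    Returns (profiles keyed by SSN, list of raw SSN strings that were rejected)."""
    profiles: Dict[str, dict] = defaultdict(
        lambda: {"names": set(), "addresses": set(), "records": 0}
    )
    invalid: List[str] = []
    for rec in records:
        ssn = normalize_ssn(rec["ssn"])
        if ssn is None:
            invalid.append(rec["ssn"])
            continue
        profile = profiles[ssn]
        profile["names"].add(" ".join(rec["name"].casefold().split()))
        profile["addresses"].add(rec["address"].casefold())
        profile["records"] += 1
    return dict(profiles), invalid


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Headline numbers: raw rows versus unique SSNs, and how much piles up per number."""
    profiles, invalid = aggregate(records)
    return {
        "records": len(records),
        "invalid_ssn_records": len(invalid),
        "unique_ssns": len(profiles),
        "max_records_per_ssn": max(p["records"] for p in profiles.values()),
        "max_addresses_per_ssn": max(len(p["addresses"]) for p in profiles.values()),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run over a real dump, this is the step that turns a row count in the billions into a count of unique numbers. The remaining gap between unique SSNs and living people (deceased relatives, typos that happen to pass the structural check) cannot be closed from the data alone.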

Second, scraping removes the direct link between the breached entity and the people whose data is in the leaked database. Typically, a breached company informs its affected customers about what happened, offers credit monitoring, and tells them exactly what was stolen. Here, most of the people in the database never had any relationship with National Public Data, so nobody is obliged to tell them anything.

Depending on the outcome of a complaint filed in the U.S. District Court for the Southern District of Florida, this could still happen, but it’s unlikely to come close to what a company concerned about its customers would be willing to do.

National Public Data has set up a website (only accessible with a US IP address, so from outside the US you may need to use a VPN) about the breach. According to the website:

“The information believed to have been leaked included name, email address, phone number, social security number, and postal address(es).”

Protecting yourself after a data breach

There are a number of measures you can take if you are or suspect that you are a victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the breached company to see what happened and follow any specific advice it gives.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use anywhere else. Better yet, have a password manager choose one for you.
  • Enable two-factor authentication (2FA). If possible, use a FIDO2-compatible hardware key, laptop, or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password. A FIDO2 credential is bound to the site it was registered with, so it cannot be replayed against a look-alike phishing site.
  • Beware of fake vendors. The thieves may contact you posing as the breached company. Check that company’s website to see whether it is contacting victims, and verify the identity of anyone who contacts you through a separate communication channel.
  • Take your time. Phishing attacks often impersonate well-known individuals or brands and use themes that demand urgent attention, such as missed deliveries, account suspensions, and security warnings.
  • Consider not saving your card details. It’s certainly more convenient when sites remember your card details for you, but we strongly recommend not saving that information on websites.
  • Set up identity monitoring. With Identity Monitoring, you will be notified if your personal information is being traded illegally online and get help with recovery.

If you want to know what personal information of yours has been exposed online, you can use our free Digital Footprint scan. Enter the email address you are curious about (it is best to enter the email address you use most often) and we will send you a free report.