Plaintext passwords may have struck again

National Public Data (NPD) confirmed last week that it suffered a security breach dating back to December last year. An alleged stolen NPD database containing 2.9 billion lines of data, including Social Security numbers, was advertised on the dark web in April by a hacker group known as USDoD for $3.5 million, and the stolen data has since been posted publicly in various locations.

Now, Krebs On Security reports a roughly identical website to NPD called recordscheck.net was found to be hosting an archive containing site logins as well as source code for some of the site’s tools in plaintext. That would’ve been enough information to access the same consumer records as NPD. The now-removed file contained email data belonging to NPD founder Salvatore Verini, an actor and retired sheriff’s deputy from Florida.

In an email exchange with Krebs On Security, Verini wrote that the file contained an old website version with “non-working code” and indicated the site will cease operations “in the next week or so.” Verini did not comment further, citing an “active investigation.” Krebs On Security also found that Verini wrote a positive testimonial for Creation Next, a web developer company mentioned in the archived source code.

Since the leak on the hacker forum last month, several websites like npdbreach.com, from Atlas Privacy, and npd.pentester.com have popped up, saying they offer searches to find out if your information is included in the leak. Using these services, of course, means you need to put your name, birth year, and perhaps your SSN into someone’s form. As Krebs notes, given the many leaks that have already revealed similar information, the best course of action may be to put a freeze on your credit report with the major bureaus (Equifax, Experian, and TransUnion) and take advantage of the free weekly credit reports you are entitled to.