: Usernames and passwords for their internal systems.
The breach wasn't necessarily a complex hack but a critical oversight. A security researcher discovered that NPD had left a zip file—often identified as index_breached.vc.zip or similar variants—publicly accessible on their website. This file contained:
Following the leak, multiple class-action lawsuits were filed against Jerico Pictures Inc. for failing to secure the data. You can find technical post-mortems and security analysis of the breach on platforms like the Huntress Blog or specialized security news sites like Risky Business .
Once discovered, the data was reportedly scraped and posted to the dark web by a threat actor known as "USDoD." The hacker initially attempted to sell the database for , claiming it contained 2.9 billion records , including: Full names Social Security numbers (SSNs) Mailing addresses Phone numbers The Impact
Experts later clarified that while the "2.9 billion" figure likely included many duplicates and deceased individuals, the scale remained historic. Unlike the , which stemmed from a software vulnerability, the NPD incident is frequently cited as a cautionary tale about directory listing vulnerabilities and the dangers of storing sensitive backups on internet-facing servers.
: Direct access to the company's proprietary software.
: Usernames and passwords for their internal systems.
The breach wasn't necessarily a complex hack but a critical oversight. A security researcher discovered that NPD had left a zip file—often identified as index_breached.vc.zip or similar variants—publicly accessible on their website. This file contained:
Following the leak, multiple class-action lawsuits were filed against Jerico Pictures Inc. for failing to secure the data. You can find technical post-mortems and security analysis of the breach on platforms like the Huntress Blog or specialized security news sites like Risky Business .
Once discovered, the data was reportedly scraped and posted to the dark web by a threat actor known as "USDoD." The hacker initially attempted to sell the database for , claiming it contained 2.9 billion records , including: Full names Social Security numbers (SSNs) Mailing addresses Phone numbers The Impact
Experts later clarified that while the "2.9 billion" figure likely included many duplicates and deceased individuals, the scale remained historic. Unlike the , which stemmed from a software vulnerability, the NPD incident is frequently cited as a cautionary tale about directory listing vulnerabilities and the dangers of storing sensitive backups on internet-facing servers.
: Direct access to the company's proprietary software.
