A Vast Trove of Exposed Social Security Numbers May Put Millions at Risk of Identity Theft
Summary
UpGuard found a massive exposed database with billions of emails/passwords and SSN records, likely from past breaches. Hosted by Hetzner, it was removed after notification. Old data still poses a significant risk.
Researchers find massive data cache
Cybersecurity firm UpGuard discovered a publicly accessible database in January containing 3 billion email addresses and 2.7 billion records that included Social Security numbers. The database sat exposed on the open internet without any password protection or encryption. Greg Pollock, UpGuard’s director of research, identified the trove while investigating exposed cloud storage instances.
The data was hosted by Hetzner, a German cloud service provider. Pollock could not identify the specific owner of the database, so he notified Hetzner directly on January 16. The provider contacted its customer, and the data was removed from public view on January 21.
This exposure represents one of the largest collections of sensitive personal information found in recent years. While many of the records likely stem from older data breaches, the sheer volume of Social Security numbers makes it a significant threat to identity security. The researchers spent weeks validating the authenticity of the information to determine the level of risk to the public.
Billions of records were exposed
The raw totals found in the database suggest a massive aggregation of previous leaks and stolen datasets. Researchers found approximately 3 billion combinations of email addresses and passwords. They also found 2.7 billion entries that contained Social Security numbers (SSNs) alongside other identifying details.
UpGuard researchers did not download the entire dataset because of its massive size and the sensitivity of the contents. Instead, they analyzed a sample of 2.8 million records to understand the scope of the leak. This sample allowed the team to verify the types of data present without mishandling the entire multi-terabyte cache.
The database appears to be a "combolist," which is a collection of data stolen from various sources over several years. Cybercriminals and data brokers often combine these datasets to create comprehensive profiles of individuals. This specific collection may include data from the 2024 National Public Data breach, which also involved billions of records.
- 3 billion email and password combinations
- 2.7 billion records containing Social Security numbers
- 2.8 million records analyzed in the initial sample
- 5 days elapsed between the report and the data's removal
Pop culture reveals the age
The researchers used cultural markers within the password data to estimate when the information was originally collected. Passwords frequently reference popular music, movies, and celebrities, which allows analysts to track the "vintage" of a dataset. The team found that much of the data likely dates back to 2015.
The sample contained thousands of references to One Direction, Fall Out Boy, and Taylor Swift. These artists were at the height of their mainstream popularity in the mid-2010s. Conversely, references to modern K-pop groups like BTS or Blackpink were rare or entirely absent from the sample.
This suggests that while the database was discovered in 2024, it contains "historical" data that has been circulating in underground forums for nearly a decade. However, the age of the data does not necessarily decrease its value to hackers. Many users maintain the same digital habits and identity markers for decades.
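The marker-counting approach described in this section can be sketched as follows. This is an added example, not UpGuard's tooling: the era labels, the leetspeak map, the standalone-token rule for short markers and the sample passwords are all assumptions made for illustration.

```python
import re
from collections import Counter

# Markers are the acts the article names; the era labels are assumptions.
ERA_MARKERS = {
    "mid-2010s": ("onedirection", "falloutboy", "taylorswift"),
    "later": ("bts", "blackpink"),
}
LEET = str.maketrans("013457@$", "oieastas")  # common digit/symbol substitutions
SHORT = 4  # markers shorter than this must appear as a standalone token


def eras_for(password: str) -> set:
    """Return the set of eras whose markers appear in one password."""
    lowered = password.lower()
    tokens = set(re.split(r"[^a-z]+", lowered))  # raw alphabetic tokens
    squashed = re.sub(r"[^a-z]", "", lowered.translate(LEET))  # de-leeted letters
    hits = set()
    for era, markers in ERA_MARKERS.items():
        for marker in markers:
            if len(marker) < SHORT:
                found = marker in tokens    # avoids "bts" inside "debts"
            else:
                found = marker in squashed  # tolerates "T4yl0r.Sw1ft"
            if found:
                hits.add(era)
    return hits


def vintage_profile(passwords) -> Counter:
    """Count passwords per era; each password counts once per era."""
    profile = Counter()
    for pw in passwords:
        profile.update(eras_for(pw))
    return profile


# Constructed sample, not taken from any real dataset.
SAMPLE = [
    "OneDirection2014", "f4ll0utb0y!", "taylorswift13", "T4yl0r.Sw1ft",
    "debts2015", "BTS_army", "qwerty123", "Summer2015",
]

if __name__ == "__main__":
    profile = vintage_profile(SAMPLE)
    for era in ERA_MARKERS:
        print(f"{era:10s} {profile[era]:3d} of {len(SAMPLE)}")
```

A profile dominated by the older markers points to an old collection date, but it is only a lower-bound signal: fans keep using old references, so the absence of newer markers carries more weight than the presence of older ones.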
Social Security numbers stay valid
Old data remains dangerous because Social Security numbers almost never change during a person's lifetime. Unlike a credit card number, which a bank can easily replace after a fraud event, an SSN is a permanent identifier. Attackers use these numbers to open fraudulent bank accounts, file false tax returns, and apply for loans.
Pollock’s team found that one in four Social Security numbers in their sample appeared to be valid and legitimate. If that ratio holds across the entire 2.7 billion records, it would represent 675 million valid SSNs. Even if the actual number is a fraction of that, the exposure is catastrophic for consumer privacy.
The researchers contacted a small group of individuals whose data appeared in the leak to verify the findings. Many of these people confirmed their details were accurate but stated they had not yet been victims of identity theft. This indicates that much of this data is a "ticking time bomb" that has been collected but not yet fully exploited by criminals.
Data leaks have long tails
The discovery highlights the "long tail" of risk associated with major breaches like the 2015 Office of Personnel Management (OPM) hack or the 2017 Equifax breach. Once sensitive data has leaked into the open, it is impossible to claw back. It moves from one database to another as brokers repackage it for sale on the dark web.
UpGuard researchers noted that modern data management failures continue to exacerbate these risks. Pollock cited the recent concerns surrounding the Department of Government Efficiency (DOGE) and its handling of federal data as a parallel example. When safeguards that separate sensitive datasets are removed, the potential for permanent privacy damage increases.
Identity theft protection often focuses on recent transactions, but this discovery shows that decade-old information is still a primary tool for attackers. Users who have not changed their passwords since 2015 are at extreme risk of credential stuffing attacks. These attacks use automated scripts to test leaked passwords against thousands of different websites.
Steps for consumer protection
Security experts recommend several immediate actions for anyone concerned that their data was included in this or similar breaches. Because SSNs are permanent, the most effective defense is a credit freeze. This prevents lenders from accessing a credit report, which stops identity thieves from opening new accounts in a victim's name.
Password hygiene remains the second most important defense against these massive combolists. Using a password manager ensures that every account has a unique, complex password. If one service is breached, the leaked password cannot be used to access other sensitive accounts like email or banking.
- Freeze your credit with Equifax, Experian, and TransUnion.
- Enable multi-factor authentication (MFA) on all financial and email accounts.
- Change passwords that have not been updated since 2015.
- Monitor tax transcripts for unauthorized filings using your SSN.
The UpGuard finding serves as a reminder that personal data is rarely deleted once it is stolen. It simply waits in exposed databases for the next buyer or the next curious researcher to find it. Pollock describes these datasets as "land mines" that remain dangerous for decades after they are initially planted.
