(Credit: Glowimages via Getty Images)
In a disturbing find, a cybersecurity vendor discovered an exposed online database that may have been storing as many as 1 billion Social Security numbers (SSNs).
A database indexed using Elasticsearch was left open on the internet, according to security provider UpGuard. The stockpile contained 3 billion records, including email addresses and passwords, along with another dataset of 2.7 billion records, including SSNs.
Specifically, the SSNs consisted of two datasets spanning 353.3GB and 76.7GB, for a total of 430GB, UpGuard told PCMag. The company suspects a hacker or “amateurish threat intelligence vendor” is behind the database.
(Credit: UpGuard)The finding is unsettling since stolen SSNs can be exploited to commit identity theft. How they were collected remains a mystery, but the data may have been leaked through various breaches over the years. Back in 2024, a little-known background check provider called National Public Data disclosed it had lost a trove of SSN-related data to hackers.
The database UpGuard discovered is clearly staggering in scope. But it's unclear how much of the information might’ve been authentic versus redundant or fabricated. "Because of the size and sensitivity of the data, we did not attempt to download the entire data set," UpGuard said.
Instead, the company downloaded “a sample of 2.8 million records” within one of the SSN-focused datasets. “The sample of 2.8M records included 1,453,086 unique SSNs, indicating some repeats as expected from manual observation. About 52% of the records had unique SSNs and about 40% of the records had unique names,” UpGuard says.
(Credit: UpGuard)The finding suggests the entire database contained 1.08 billion SSNs. UpGuard’s Director of Research, Greg Pollock, also said he found personal information belonging to two friends.
“For John Doe, there were four records with his name,” Pollock wrote. “Each record had a unique physical address, which I recognized as being the correct state and city, though some of the exact street addresses were not correct. Across the four records there were also three different SSNs. I contacted John Doe and he confirmed that one of them was his actual Social Security number.”
So it looks like some of the data is junk, but other portions are real. The US government notes only "548.3 million" different SSNs have been issued so far.
The database also contained entries including "EMAIL MY BILL" and "1234 EAT MY DOOKIE ST," which suggests “at some point in the lifecycle of this data, there were real end users putting data into web forms,” Pollock added.
UpGuard reported the issue to the FBI and to the German hosting provider, Hetzner, which contacted the mysterious client behind the online database. “We contacted our client and explained what ss database hosting not acceptable. Client now deleted this file from server. So, problem solver for now," Hetzner said.
Still, the database underscores how many people's personal information, including their SSNs, may already be in the hands of a hacker. But users can take steps to protect themselves after a data breach, which can include placing a credit freeze to prevent identity theft schemes.