Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
After years spent researching and investigating Data breachesGreg Pollock admits that when he came across another exposed database full of passwords and… Social Security numbers“‘I came at it with some fatigue.’” But Bullock, director of research at cybersecurity firm UpGuard, says he and his colleagues found an exposed, publicly accessible database on the Internet in January that appeared to contain a trove of Americans’ sensitive personal data, so massive that he was exhausted and got to work verifying the finding.
the Researchers at UpGuard point out Not all records represent unique, valid information, but the initial totals they found in the January disclosure included nearly 3 billion email addresses and passwords as well as about 2.7 billion records that included Social Security numbers. It’s not clear who set up the database, but it appears to contain personal details that may have been cobbled together through several historical data breaches — including, perhaps, troves of… 2024 breach of the National Background Check Service’s public data. It’s common for data brokers and cybercriminals to collect and reassemble old data sets, but the size and potential quantity of Social Security numbers — even if only a portion of them are real — was eye-catching.
“Every week, there’s another discovery that sounds big on paper, but is probably not very new,” Bullock says. “So I was surprised when I started looking at the cases identified here to validate the data. In some cases, the identities in this data breach are at risk because they have been exposed, but not yet exploited.”
The data was hosted by German cloud provider Hetzner. Since Pollock was unable to identify the owner of the database to contact, he notified Hetzner on January 16. The company, in turn, said it notified its client, who removed the data on January 21.
Hetzner did not provide WIRED for comment prior to publication.
The researchers did not download the entire data set for analysis due to its size and sensitivity. Instead, they worked with a sample of 2.8 million records, a small fraction of the total trove. By analyzing trends in the data, including the popularity of certain cultural references in passwords, they concluded that much of the data likely came back to the United States around 2015. For example, passwords mentioning One Direction, Fall Out Boy, and Taylor Swift were very popular. Meanwhile, mentions of Blackpink, Katseye, and Btsarmy were barely beginning to appear.
Old data is still valuable for two reasons. First, people often reuse the same email address and password, or a variation of the password, across many different websites and services. This means that cybercriminals can continue to try the same login credentials of the same people over time. The second reason is that people’s Social Security numbers are often linked to their most sensitive, high-risk data, but it never changes during their lifetime. As a result, valid Social Security numbers are one of the crown jewels of identity theft for attackers.
In the sample of data the researchers reviewed, Bullock says one in four Social Security numbers appeared to be valid and legitimate. The sample was too small to extrapolate to the entire data set, but a quarter of all records containing Social Security numbers would be 675 million. A small portion of that will still be a very large set of Social Security numbers.
To verify the data, UpGuard researchers contacted a small number of people whose data appeared in the leaked collection. Bullock emphasizes that one of the most troubling findings from talking to these individuals is that not all of them have had their identities stolen or been hacked. In other words, there was information in the database that cybercriminals had not yet exploited — and potential victims didn’t necessarily know that their information had been exposed.