
A misconfigured cloud database containing billions of Social Security numbers (SSNs) and plaintext passwords was discovered exposed online.
Researchers at UpGuard say the unsecured Elasticsearch instance held approximately 2.7 billion records containing SSNs and roughly 3 billion email address and password combinations.
The exposed database was identified during routine internet scanning in the week of January 12, 2026. According to UpGuard, the instance was openly accessible without authentication and contained multiple indices clearly labeled “ssn” and “ssn2,” each storing millions of records with nine-digit numbers in a field explicitly named “ssn.”
In addition to the SSN datasets, the database included numerous indices containing email and password combinations. These were sharded alphabetically by the first character of the email address, suggesting a deliberate organizational structure rather than accidental logging.
The nature of the data, highly sensitive personally identifiable information (PII) combined with plaintext credentials, led researchers to suspect that the database belonged either to a threat actor compiling breach data or to a poorly secured threat intelligence operation aggregating previously leaked information. No hostnames, banners, or log artifacts were present to help identify the owner.
On January 16, UpGuard reported the exposed IP address and findings to the FBI’s Internet Crime Complaint Center (IC3) and submitted an abuse notification to German hosting provider Hetzner, which was hosting the server. Public access to the database was disabled on January 21 after follow-up communications emphasized the severity of the privacy violations.
Hetzner confirmed the issue had been forwarded to its customer, and the database was subsequently taken offline.
A spin of old breaches?
The sheer volume of records suggests the dataset may have been constructed by aggregating and refining data from prior large-scale breaches, such as the 2015 U.S. Office of Personnel Management (OPM) hack and the 2024 National Public Data breach. Both incidents exposed extensive SSN records and remain frequent sources for criminal data trading and recombination.
UpGuard did not download the full dataset due to its size and sensitivity, but analyzed a sample of 2.8 million SSN records. Within that subset, researchers identified over 1.45 million unique SSNs and more than 1 million unique name combinations, indicating significant duplication but also a large pool of distinct identities.
Extrapolating from the sample, the researchers estimate the full dataset could contain over 1 billion unique SSNs and more than 2.2 billion unique passwords. While not all records appear authentic, even a fraction being valid would represent a substantial percentage of the U.S. adult population.
To verify authenticity, the team cross-checked a limited number of entries against individuals they knew. In at least one case, a confirmed, valid SSN appeared among multiple records tied to the same individual. Another case involved a person who had previously been affected by identity theft, whose data was also present in the dataset.
To approximate when the password data was originally collected, UpGuard used what it described as a “cultural index fossil” technique, analyzing pop culture references embedded in passwords to estimate their timeframe.
For example, the dataset contained 655 instances of “obama” as a password compared to 265 instances of “trump.” Similarly, band names such as “onedirection” (5,032 mentions) and “falloutboy” (2,101 mentions) appeared far more frequently than more recent global phenomena like “btsarmy,” which appeared only twice.
The researchers concluded that large portions of the dataset likely originated around or before 2016, consistent with data harvested from older breaches that have since circulated in criminal combolists.
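The "cultural index fossil" approach described above, sketched as an added example (this is not UpGuard's code): it counts marker terms in a password sample and derives a rough collection era from them. The year assigned to each term, the substring matching, and the 1% threshold are assumptions made for this illustration.

```python
from collections import Counter

# Assumed marker terms mapped to the approximate year each became widely
# popular. The terms are the ones the article quotes; the years are
# illustrative values chosen for this example.
MARKERS = {"falloutboy": 2005, "obama": 2008, "onedirection": 2011,
           "trump": 2016, "btsarmy": 2017}

def marker_counts(passwords):
    """Count passwords that contain each marker term, ignoring case."""
    counts = Counter()
    for pw in passwords:
        lowered = pw.lower()
        counts.update(term for term in MARKERS if term in lowered)
    return counts

def weighted_median_year(counts):
    """Marker year at which half of all marker hits have been reached."""
    total = sum(counts.get(t, 0) for t in MARKERS)
    if total == 0:
        return None  # no markers found, nothing to date
    running = 0
    for term, year in sorted(MARKERS.items(), key=lambda kv: kv[1]):
        running += counts.get(term, 0)
        if running * 2 >= total:
            return year

def latest_represented_year(counts, min_share=0.01):
    """Newest marker year whose hits reach min_share of all marker hits.
    Rare stragglers (for example a handful of later additions) are ignored."""
    total = sum(counts.get(t, 0) for t in MARKERS)
    years = [MARKERS[t] for t in MARKERS
             if total and counts.get(t, 0) / total >= min_share]
    return max(years) if years else None

# Constructed sample passwords (not taken from any real dataset).
SAMPLE = ["OneDirection1", "onedirection!", "1Dforever", "falloutboy07",
          "Obama2008", "ilovefalloutboy", "onedirection13", "hunter2"]

if __name__ == "__main__":
    c = marker_counts(SAMPLE)
    print(dict(c), weighted_median_year(c), latest_represented_year(c))
```

Raw counts of different terms are only loosely comparable, since each term has its own baseline popularity, so the result is a coarse era rather than a date.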
SSN exposure is critical because an SSN cannot be easily changed, and once compromised, it can be reused indefinitely for fraud, credit abuse, and identity theft. It is recommended that owners of exposed SSNs place a credit freeze with major credit bureaus to prevent abuse.






