A Vast Trove of Exposed Social Security Numbers May Put Millions at Risk of Identity Theft

After years spent uncovering and investigating information breaches, Greg Pollock admits that erstwhile helium comes crossed yet different exposed database afloat of passwords and Social Security numbers, “I travel to it with immoderate fatigue.” But Pollock, manager of probe astatine the cybersecurity institution UpGuard, says helium and his colleagues recovered an exposed, publically accessible database online successful January that appeared to incorporate a trove of Americans' delicate idiosyncratic information truthful monolithic that his weariness lifted and they sprang to enactment to validate the finding.

The UpGuard researchers constituent retired that not each of the records correspond unique, valid information, but the earthy totals they recovered successful the January vulnerability included astir 3 cardinal email addresses and passwords arsenic good arsenic astir 2.7 cardinal records that included Social Security numbers. It was unclear who had acceptable up the database, but it seemed to incorporate idiosyncratic details that whitethorn person been cobbled unneurotic from aggregate historical information breaches—including, perhaps, the trove from the 2024 breach of the background-checking work National Public Data. It is communal for information brokers and cybercriminals to harvester and recombine aged information sets, but the standard and the imaginable quantity of Social Security numbers—even if lone a fraction of them were real—was striking.

“Every week, there’s different uncovering wherever it looks large connected paper, but it's astir apt not precise novel,” Pollock says, “So I was amazed erstwhile I started digging into the circumstantial cases present to validate the data. In immoderate cases, the identities successful this information breach are astatine hazard due to the fact that they person been exposed, but they person not yet been exploited.”

The information was hosted by the German unreality supplier Hetzner. Since Pollock could not place an proprietor of the database to contact, helium notified Hetzner connected January 16. The company, successful turn, said it notified its customer, which removed the information connected January 21.

Hetzner did not supply WIRED with remark up of publication.

The researchers did not download the full information acceptable for investigation owed to its size and sensitivity. Instead they worked with a illustration of 2.8 cardinal records—a tiny fraction of the full trove. By analyzing trends successful the data, including the popularity of definite taste references successful passwords, they concluded that overmuch of the information apt dates to the United States successful astir 2015. For example, passwords referencing One Direction, Fall Out Boy, and Taylor Swift were precise common. Meanwhile, references to Blackpink, Katseye, and Btsarmy were conscionable hardly opening to amusement up.

Old information is inactive invaluable for 2 reasons. First, radical often reuse the aforesaid email code and password, oregon a saltation of the password, crossed galore antithetic websites and services. This means that cybercriminals tin support trying the aforesaid login credentials for the aforesaid radical implicit time. The 2nd crushed is that people's Social Security numbers are often linked to their astir delicate and high-stakes data, but astir ne'er alteration during their lifetimes. As a result, valid SSNs are 1 of the crown jewels of individuality theft for attackers.

In the illustration of information the researchers reviewed, Pollock says that 1 successful 4 SSNs appeared to beryllium valid and legitimate. The illustration was excessively tiny to extrapolate to the full information set, but a 4th of each the records containing SSNs would beryllium 675 million. A fraction of that would inactive correspond a precise important acceptable of Social Security numbers.

To verify the data, UpGuard researchers contacted a fistful of radical whose information appeared successful the leaked trove. Pollock emphasizes that 1 of the astir concerning findings from speaking to those individuals was that not each of them person had their identities stolen oregon suffered hacks. In different words, determination was accusation successful the database that has not yet been exploited by cybercriminals—and imaginable victims don't needfully cognize that their accusation has been exposed.