In a disturbing find, a cybersecurity vendor discovered an exposed online database that may have been storing as many as 1 billion Social Security numbers (SSNs).
A database indexed using Elasticsearch was left open on the internet, according to security provider UpGuard. The stockpile contained 3 billion records, including email addresses and passwords, along with another dataset of 2.7 billion records, including SSNs.
Specifically, the SSNs consisted of two datasets spanning 353.3GB and 76.7GB, for a total of 430GB, UpGuard told PCMag. The company suspects a hacker or “amateurish threat intelligence vendor” is behind the database.
(Credit: UpGuard)
The finding is unsettling since stolen SSNs can be exploited to commit identity theft. How they were collected remains a mystery, but the data may have been leaked through various breaches over the years. Back in 2024, a little-known background check provider called National Public Data disclosed it had lost a trove of SSN-related data to hackers.
The database UpGuard discovered is clearly staggering in scope. But it’s unclear how much of the information might’ve been authentic versus redundant or fabricated. “Because of the size and sensitivity of the data, we did not attempt to download the entire data set,” UpGuard said.
Instead, the company downloaded “a sample of 2.8 million records” within one of the SSN-focused datasets. “The sample of 2.8M records included 1,453,086 unique SSNs, indicating some repeats as expected from manual observation. About 52% of the records had unique SSNs and about 40% of the records had unique names,” UpGuard says.
(Credit: UpGuard)
The finding suggests the entire database contained 1.08 billion SSNs. UpGuard’s Director of Research, Greg Pollock, also said he found personal information belonging to two friends.
“For John Doe, there were four records with his name,” Pollock wrote. “Each record had a unique physical address, which I recognized as being the correct state and city, though some of the exact street addresses were not correct. Across the four records there were also three different SSNs. I contacted John Doe and he confirmed that one of them was his actual Social Security number.”
Recommended by Our Editors
So it looks like some of the data is junk, but other portions are real. The database also contained entries including “EMAIL MY BILL” and “1234 EAT MY DOOKIE ST,” which suggests “at some point in the lifecycle of this data, there were real end users putting data into web forms,” Pollock added.
UpGuard reported the issue to the FBI and to the German hosting provider, Hetzner, which contacted the mysterious client behind the online database. “We contacted our client and explained what ss database hosting not acceptable. Client now deleted this file from server. So, problem solver for now,” Hetzner said.
Still, the database underscores how many people’s personal information, including their SSNs, may already be in the hands of a hacker. But users can take steps to protect themselves after a data breach, which can include placing a credit freeze to prevent identity theft schemes.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
