Hetzner: UpGuard Discovers Misconfigured Cloud Including 2.7 Billion SSNs

Massive Exposed Database Leaks Billions of SSNs and Passwords

Researchers at UpGuard recently uncovered a misconfigured cloud database containing billions of sensitive records, including 2.7 billion Social Security numbers (SSNs) and 3 billion plaintext email-password combinations. The unsecured data was accessible without authentication, making it easily discoverable during routine internet scans.

After the researchers notified the FBI’s Internet Crime Complaint Center (IC3) and the German hosting provider Hetzner, the database was taken offline. Cybersecurity analysts suggest the dataset was likely aggregated and refined from previous large-scale breaches, with estimates indicating over 1 billion unique SSNs and 2.2 billion unique passwords in the collection.

To verify the data’s authenticity, researchers cross-checked records with known individuals, confirming that the SSNs were valid. One person in the dataset had previously been a victim of identity theft, reinforcing concerns about the data’s legitimacy. Most of the exposed information appears to have been harvested before 2016, highlighting how old breaches continue to fuel modern cybercrime.

The incident underscores the persistent risk of identity theft and fraud, as SSNs remain a critical authentication tool for financial accounts and credit applications. The scale of the leak demonstrates how threat actors compile and exploit stolen data long after initial breaches occur.

Source: https://natlawreview.com/article/privacy-tip-481-threat-actors-continue-use-data-old-breaches

Hetzner cybersecurity rating report: https://www.rankiteo.com/company/hetzner-online

{
  "id": "HET1772159936",
  "linkid": "hetzner-online",
  "type": "Breach",
  "date": "1/2016",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Billions of individuals',
                        'industry': 'Technology/Cloud Services',
                        'location': 'Germany (Hetzner)',
                        'type': 'Cloud Hosting Provider'}],
 'attack_vector': 'Misconfigured Cloud Database',
 'data_breach': {'data_encryption': 'Plaintext (passwords)',
                 'number_of_records_exposed': '5.7 billion (2.7B SSNs + 3B '
                                              'email-passwords)',
                 'personally_identifiable_information': 'SSNs, Email '
                                                        'Addresses, Passwords',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Social Security Numbers (SSNs)',
                                              'Email-Password Combinations']},
 'description': 'Researchers at UpGuard uncovered a misconfigured cloud '
                'database containing billions of sensitive records, including '
                '2.7 billion Social Security numbers (SSNs) and 3 billion '
                'plaintext email-password combinations. The unsecured data was '
                'accessible without authentication, making it easily '
                'discoverable during routine internet scans. The dataset '
                'likely originated from aggregated and refined data from '
                'previous large-scale breaches, with over 1 billion unique '
                'SSNs and 2.2 billion unique passwords in the collection.',
 'impact': {'data_compromised': '2.7 billion SSNs, 3 billion email-password '
                                'combinations',
            'identity_theft_risk': 'High',
            'systems_affected': 'Cloud Database'},
 'lessons_learned': 'The incident underscores the persistent risk of identity '
                    'theft and fraud, as SSNs remain a critical authentication '
                    'tool. Old breaches continue to fuel modern cybercrime due '
                    'to aggregated and refined data.',
 'motivation': 'Data Aggregation for Cybercrime',
 'post_incident_analysis': {'root_causes': 'Misconfigured cloud database '
                                           'accessible without authentication'},
 'references': [{'source': 'UpGuard Research'}],
 'response': {'containment_measures': 'Database taken offline',
              'law_enforcement_notified': 'FBI’s Internet Crime Complaint '
                                          'Center (IC3)',
              'third_party_assistance': 'UpGuard Researchers'},
 'title': 'Massive Exposed Database Leaks Billions of SSNs and Passwords',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unsecured Database Accessible Without '
                            'Authentication'}