
Millions of passwords and Social Security numbers exposed as old hacks remain a threat

An unsecured database that likely contains tens of millions of unique Social Security numbers, alongside email addresses and passwords, has been discovered by security researchers.

While the database appears to have been collated from a number of separate data breaches over approximately a decade, the researchers explain why even very old personal data remains a live threat …

Exposed passwords and Social Security numbers

Wired reports that the database was discovered by cybersecurity company UpGuard. The raw total number of records is measured in the billions but likely contains a great many duplicates, so the true number of unique entries is hard to determine from the sample examined.

The raw totals […] included roughly 3 billion email addresses and passwords as well as about 2.7 billion records that included Social Security numbers.

However, it seems likely that the number of unique entries is somewhere in the tens to hundreds of millions. UpGuard was able to contact a sample of people whose data was included, and verification suggests that around a quarter of the Social Security numbers are correct.

Data appears to span a decade

The researchers suspect that much of the data may have come from a massive data leak of some 2.7 billion records back in 2024. It was suggested at the time that this may have included sensitive personal data for every person in the US, UK and Canada.

Other data appears much older, and the method used to estimate its age is amusing.

By analyzing trends in the data, including the popularity of certain cultural references in passwords, they concluded that much of the data likely dates to the United States in roughly 2015. For example, passwords referencing One Direction, Fall Out Boy, and Taylor Swift were very common. 

Very old data can remain a threat

It can be tempting to dismiss such discoveries as largely irrelevant given that they don’t reflect a new data breach. However, UpGuard research director Greg Pollock says that even decade-old data can remain a live threat for two reasons.

First, some data never changes, with Social Security numbers an obvious example. Second, the validation process indicates that much of the data has not yet been exploited. This means that potential victims may not know that their personal data is out there. It’s often the case that victims are only alerted when an attacker attempts to use the data to access their accounts.

“Every week, there’s another finding where it looks big on paper, but it’s probably not very novel,” Pollock says. “So I was surprised when I started digging into the specific cases here to validate the data. In some cases, the identities in this data breach are at risk because they have been exposed, but they have not yet been exploited.”

9to5Mac’s Take

Pollock’s point is a solid one, and underlines the importance of using a password manager to ensure that you have strong, unique passwords for each of the websites, online services, and apps you use.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

