UpGuard researchers discovered a completely unsecured Elasticsearch database on a German hosting provider.
Contents included:
- 2.7 billion SSN records
- 3 billion email–password combinations
- Names, addresses and plaintext passwords
The headlines are scary but misleading. Are there even 2.7 BILLION people with social security numbers? Short answer: No — there are not.
The U.S. population is only about 340 million, and even including deceased Americans, the total count of all SSNs ever issued is around 450 million.
So why did the report mention 2.7 billion SSN records?
Because the exposed database contained massive duplication and data aggregated from multiple past breaches — not 2.7 billion unique SSNs. According to the UpGuard analysis, the 2.7B records came from combined breach dumps, and the dataset likely contained tens to hundreds of millions of unique individuals once duplicates are removed.
There aren’t billions of SSN holders: the “2.7 billion records” figure refers to a giant, unprotected database full of repeated, recycled, and merged breach data, not a literal count of unique Social Security numbers. The UpGuard discovery provides critical information for several reasons:
1. It Reveals a Major, Real-World Security Failure
UpGuard researchers found an Elasticsearch database sitting openly on the public internet, with no password, no authentication, and no encryption — meaning anyone in the world could access it without restrictions.
Exposed data of this kind provides a live resource for criminals, not just theoretical risk. The fact that it was found through routine scanning shows how easily discovered it was. This highlights systemic issues with unsecured cloud instances — one of the top causes of modern breaches.
2. It Shows That Old Breach Data Is Still Circulating and Being Repackaged
The dataset contained information aggregated from multiple previous major breaches, such as the 2015 OPM hack and the 2024 National Public Data breach, among others.
It confirms that stolen data does not disappear — it gets copied, merged, resold, left on open servers, and reused for years. Even if much of the data was duplicated, criminals benefit from large, consolidated datasets because they enable faster, more effective identity matching.
Why this matters
The exposure includes real people’s SSNs. The dataset is not just junk — it contains working combinations of sensitive identifiers. Even a fraction of the total suggests tens to hundreds of millions of unique individuals may be present in the full dataset. This makes the event relevant to identity‑theft risk and it shows how criminals could build “Identity Profiles”.
The database included highly sensitive fields:
- Social Security Numbers
- Names
- Addresses
- Email addresses
- Plaintext passwords (no encryption)
This type of data could be used for:
- Account takeovers
- Tax fraud
- Credit fraud
- Social-engineering attacks
- Password reuse attacks
It’s a reminder that our biggest risk isn’t always sophisticated attackers — it’s mismanaged cloud infrastructure. It shows that large datasets from many historical breaches are still floating around, unprotected.
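An added example, not from UpGuard's report or the original post: a small audit of an `elasticsearch.yml` for the failures described above (no authentication, no encryption, open to the public internet). Both config samples are constructed, and reading "no encryption" as missing TLS is an assumption.

```python
import ipaddress

# Constructed sample (not the exposed server's real config): the weak state.
WEAK_YML = """\
network.host: 0.0.0.0
xpack.security.enabled: false
"""

# Constructed hardened counterpart: private bind, authentication and TLS on.
HARDENED_YML = """\
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_flat_settings(text):
    """Parse flat 'key: value' lines of elasticsearch.yml (nested YAML not handled)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_public_ip(host):
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False   # hostname or special value such as _local_ / _site_

def audit(text):
    """Return findings for missing authentication, missing TLS and a public bind."""
    s = parse_flat_settings(text)
    findings = []
    # An unset key counts as a finding: the default differs between major versions.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("no-authentication")
    for layer in ("http", "transport"):
        if s.get(f"xpack.security.{layer}.ssl.enabled", "").lower() != "true":
            findings.append(f"no-tls-{layer}")
    host = s.get("network.host", "_local_")   # unset means loopback only
    if host in ("0.0.0.0", "::", "_global_") or is_public_ip(host):
        findings.append("public-bind")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_YML))
    print("hardened:", audit(HARDENED_YML))
```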
Bottom Line:
The report is valuable not because the 2.7 billion number is literal, but because it exposes a dangerous, real-world instance of mass data mishandling. Massive amounts of real people's data are still online, unsecured. Even if the headline number is inflated by duplicates, the report is a warning signal, not a meaningless statistic.
Here’s the TOP 10 list of things you should do!
Given the amount of unsecured, unprotected personal data available to criminals, these protective actions are no longer optional; they’re essential.
1. Place a Fraud Alert on Your Credit File
A fraud alert makes it harder for someone to open new credit in your name. It’s free and lasts one year (renewable). You only need to contact one credit bureau—they notify the others.
2. Consider Freezing Your Credit (Stronger Protection)
A credit freeze blocks lenders from pulling your credit report, stopping criminals from opening new accounts in your name.
https://www.investopedia.com/how-to-freeze-and-unfreeze-your-credit-5075527
3. Sign Up for Any Free Credit Monitoring Offered
4. Check Your Social Security Statement
5. Monitor Tax Filings to Prevent Tax Fraud
Criminals may file fraudulent tax returns using your SSN. Protect yourself by creating an IRS online account before a criminal does.
6. Obtain an Identity Protection PIN (IP PIN) from the IRS
An IRS IP PIN prevents anyone except you from filing a tax return under your SSN.
https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
7. Monitor All Your Financial Accounts Closely
8. Be Skeptical of Calls, Emails, or Letters Claiming to Be From SSA, IRS, or Your Bank
9. Change Your Passwords, Especially if You Reuse Them
10. If You Discover Misuse, Report It Immediately
Thanks to GRC research for this important and timely information.
Here’s a link to UpGuard’s “Social Insecurity” research document:
https://www.upguard.com/breaches