Security researchers have discovered an unsecured database that likely contains tens of millions of unique Social Security numbers, along with email addresses and passwords.
While the database appears to have been compiled from a series of separate data breaches spanning around a decade, researchers explain why even very old personal data remains a live threat…
Passwords and Social Security numbers exposed
Wired reports that the database was discovered by cyber security company UpGuard. The gross total number of records is measured in the billions, but the database likely contains a large number of duplicates, so the actual number of unique records is difficult to determine from the sample examined.
The rough totals (…) included roughly 3 billion email addresses and passwords, as well as about 2.7 billion records that included Social Security numbers.
However, it seems likely that the number of unique records is somewhere in the tens to hundreds of millions of records. UpGuard was able to contact a sample of people whose information was included, and verification suggests that about a quarter of the Social Security numbers are correct.
The data appears to span decades
Researchers believe that much of the data may have come from a massive data breach of around 2.7 billion records in 2024. At the time, it was suggested that it could have included the sensitive personal data of every person in the US, UK and Canada.
The other data seems much older, and the method used to estimate its age is amusing.
By analyzing trends in the data, including the popularity of certain cultural references in passwords, they concluded that much of the data likely came from the United States around 2015. For example, passwords referencing One Direction, Fall Out Boy, and Taylor Swift were very common.
Very old data can remain a threat
It may be tempting to dismiss such discoveries as largely irrelevant given that they do not reflect a new data breach. But UpGuard director of research Greg Pollock says even ten-year-old data can remain a live threat for two reasons.
First, some data never changes, Social Security numbers being an obvious example. Second, the verification process shows that much of the data has not yet been used. This means that potential victims may not know that their personal information exists. Often, victims are only notified when an attacker tries to use the data to access their accounts.
“Every week there’s another find where it looks big on paper, but it’s probably not very new,” says Pollock. “So I was surprised when I started looking into specific cases to verify the data. In some cases, the identities in this data breach are at risk because they have been exposed but not yet exploited.”
9to5Mac’s Take
Pollock’s point is solid and highlights the importance of using a password manager to ensure you have strong and unique passwords for each of the websites, online services and apps you use.
Photo by William Warby on Unsplash


