Researchers at UpGuard have discovered a misconfigured cloud database online while conducting routine internet scanning that contains billions of records, including 2.7 billion Social Security numbers (SSNs) and 3 billion plaintext email addresses and password combinations. The fairly easy-to-find data was accessed without authentication.
After reporting the access to the FBI’s Internet Crime Complaint Center (IC3) and the German hosting provider Hetzner, the database was taken down.
According to Cyberinsider, “the sheer volume of records suggests the dataset may have been constructed by aggregating and refining data from prior large-scale breaches.” The researchers estimate the full dataset could contain over 1 billion unique Social Security numbers and more than 2.2 billion unique passwords.
The researchers even attempted to verify the authenticity of the data by cross-checking it with people they knew. They found that the Social Security numbers in the dataset were valid, and one individual had already been a past victim of identity theft. They concluded that most of the data was harvested before 2016.
The findings show that compromised data from past breaches are aggregated and used today for identity theft and fraud. Since Social Security numbers are an authentication tool to open financial accounts and credit cards, it is important that consumers protect themselves from identity theft and fraud. Checking your credit report, enrolling in credit monitoring and placing a credit freeze on your accounts are still effective ways to protect yourself from identity theft. If you haven’t done so yet, now is the time to make it a priority.