Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
Editorials & Other Articles
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
A Vast Trove of Exposed Social Security Numbers May Put Millions at Risk of Identity Theft
https://www.wired.com/story/a-mega-trove-of-exposed-social-security-numbers-underscores-critical-identity-theft-risks/No paywall link
https://archive.li/yjy7W
After years spent finding and investigating data breaches, Greg Pollock admits that when he comes across yet another exposed database full of passwords and Social Security numbers, “I come to it with some fatigue.” But Pollock, director of research at the cybersecurity company UpGuard, says he and his colleagues found an exposed, publicly accessible database online in January that appeared to contain a trove of Americans' sensitive personal data so massive that his weariness lifted and they sprang to action to validate the finding.
The UpGuard researchers point out that not all of the records represent unique, valid information, but the raw totals they found in the January exposure included roughly 3 billion email addresses and passwords as well as about 2.7 billion records that included Social Security numbers. It was unclear who had set up the database, but it seemed to contain personal details that may have been cobbled together from multiple historic data breaches—including, perhaps, the trove from the 2024 breach of the background-checking service National Public Data. It is common for data brokers and cybercriminals to combine and recombine old data sets, but the scale and the potential quantity of Social Security numbers—even if only a fraction of them were real—was striking.
“Every week, there’s another finding where it looks big on paper, but it's probably not very novel,” Pollock says, “So I was surprised when I started digging into the specific cases here to validate the data. In some cases, the identities in this data breach are at risk because they have been exposed, but they have not yet been exploited.”
The data was hosted by the German cloud provider Hetzner. Since Pollock could not identify an owner of the database to contact, he notified Hetzner on January 16. The company, in turn, said it notified its customer, which removed the data on January 21.
*snip*