TL;DR:
- 676 million indexed records containing U.S. identity data were found in an unsecured Elasticsearch database
- Full Social Security numbers alongside names, dates of birth, addresses, and phone numbers, completely searchable
- Database owner still unknown: SOCRadar couldn't identify who left this data exposed
- 91.7 GB of data sat open on port 9200 with zero authentication required
- 250 million related records had already appeared on criminal forums before this discovery
- Governance failure, not a hack: someone just forgot to set a password
What SOCRadar Found
Threat intelligence firm SOCRadar discovered an Elasticsearch server sitting on the open internet, no authentication required. Inside: 676 million indexed records containing U.S. identity data.
Not just names. Not just emails. The full package:
- Full legal names
- Complete Social Security numbers
- Dates of birth
- Street addresses
- Phone numbers
All of it searchable. All of it structured in a way that made it trivially easy to find a specific person's complete identity profile.
The database (91.7 gigabytes across nearly 677 million records) ran on Elasticsearch version 8.15.2 with port 9200 exposed. Anyone who found it could query it like a search engine for identity theft.
Who Owns This Data?
Nobody knows.
SOCRadar attempted to identify the database owner and coordinate remediation, but at the time of their report, the actual data owner hadn't been publicly identified. The instance appeared to be hosted by a third-party provider, but that's where the trail went cold.
This is actually worse than a named company getting breached. When there's a responsible party, you can demand answers. You can file complaints. You can sue. When 676 million records sit exposed and nobody will claim ownership? Good luck getting accountability.
How Many People Are Actually Affected?
The 676 million number is a record count, not a count of unique individuals. SOCRadar cautioned that the dataset likely includes duplicates and historical entries, with the same person appearing multiple times with different addresses over the years.
Their estimate: "tens to hundreds of millions of individuals" are represented. That's still potentially a third of the U.S. population or more.
SOCRadar validated samples from the dataset, including cross-referencing one record against publicly available obituary data to confirm the information was authentic. The records are real.
The Data May Already Be Gone
Here's the worst part: approximately 250 million related data entries had already appeared on criminal forums before SOCRadar even found this database.
That means portions of this data have been circulating among threat actors for who knows how long. Automated scanners run 24/7 looking for exactly this kind of exposed database. When they find one, they grab everything within minutes.
Even if the database gets secured today, the damage is done. You can't un-ring this bell.
Why SOCRadar Called This "Critical"
SOCRadar's CISO Ensar Seker explained why this exposure is so dangerous: "The operational risk is driven less by uniqueness and more by the presence of structured, searchable SSN-linked identity profiles."
Translation: Even if you only appear once in this database, that single record contains everything someone needs to become you. SSNs and dates of birth are "non-rotatable identifiers": you can't change them after they're exposed.
Password leaked? Change it. Email compromised? Get a new one. Social Security number exposed? You're stuck with it forever.
Not a Hack: Just Incompetence
This wasn't a sophisticated cyberattack. There was no exploit, no zero-day vulnerability, no nation-state hacker group.
Someone spun up an Elasticsearch database, loaded it with hundreds of millions of identity records, and never set a password. That's it.
SOCRadar characterized this as a governance failure: "failures in cloud asset visibility, access control enforcement, and external attack surface governance." In plain English: nobody was paying attention to what was exposed on the internet.
This keeps happening because there are no real consequences for companies that leave databases open. Breach notification letters, free credit monitoring for a year, maybe a fine that amounts to a rounding error. Then everyone moves on.
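The misconfiguration this section describes, an Elasticsearch 8.x node with authentication off and its REST port reachable from outside, can be caught by auditing `elasticsearch.yml` on your own hosts before deployment. The sketch below is an added example, not SOCRadar's tooling or anything from the exposed server; the sample configs are constructed, the finding names are hypothetical, and it assumes flat dotted keys with single values.

```python
import ipaddress

# Constructed sample configs (flat dotted keys); not taken from the exposed server.
SAMPLE_WEAK = """\
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
SAMPLE_HARDENED = """\
network.host: 10.0.4.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Read 'key: value' lines. Assumption: no nested YAML or list values."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_public_bind(host):
    """True if the bind address is a wildcard or a globally routable IP."""
    if host in ("0.0.0.0", "::", "_global_"):
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # _local_, _site_, or a hostname we cannot resolve offline

def audit(text):
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the REST API; the default is loopback.
    exposed = is_public_bind(s.get("http.host", s.get("network.host", "_local_")))
    # 8.x enables security by default, so only an explicit false turns auth off.
    auth_off = s.get("xpack.security.enabled", "true").lower() == "false"
    tls_off = s.get("xpack.security.http.ssl.enabled", "false").lower() != "true"
    checks = [("AUTH_DISABLED", auth_off), ("PUBLIC_BIND", exposed),
              ("CRITICAL_OPEN_REST_API", auth_off and exposed),
              ("HTTP_TLS_OFF", exposed and tls_off)]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK), audit(SAMPLE_HARDENED))
```

A wildcard bind is only as exposed as the firewall or security group in front of it, so treat `PUBLIC_BIND` as a prompt to check network controls rather than proof of exposure.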
What You Should Do
Without knowing who owns this database, there's no way to check if you're specifically affected. But given the scale (hundreds of millions of records), assume you might be and act accordingly:
- Freeze your credit at all three bureaus: Equifax, Experian, TransUnion. It's free and stops new accounts from being opened in your name.
- Get an IRS Identity Protection PIN: Prevents fraudulent tax returns filed with your SSN. Request one from the IRS.
- Monitor your credit reports: AnnualCreditReport.com offers free weekly access to all three bureaus.
- Watch for targeted phishing: With your address, phone, and DOB exposed, criminals can craft convincing scams. Verify any unexpected contact through official channels.
- Consider identity theft protection: Not the free post-breach kind, actual services that monitor your SSN usage and help you recover if something goes wrong.
The Pattern Continues
This is the second massive identity record exposure we've covered this year. Two weeks ago, IDMerit left 1 billion records in an unsecured MongoDB database. Before that, UpGuard found 2.7 billion SSNs sitting in an open Elasticsearch instance.
See the pattern? Companies aggregate massive amounts of identity data, store it in cloud databases, and then fail at the most basic security configuration. No authentication, no access controls, no monitoring to detect exposure.
Meanwhile, the individuals whose data gets exposed have no recourse. No notification (since nobody knows who owns the database). No credit monitoring offer. No class action settlement years from now. Just the knowledge that your SSN might be searchable in a criminal database forever.
Sources
- Biometric Update: Open Elasticsearch Server Exposes 676 Million US Identity Records
- Security Info Watch: Publicly Exposed Database Contains 676M U.S. Identity Records Including SSNs
- ID Tech: SOCRadar Discovers Open Elasticsearch Server Exposing 676 Million US Identity Records
- Mobile ID World: Newly Uncovered Open Server Exposes 676 Million US Identity Records Including SSNs
Published: March 4, 2026