TL;DR: In the week of January 12, 2026, UpGuard researchers discovered an Elasticsearch database sitting completely open on German hosting provider Hetzner. No password. No authentication. No encryption. Inside: approximately 2.7 billion records containing Social Security numbers and 3 billion email-password combinations. The data appears to be compiled from multiple previous breaches: the 2015 OPM hack, the 2024 National Public Data breach, and others. UpGuard reported it to the FBI on January 16. Hetzner shut down access on January 21. The researchers verified the data was real by checking SSNs against people they knew personally. About a quarter of the SSNs checked out. The raw number likely includes duplicates, but even accounting for that, we're talking tens to hundreds of millions of unique identities.
No Lock on the Door
The database was sitting there. Anyone with an internet connection could have found it.
UpGuard's security team stumbled on it during routine internet scanning in mid-January 2026. What they found was an Elasticsearch instance (a type of database commonly used for searching large datasets) with absolutely no security [1].
No password requirement. No authentication layer. No encryption. The digital equivalent of leaving a filing cabinet containing every American's Social Security number in a public park.
The database contained two indexes: one labeled "ssn" and another labeled "ssn2." Each held millions of records [1]. The data included:
- Social Security numbers
- Email addresses
- Plaintext passwords
- Names
- Physical addresses
No encryption on the passwords. Just sitting there in plain text for anyone to read.
They Checked If It Was Real
Here's the part that should worry you: UpGuard's researchers verified the data was legitimate.
"Every week, there's another finding where it looks big on paper, but it's probably not very novel," said Greg Pollock, UpGuard's research director. "So I was surprised when I started digging into the specific cases here to validate the data" [2].
The team cross-checked SSNs against people they knew personally. About a quarter of the Social Security numbers they checked were accurate. They also identified over 1.45 million unique SSNs and more than 1 million unique name combinations in their 2.8 million record sample [3].
The raw totals (2.7 billion SSN records, 3 billion email-password pairs) almost certainly include massive duplication. But even if 90% are duplicates, you're still looking at hundreds of millions of unique identities exposed on an unprotected server.
Where Did This Data Come From?
UpGuard's analysis suggests the database was compiled from multiple previous breaches, stitched together into a single searchable collection [1].
The likely sources include:
- The 2015 OPM breach: 21.5 million federal employees' background check records stolen
- The 2024 National Public Data breach: 2.7 billion records with SSNs leaked, similar to this dataset
- Other major breaches: The aggregated nature suggests multiple sources
The researchers used an unusual technique to date the data: password analysis. They looked at cultural references embedded in people's password choices and found a high frequency of "One Direction," "Fall Out Boy," and "Taylor Swift" references, and more passwords containing "obama" than "trump." The patterns suggest much of the underlying data originated around 2015-2016 [2][3].
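The sketch below illustrates that kind of term-frequency analysis. It is an added example, not UpGuard's tooling: the substitution table, function names and sample passwords are assumptions made for illustration, and only the search terms come from the article.

```python
from collections import Counter

# Terms the article says showed up in the password analysis.
TERMS = ["onedirection", "falloutboy", "taylorswift", "obama", "trump"]

# Simple character substitutions to undo before matching (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})

def normalize(password):
    """Lowercase, undo simple substitutions, keep letters only."""
    text = password.lower().translate(LEET)
    return "".join(ch for ch in text if ch.isalpha())

def term_counts(passwords, terms=TERMS):
    """Count how many passwords contain each term after normalization.

    Substring matching over-counts (e.g. 'trumpet' matches 'trump'), so the
    result is a rough signal to compare between terms, not an exact figure.
    """
    counts = Counter({t: 0 for t in terms})
    for pw in passwords:
        norm = normalize(pw)
        for t in terms:
            if t in norm:
                counts[t] += 1
    return counts

def compare(counts, a, b):
    """Share of term a among passwords mentioning a or b; None if neither appears."""
    total = counts[a] + counts[b]
    return counts[a] / total if total else None

# Constructed sample for illustration, not real breach data.
SAMPLE = [
    "OneDirection2015", "0ned1rection!", "fall_out_boy4ever", "TaylorSwift13",
    "t@ylorsw1ft", "Obama2012", "0bama08", "obama4prez", "trump2016",
    "hunter2", "qwerty123", "letmein",
]

if __name__ == "__main__":
    counts = term_counts(SAMPLE)
    for term, n in counts.most_common():
        print(f"{term:14s} {n}")
    print("obama share of obama+trump:", compare(counts, "obama", "trump"))
```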
Old data. But SSNs don't change. If your SSN was in the OPM breach, it's still your SSN now.
Who Left This Open?
UpGuard traced the database to German hosting provider Hetzner, but couldn't identify who was responsible for creating it [1].
The server could have belonged to:
- A threat actor: Someone who compiled breach data and forgot to lock the door
- An amateur "threat intelligence" vendor: Someone collecting breach data for "research" with terrible security
- A criminal marketplace: A data broker who got sloppy
The irony isn't lost: whoever compiled billions of stolen records apparently didn't know how to secure a database. The thieves got robbed.
The Response
UpGuard reported the exposure to the FBI's Internet Crime Complaint Center (IC3) on January 16, 2026. Five days later, on January 21, Hetzner removed public access to the database [1].
That's the good news: the exposed database is no longer accessible.
The bad news: UpGuard found no evidence the database had been accessed by criminals before they discovered it, but they also couldn't rule it out. The database had been sitting there with no logging of who accessed it. For all we know, every identity thief with basic internet skills already downloaded a copy.
Why Does Old Data Still Matter?
You might think: these are breaches from 2015 and 2024. Old news.
It's not. Social Security numbers are permanent. Unlike passwords or credit card numbers, you can't change your SSN after a breach (with rare exceptions for fraud victims). Every breach that exposes SSNs creates permanent risk.
And criminals don't just use breach data once. They combine datasets, enriching records with additional information from new breaches. That 2015 OPM data? It's been merged with employment records, credit files, healthcare data, and now this massive password collection. Each breach makes the picture more complete [4].
This is the "zombie data" problem. Old breaches keep coming back because the underlying data never expires.
What You Can Do
Since there's no way to know whose data was in this specific database, treat it as if yours was included:
- Freeze your credit. All three bureaus: Equifax (800-349-9960), Experian (888-397-3742), TransUnion (888-909-8872). It's free and prevents anyone from opening accounts in your name.
- Get an IRS Identity Protection PIN. File at IRS.gov. This prevents tax fraud using your SSN.
- Check if your passwords leaked. Use Have I Been Pwned to check if your email appears in known breaches. If so, change passwords immediately, and never reuse them.
- Use a password manager. If your 2015 password is in this database, every site where you used that password is compromised. A password manager creates unique passwords for each site.
- Enable two-factor authentication everywhere. Even if your password is exposed, 2FA blocks most account takeovers.
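For the password check, Have I Been Pwned also runs a Pwned Passwords range endpoint that lets you test a password without sending it, or even its full hash, anywhere. The sketch below is an added example that goes slightly beyond the email lookup mentioned above; it is not code from the article or from Have I Been Pwned, the function names are assumptions, and the demo runs offline against a constructed response.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def split_hash(password):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of the SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_body):
    """Find the password's hash suffix in a range response ('SUFFIX:COUNT' per line)."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed: not in the corpus

def fetch_range(prefix):
    """Fetch the live response. Only the 5-character prefix leaves the machine."""
    req = Request(RANGE_URL + prefix,
                  headers={"User-Agent": "pwned-check-example",
                           "Add-Padding": "true"})  # pads responses to hide their size
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_response(listed, count):
    """Offline stand-in for a range response (constructed, not real API data)."""
    _, suffix = split_hash(listed)
    filler = hashlib.sha1(b"filler").hexdigest().upper()[5:]
    return f"{filler}:2\r\n{suffix}:{count}\r\n"

if __name__ == "__main__":
    body = constructed_response("password", 42)  # swap in fetch_range(prefix) for a live check
    for pw in ("password", "a-long-unique-passphrase-from-a-manager"):
        prefix, _ = split_hash(pw)
        print(prefix, breach_count(pw, body))
```

Any nonzero count means the password has appeared in a breach corpus and should be retired everywhere it was used.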
The Pattern
This exposure is different from a traditional breach. No company got hacked. No attacker broke in. Someone just left the door wide open on billions of records that had already been stolen.
That's almost worse. It means breach data is being aggregated, compiled, and stored in ways that make it even more dangerous, and the people handling it can't be trusted to implement basic security.
Your Social Security number has probably been exposed multiple times by now. The question isn't whether you've been breached. It's whether you've protected yourself against the consequences.
Credit freeze. IRS PIN. Password manager. 2FA everywhere. These aren't optional anymore.
Sources
- [1] UpGuard: Social Insecurity: Billions of Social Security Numbers and Passwords (January 2026)
- [2] 9to5Mac: Millions of passwords and Social Security numbers exposed as old hacks remain a threat (February 19, 2026)
- [3] CyberInsider: Exposed database leaks 2.7 billion SSNs and 3 billion passwords (February 19, 2026)
- [4] Fox News: 2.7 billion records leaked in massive US data breach (February 2026)
Published: February 27, 2026