Publicly Exposed Database Contains 676M U.S. Identity Records Including SSNs

Threat intelligence firm SOCRadar identified the publicly accessible Elasticsearch instance, which it said held indexed U.S. identity records — including full SSNs — and classified the exposure as critical due to its scale and searchable structure.
March 3, 2026
The exposed Elasticsearch cluster was accessible without authentication, allowing structured identity records to be searched and retrieved, according to SOCRadar.

A publicly accessible Elasticsearch database containing approximately 676 million indexed U.S. identity records — including full Social Security numbers — was recently identified by threat intelligence firm SOCRadar, which categorized the exposure as “critical” severity due to its scale and the presence of structured, searchable identity attributes.

Elasticsearch is a widely used cloud-based data indexing and search platform that enables large datasets to be structured and quickly queried; when deployed without authentication, it can be accessed and searched by anyone who discovers the exposed service.

According to SOCRadar’s technical report, the database was exposed without authentication and contained structured records including full names, dates of birth, street addresses, phone numbers and SSNs. The total dataset size was approximately 91.7 GB.

Unique individuals likely far fewer than record count

While the raw index contained 676 million entries — a number exceeding the current U.S. population — SOCRadar officials cautioned that the figure does not represent unique individuals.

Ensar Seker, CISO at SOCRadar, told SecurityInfoWatch the dataset likely includes duplicate records, historical address tracking and multi-source aggregation.

“We are not confident that the 676 million indexed entries represent unique individuals,” Seker said. “The record count exceeding the U.S. population strongly indicates duplicate records, historical address tracking or multi-source aggregation.”

He added that the dataset likely represents “tens to hundreds of millions of individuals, but not 676 million distinct persons.”

Even so, Seker emphasized that uniqueness is not the primary risk driver.

“The operational risk is driven less by uniqueness and more by the presence of structured, searchable SSN-linked identity profiles,” he said.

Unlike routine data leaks involving email addresses or phone numbers, this exposure included non-rotatable identifiers such as SSNs and full dates of birth — data that cannot be easily changed once compromised.

Exposure assumed accessible upon discovery

SOCRadar said the database was accessible via an open Elasticsearch service without authentication controls. According to Seker, publicly exposed instances of this type are routinely discovered by automated threat actor scanning infrastructure.

“Open Elasticsearch services are continuously scanned by automated threat actor infrastructure,” Seker said. “These systems are indexed and flagged rapidly once exposed.”

While the company did not confirm evidence of logged exfiltration, Seker said the working assumption in cases of unauthenticated public exposure is that access may have occurred.

“In exposures of this nature, the absence of proof of access should not be interpreted as proof of non-access,” he said.

The firm also noted that prior underground discussions have referenced large U.S. identity datasets, suggesting that similar or partial records may already be circulating in fraud ecosystems.

Governance failure, not software vulnerability

Seker characterized the incident not as a zero-day exploit or software flaw, but as a governance breakdown.

“This incident reflects systemic governance weaknesses rather than a simple configuration error,” he said.

According to SOCRadar, recurring exposures of Elasticsearch instances typically stem from failures in cloud asset visibility, access control enforcement and external attack surface governance. When deployed without authentication, network segmentation or monitoring controls, Elasticsearch can effectively function as a publicly searchable identity repository.
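The two deployment conditions the report keeps returning to, an Elasticsearch node bound to a network interface with security disabled, are settings an operator can check mechanically. The following audit function is an added example written for this article; it is not SOCRadar's tooling or anything from the Elastic project. It takes the dotted keys of an elasticsearch.yml (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.authc.anonymous.roles`, all real settings) and flags the combinations that turn a cluster into the "publicly searchable identity repository" described above. The two sample configurations and the `security_default` handling (security is off by default on 7.x and on by default on 8.x) are assumptions made for illustration.

```python
"""Audit a flattened elasticsearch.yml for settings that make a cluster
publicly searchable.  Constructed example; the configs below are made up."""

# Bindings Elasticsearch keeps on the local host. "_local_" is the special
# value for loopback addresses. Assumption: this list is not exhaustive.
LOCAL_BINDINGS = {"_local_", "localhost", "127.0.0.1", "::1"}


def _as_bool(value, default: bool) -> bool:
    """Interpret a YAML-ish setting value; unset falls back to `default`."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "1"}


def audit_elasticsearch_config(settings: dict, security_default: bool = False) -> list[str]:
    """Return findings for one node's settings (dotted elasticsearch.yml keys).

    security_default is what an unset xpack.security.enabled means: False on
    7.x, True on 8.x (assumption: caller passes the value for their version).
    """
    findings = []
    hosts = settings.get("network.host", "_local_")
    if isinstance(hosts, str):
        hosts = [h.strip() for h in hosts.split(",")]
    non_local = [h for h in hosts if h not in LOCAL_BINDINGS]
    security_on = _as_bool(settings.get("xpack.security.enabled"), security_default)

    # The condition in the article: reachable from the network and no auth.
    if non_local and not security_on:
        findings.append(
            f"CRITICAL: HTTP API bound to {non_local} with security disabled; "
            "anyone who can reach the port can search every index without credentials"
        )
    elif not security_on:
        findings.append("HIGH: xpack.security.enabled is false; cluster is unauthenticated even though bound locally")

    # Network-reachable without TLS leaks credentials and records in transit.
    if non_local and not _as_bool(settings.get("xpack.security.http.ssl.enabled"), False):
        findings.append("MEDIUM: HTTP API is network-reachable without TLS")

    # Anonymous roles reintroduce unauthenticated access even with security on.
    anon = settings.get("xpack.security.authc.anonymous.roles")
    if anon:
        findings.append(f"HIGH: anonymous requests are granted roles {anon}")
    return findings


# Constructed: the kind of node the report describes (open to the network, no auth).
EXPOSED = {
    "cluster.name": "identity-index",
    "network.host": "0.0.0.0",
    "http.port": 9200,
    "xpack.security.enabled": False,
}

# Constructed: the same node hardened (still reachable, but authenticated and encrypted).
HARDENED = {
    "cluster.name": "identity-index",
    "network.host": "10.0.4.12",
    "http.port": 9200,
    "xpack.security.enabled": True,
    "xpack.security.http.ssl.enabled": True,
    "xpack.security.transport.ssl.enabled": True,
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_elasticsearch_config(cfg) or ["no findings"])
```

Run against the constructed configs, the exposed node produces a CRITICAL and a MEDIUM finding while the hardened node produces none. Feeding every node's settings through a check like this on each deploy, rather than once at build time, is the "continuous configuration governance" the report contrasts with a one-off configuration error.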

“At this scale, the root issue is not a software vulnerability,” Seker said. “It is a failure of continuous configuration governance.”

About the Author

Rodney Bosch

Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].
