A data-privacy study by UpGuard reveals a publicly accessible database in January containing roughly 3 billion email addresses and passwords, and about 2.7 billion records with Social Security numbers, suggesting data aggregated from multiple historic breaches and potentially dating back to around 2015.

Some individuals whose data appeared in the leak were contacted by UpGuard, and many had not yet experienced identity theft, underscoring that exposure does not always translate to immediate misuse.

The article highlights two reasons old data remains dangerous: credential reuse across sites and SSNs as long-lived identifiers that attackers prize for identity theft, illustrating the long tail of risk from past breaches.

A significant portion of sampled SSNs appeared likely valid (about one in four), suggesting a sizable number of real identities at risk, though the sample cannot be extrapolated to the entire dataset.

The data was hosted on the German cloud provider Hetzner, which removed the data after UpGuard notified them in mid-January and the customer removed it a few days later; Hetzner did not provide comment for publication.

UpGuard analyzed a sample of 2.8 million records to infer trends, noting password references to One Direction, Fall Out Boy, and Taylor Swift, with earlier US-centric patterns and growing mentions of groups like Blackpink, Katseye, and BTS Army, indicating data age and origin.

Experts warn that such large, mixed datasets can linger as 'land mines,' with data handling failures creating privacy and security risks for decades, echoing the ongoing impact of breaches like OPM in 2015 and Equifax in 2017.