676 Million Americans' SSNs Are on the Dark Web — Infutor Left 91.7 GB Exposed with No Password

Elasticsearch is an open-source search and analytics engine widely used for large-scale data indexing. By default, Elasticsearch 8.x requires authentication — but misconfiguration remains alarmingly common. In Infutor's case, the database was reachable on port 9200 with no password, no IP allowlisting, and no TLS encryption requirement. Any actor who discovered the server URL could execute a single HTTP GET request to enumerate the indices and download every record.

Automatic discovery of misconfigured databases is a mature criminal capability. Services like Shodan and Censys continuously index open internet ports and their associated service banners, making every unprotected Elasticsearch instance discoverable within hours of exposure. Threat actors operate automated scrapers that query these services daily for newly exposed databases meeting high-value criteria — large record counts, presence of fields named 'ssn', 'social_security', 'dob', or 'address_history'. An Elasticsearch server containing 676 million identity records with SSN fields would appear as an extremely high-value target within hours of becoming discoverable.

SOCRadar's discovery on March 3 does not represent the earliest possible discovery — it represents the earliest known documented discovery. The server may have been open for days, weeks, or longer before SOCRadar flagged it. Critically, Elasticsearch does not natively log unauthenticated access attempts against an open server — there may be no way for Infutor or Verisk to determine how many actors accessed the database before it was secured, or for how long. The gap between when Spirigatito's BreachForums post appeared (March 8) and when SOCRadar flagged the server (March 3) suggests the harvesting happened in this window, but earlier access cannot be ruled out.

The exposed Infutor Elasticsearch database contained 676,798,866 records — more than twice the current US adult population. The record count exceeds the number of living Americans because the dataset includes deceased individuals, historical records for individuals who have moved, and in some cases multiple records per individual across different data vintages. Security researchers describe the data quality as 'broker-grade' — meaning records are regularly verified and enriched by the commercial customers who purchase them, not scraped and left to decay.

Each record includes: full legal name; complete Social Security number (nine digits, unmasked); date of birth; current address; and address history spanning decades of residential moves. Phone number fields appear in a significant proportion of records. The presence of historical address data is particularly dangerous for identity verification systems that use 'knowledge-based authentication' — the 'what street did you live on in 2009?' questions used by banks, the IRS, and government agencies. With complete address histories, an attacker can answer these questions as if they were the genuine account holder.

Infutor serves industries including insurance underwriting, consumer finance, higher education enrollment, and real estate. If you are a US resident who has ever applied for auto insurance, a mortgage, a student loan, or a credit card, there is a high probability that your data passed through Infutor's systems and appears in this dataset. Infutor's own documentation states the company maintains identity records on 'virtually every US consumer.'

On March 8, 2026, a BreachForums user operating under the handle 'Spirigatito' published a thread titled 'United States — Infutor Consumer Identity Management Platform — 676,798,866 Records' with samples confirming the data's authenticity. The post included field-level confirmation of SSN, DOB, and address data across multiple sample records, and offered the full 91.7 GB dataset for download. Dark web intelligence trackers documented the posting spreading to Telegram criminal channels and secondary forums within hours.

BreachForums operates as the primary English-language marketplace for stolen data following a series of law enforcement seizures of predecessor forums. Despite FBI takedown operations, the forum has rebooted multiple times — in January 2026, the BreachForums database itself was breached, exposing over 324,000 registered users in an incident covered across threat intelligence feeds. The January 2026 BreachForums leak demonstrated that even the forum's own operational security is compromised. Separately, the [Amtrak breach we reported on April 19](/blog/amtrak-shinyhunters-salesforce-breach-9-million-records) was also listed on BreachForums by the ShinyHunters group — illustrating how the forum functions as the primary publication venue for exfiltrated data across multiple threat actors.

The Spirigatito handle has no documented prior activity in threat intelligence reporting before the Infutor post, suggesting either a new actor or an established actor operating under a fresh alias. The name references a first-stage evolution Pokémon character — a common pattern in criminal forum naming conventions that blends mundane pop-culture references with anonymity. Verification of the sample records by multiple independent researchers confirmed the data is genuine Infutor output, not a fabricated dump.

Unlike traditional intrusion-based breaches where network IOCs (IP addresses, domains, hashes) are actionable for defenders, the Infutor exposure is a data-at-rest breach where the harm manifests in downstream identity fraud rather than network activity. The relevant indicators are personal identity misuse signals, not network artifacts.

Key identity fraud signals to monitor following the Infutor exposure: unexpected credit inquiries from financial institutions you have not contacted; new accounts appearing on credit reports you did not open; IRS notices about duplicate tax filings or unexpected tax returns in your name; Social Security Administration alerts about earnings you did not record (visible at ssa.gov/myaccount); health insurance explanation-of-benefits statements for services you did not receive; and collection notices for debts on accounts you never opened.

For organisations, the Infutor dataset significantly amplifies the risk of spear-phishing attacks targeting employees. A threat actor with name, employer address, and SSN for a target can craft highly credible pretexting scenarios impersonating the IRS, Social Security Administration, health insurers, or financial institutions — all using details that appear to verify the caller's legitimacy.

The 2024 National Public Data breach — which exposed 2.9 billion records — generated significant coverage, yet downstream identity fraud from that incident was lower than the scale suggested. The reason is data quality. NPD aggregated records from public sources, voter rolls, and court records with limited verification. Many records were duplicate, outdated, or contained partial SSNs. The Infutor dataset is structurally different.

Data brokers like Infutor are paid by insurance companies, mortgage lenders, and financial institutions specifically because their records are accurate and current. These companies run identity verification checks that depend on Infutor data being right. Every Infutor SSN in the dataset has been used for a real-world transaction within a system that required it to be valid. This means the Infutor dataset has an unusually high 'hit rate' for fraud: a random record from the Infutor dump is far more likely to enable successful identity fraud than a random record from a scraped compilation.

The [ShinyHunters McGraw-Hill breach](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million) we covered previously exposed 13.5 million student and educator records — significant but bounded to a specific population. The Infutor dataset spans virtually every adult American who has participated in the formal financial system over the past several decades. The attack surface is not a company's customers — it is the American population itself.

The data broker ecosystem creates a structural amplification risk that individual breach notifications cannot address. Infutor sold this data to dozens of downstream buyers in insurance, finance, and real estate. Those buyers integrated it into their own systems. The Infutor exposure means that in addition to the direct BreachForums listing, criminal actors who purchase or inherit this data can use it to reverse-engineer downstream business datasets — a multiplier effect that extends the breach impact far beyond Infutor's own customer base.

Because the Infutor dataset contains SSNs that cannot be changed, remediation is not about reversing the exposure — it is about making the exposed data useless to fraudsters. The seven steps below represent the most effective personal mitigation actions available. None of them require waiting for Infutor or Verisk to issue a formal notification. Every US resident should complete these steps regardless of whether they believe they are specifically in the dataset.

The Infutor data breach exposes a structural vulnerability in the American identity system: we have outsourced our most sensitive personal identifiers to an industry that is not required to secure them, does not notify the individuals affected when it fails, and whose errors cannot be corrected because Social Security numbers cannot be changed. The 676 million records on BreachForums represent the complete identity toolkit for virtually every American who has participated in the formal financial system — and most of them do not know it yet. Freeze your credit today. Get an IRS Identity Protection PIN today. Create your SSA account today. These three actions cost nothing and make the Infutor dataset useless for the frauds it most enables. Do not wait for Infutor or Verisk Analytics to tell you to do this.