Infutor Data Breach Reportedly Exposes Records of 676 Million Americans Including SSNs

A misconfigured Elasticsearch database has allegedly exposed the personal information of 676,798,866 Americans—roughly two records for every person in the United States. The breach reportedly includes full names, Social Security Numbers, dates of birth, address histories, and phone numbers. According to threat intelligence firm SOCRadar, the database was discovered exposed on March 3, 2026, and by March 8, 2026, a threat actor named “Spirigatito” posted the dataset on BreachForums, even sharing a sample of 15 million records online.

This article covers what happened, why it matters, what the data includes, and what victims should do next. The company behind the exposed database is Infutor, a consumer identity management and data resolution company that helps brands identify and verify customers. The timing raises additional concerns: Infutor was sold to marketing firm ActiveProspect by its parent company Verisk Analytics in January 2026—just weeks before the breach was discovered. As of now, Infutor and Verisk have not officially confirmed the breach through regulatory channels, making this an alleged rather than officially acknowledged incident.

How Large Is the Infutor Breach and What Data Was Exposed?

The scale of this breach is staggering. At 676,798,866 records spanning 91.7 gigabytes of data, the Infutor breach ranks among the largest data breaches in U.S. history. To put this in perspective, recent major breaches like the T-Mobile breach (2021, affecting 54 million customers) or the Equifax breach (2017, affecting 147 million people) affected far fewer individuals. The Infutor breach, if confirmed, would expose roughly 204% of the U.S. adult population in raw record counts—suggesting that Infutor maintained duplicate or outdated records on many people.

Each exposed record contains deeply personal information: full name, Social Security Number, date of birth, complete address history (not just current address), city, state, ZIP code, and phone number. This combination is particularly dangerous because SSNs combined with dates of birth and addresses enable identity theft, fraudulent credit applications, and targeted scams. An attacker possessing this information could impersonate victims to open lines of credit, file false tax returns, or commit medical identity theft. For context, a Social Security Number alone used to be less valuable for identity theft; now paired with the full data set Infutor exposed, it’s a complete identity toolkit.

How Did the Breach Happen? Understanding the Elasticsearch Misconfiguration

The breach stemmed from a fundamental security failure: an Elasticsearch database running version 8.15.2 was exposed directly to the public internet on port 9200 with no authentication required. Elasticsearch is a powerful search and analytics engine commonly used to index large datasets for quick retrieval. When properly configured, it requires authentication and sits behind firewalls. In this case, whoever deployed the Infutor database failed to implement these basic protections, leaving 676 million records exposed to anyone with an internet connection and knowledge that the database existed. The timeline is important. On March 3, 2026, SOCRadar’s automated scanning systems discovered the misconfigured database.

Rather than quietly reporting it to Infutor or following responsible disclosure practices, the finding appears to have been shared more broadly. By March 8, 2026—just five days later—a threat actor posted the full dataset on BreachForums, a dark web forum known for trading stolen data. The attacker didn’t just post a list of records; they shared a 15 million record sample publicly to prove the data’s authenticity and encourage buyers. This five-day window between discovery and public posting is critical because it means the data may have been in attackers’ hands for an unknown period before being formally announced, and copies likely circulate on the dark web already. A crucial limitation here: we don’t know exactly how long the database was exposed before SOCRadar found it. The misconfiguration could have existed for months or just days, and attackers may have been accessing it without detection long before March 3. This uncertainty makes it impossible to determine whether your data was accessed, when it might have been accessed, or by how many different actors.
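The misconfiguration described in this section (an 8.x node answering on port 9200 with no authentication) is the kind of setting an audit of elasticsearch.yml can flag before deployment. The sketch below is an added example, not code from Infutor, SOCRadar or Elastic: the two sample configs are constructed, the finding labels are made up for illustration, and it assumes flat dotted-key settings rather than nested YAML.

```python
import ipaddress
# Constructed sample configs (not taken from the incident), flat dotted-key style.
EXPOSED_YML = """
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_YML = """
network.host: 10.20.0.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse 'key: value' lines; skips comments, blanks and nested YAML."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_public_bind(host):
    """True if the bind address is a wildcard or a globally routable IP."""
    if host in ("0.0.0.0", "::", "_global_"):
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames and other special values are not judged here

def audit(text):
    """Return finding labels (hypothetical names) for risky settings."""
    s = parse_flat_yaml(text)
    findings = []
    # Security defaults to on in 8.x, so only an explicit opt-out is flagged.
    if s.get("xpack.security.enabled", "true").lower() == "false":
        findings.append("auth-disabled")
    if s.get("xpack.security.authc.anonymous.roles"):
        findings.append("anonymous-access")
    # http.host overrides network.host for the REST listener (port 9200).
    if is_public_bind(s.get("http.host", s.get("network.host", "_local_"))):
        findings.append("public-bind")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("http-tls-off")
    return findings
```

A config check like this complements, but does not replace, a firewall or security-group rule that keeps port 9200 off the public internet.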

Infutor Breach Scale Compared to Major U.S. Data Breaches (records exposed)

Infutor (2026): 676,798,866
Equifax (2017): 147,900,000
T-Mobile (2021): 54,000,000
Yahoo (2013): 3,000,000,000
Target (2013): 40,000,000

Source: State of Surveillance, ITRC, Published Breach Reports

What We Know About Infutor and Why the Timing Matters

Infutor is a consumer identity management company owned by Verisk Analytics. Its business is helping brands understand and identify customers—it aggregates public and semi-public data on millions of Americans and sells insights to marketing companies, financial institutions, and other enterprises. Infutor maintains what’s called a “data graph,” essentially a massive database of identity relationships linking phone numbers to addresses, SSNs to names, email addresses to credit histories, and more. The timing of this breach raises eyebrows.

In January 2026—just two months before the breach was discovered—Verisk Analytics sold Infutor to ActiveProspect, a consent-based marketing software company. ActiveProspect specializes in helping companies manage lead generation while staying compliant with telemarketing laws. The sale suggests Verisk wanted to offload Infutor’s significant data management and legal liability responsibilities. For context, maintaining a database of 676 million Americans’ SSNs and address histories creates enormous regulatory risk, especially under state data breach notification laws and privacy regulations like California’s CCPA. It’s unclear whether the security gaps existed before the sale, were created during the transition, or were inherited by ActiveProspect, but the timing raises questions about whether the handoff process included adequate security audits.

What Should Victims Do Right Now?

If your Social Security Number was exposed—and there’s roughly a 2-in-1 chance it was, given the scale of the database—you should take specific protective steps immediately. First, place a credit freeze with the three major credit bureaus: Equifax, Experian, and TransUnion. A credit freeze costs nothing and prevents anyone from opening new credit accounts in your name. You can place a freeze online at each bureau’s website; it takes about 15 minutes total and is the single most effective identity theft protection available. If you already have a freeze, verify it’s still active, because some freezes expire after a set period. Second, consider placing a fraud alert with one of the three bureaus (you only need to contact one, and they’ll alert the others).

A fraud alert is free and lasts one year; it requires lenders to verify your identity before opening new accounts, adding a delay that deters some identity thieves but is weaker than a credit freeze. Third, monitor your credit reports at all three bureaus using the free report available yearly at AnnualCreditReport.com. Check for accounts you don’t recognize, inquiries from companies you didn’t apply to, and address changes. However, credit monitoring is a reactive step—by the time fraud appears on your credit report, a crime has already been committed. Credit freezing is the proactive step that prevents the problem. Fourth, be extremely suspicious of any unsolicited calls, emails, or letters claiming to be from Infutor or offering credit monitoring services. Scammers commonly impersonate breached companies to phish victims or sell fake protection services.

Common Misconceptions About the Infutor Breach and What We Don’t Know

One critical fact to understand: as of the current date, Infutor and Verisk have not officially confirmed this breach through regulatory channels. No formal notification has been sent to state attorneys general, and no official company statement has been issued acknowledging that the breach occurred or that victims’ data was accessed. This is unusual for a breach of this magnitude. Federal law and most state laws require companies to notify affected individuals and regulators of data breaches without unreasonable delay. The fact that Infutor or Verisk has not made an official statement—despite public reporting and dark web activity—suggests either they’re still investigating, they dispute the breach occurred, or they’re building a response strategy. Until they confirm it officially, insurers and courts may dispute whether obligations have been triggered.

Another misconception: the 676 million record count does not necessarily mean 676 million unique American victims. Infutor’s database likely contains multiple records per person—old addresses, previous phone numbers, alternative identities, or records for people who died or moved. The actual number of unique individuals affected could be significantly lower, though still substantial. This doesn’t make the breach less serious, but it’s important for understanding the scale realistically. Additionally, not everyone in the database may have had their SSN exposed; the records Infutor maintains vary in completeness. However, the threat actor’s claim that the database includes SSNs suggests at minimum many millions of SSNs were exposed.

Law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP (CSK&D) is investigating potential class action lawsuits related to the breach. Class action suits in data breach cases typically allege that the company failed to implement adequate security measures and seek compensation for victims’ costs—credit monitoring, credit freezing services, identity theft insurance, and damages for the breach of privacy. However, class actions require official confirmation of the breach before they can proceed in most jurisdictions. Since Infutor has not yet formally confirmed the breach, no lawsuits have been filed and no settlements announced.

Once Infutor issues an official statement, class action filings typically follow within weeks. If you’re interested in joining a future class action, you don’t need to do anything now. Class members are automatically included unless they opt out, and notification of eligible class members is provided after settlement is reached. You’ll typically have the option to submit a claim for reimbursement of expenses or receive your share of a settlement fund. Keep detailed records of any costs incurred due to identity theft or fraud prevention—credit monitoring service fees, credit freeze costs, or time spent resolving fraudulent accounts—because these can sometimes be reimbursed under settlement terms.

Why This Breach Matters Beyond Individual Victims

The Infutor breach exemplifies a critical vulnerability in how American identity data is managed: concentrated, inadequately secured, and increasingly valuable to criminals. Infutor is not a typical e-commerce company that incidentally collected customer data. It’s a data company—its entire business model is aggregating and maintaining identity information on hundreds of millions of Americans. These companies operate with minimal public visibility and oversight because they don’t directly sell to consumers; they sell to other businesses. This creates a gap in accountability: consumers don’t know what data these firms hold, can’t typically see what’s stored about them, and have limited legal recourse if security fails. The breach also underscores how quickly data moves once stolen.

From March 3 discovery to March 8 public posting was just five days. Modern data breaches aren’t slow-motion disasters; they’re immediate. Once credentials or data samples appear on hacking forums, copies proliferate globally and remain in circulation for years. This is why proactive steps like credit freezing—which don’t rely on a company’s response time—are so critical. Looking forward, expect increased regulatory scrutiny of data brokers and companies that maintain large identity databases, particularly at the state level where privacy laws are tightening. However, until federal data privacy legislation passes, the patchwork of state laws will continue to create gaps that companies like Infutor can exploit.

Conclusion

The alleged Infutor breach exposing 676 million Americans’ SSNs, addresses, and personal data represents one of the largest data breaches in U.S. history. The incident stemmed from a completely unprotected Elasticsearch database, discovered on March 3, 2026, and shared on dark web forums by March 8. While Infutor and Verisk have not officially confirmed the breach, the evidence from security researchers and threat actors is substantial.

For anyone concerned their data was exposed, the most important action is to place a credit freeze with the three major credit bureaus—this free step prevents most identity theft, while credit monitoring only detects it after the fact. As this situation develops, watch for official confirmation from Infutor, class action lawsuits from CSK&D, and regulatory notifications from state attorneys general. Keep your credit frozen, monitor your credit reports for suspicious activity, and stay alert for scams impersonating Infutor. This breach highlights why data brokers pose outsized risk in the American financial system: they hold identity data for hundreds of millions of people with minimal accountability, little public visibility, and, as this breach demonstrates, sometimes inadequate security controls. Your best defense is taking control of what you can control—your credit access and your awareness.
