On March 3, 2026, threat intelligence firm SOCRadar discovered a publicly accessible Elasticsearch database containing 676,798,866 indexed identity records - including full Social Security numbers, names, dates of birth, addresses, and phone numbers for hundreds of millions of Americans.
The database ran Elasticsearch 8.15.2 on port 9200 with authentication completely disabled, requiring no credentials to access 91.72 GB of consumer identity data. SOCRadar published its findings the same day but could not identify the data owner.
Five days later, threat actor "Spirigatito" posted the entire dataset on BreachForums, explicitly thanking SOCRadar's article for enabling the download.
Security researchers subsequently attributed the data to Infutor - a consumer identity resolution platform sold by Verisk Analytics to ActiveProspect just eight weeks earlier, in January 2026. Neither Infutor, Verisk, nor ActiveProspect has issued a public statement, offered credit monitoring, or filed breach notifications as of March 25. At least three law firms have launched class action investigations.
If verified as unique individuals, this represents the largest single-source SSN exposure in US history.
KEY FACTS
- What: Misconfigured Elasticsearch database exposed 676M consumer identity records including full SSNs, with no authentication required.
- Who: Infutor Data Solutions (sold by Verisk to ActiveProspect January 8, 2026) - a data broker serving insurance, finance, education, and real estate sectors.
- How: Elasticsearch 8.15.2 running on port 9200 with xpack.security explicitly disabled. No network segmentation. No encryption at rest.
- Data: Full Social Security numbers, full names, dates of birth, complete address histories, phone numbers. Includes living and deceased individuals.
- Actor: Spirigatito - a BreachForums actor also linked to Shaparak (Iran, 168M records), LifesHub (Brazil, 257M records), Safran Group supply chain (France), and BRELA (Tanzania) data thefts.
- Scale: 676,798,866 indexed records across 91.72 GB. Actual unique individuals estimated in the tens to hundreds of millions. ~250 million related records had already been circulating on underground forums prior to this disclosure.
- Response: No public statement from Infutor, Verisk, or ActiveProspect. No breach notifications filed. No credit monitoring offered. Three law firms investigating class actions.
WHAT HAPPENED
Infutor Data Solutions was founded in 2003 as a family-owned consumer data company in Oakbrook Terrace, Illinois.
Norwest Venture Partners acquired the company in 2016 and invested in professionalizing operations - Infutor was named to the Inc. 5000 for six consecutive years, achieving a 68% three-year growth rate by 2021. Over two decades, it assembled what it called the TrueSource Identity Graph - 266 million consumer profiles across 120 million US households, built from public records spanning 3,000+ counties, property transactions, vehicle data, point-of-sale records, and commercial data partnerships.
The company also maintained a Consumer Referential Database of 460+ million historical records with 1.3 billion address entries. Verisk Analytics acquired Infutor in February 2022 for $223.5 million, merging it with Jornaya to form Verisk Marketing Solutions.
On January 8, 2026, Verisk sold the combined unit to ActiveProspect, a consent-based marketing platform backed by Five Elms Capital. The sale closed approximately eight weeks before the exposure was discovered.
On March 3, 2026, SOCRadar's automated external attack surface monitoring identified a publicly accessible Elasticsearch instance running version 8.15.2 on the default port 9200.
Elasticsearch security (xpack.security), which has been enabled by default since version 8.0, had been explicitly disabled in the configuration.
SOCRadar validated data samples by cross-referencing records against publicly available obituary databases, confirming the data was authentic and contained records of both living and deceased individuals. The dataset spanned 91.72 GB across 676,798,866 indexed records.
SOCRadar rated the exposure as critical severity and initiated responsible disclosure procedures, including outreach to identify the data owner and hosting provider.
The critical problem: SOCRadar could not identify the data owner at the time of publication. The Elasticsearch instance appeared to be hosted by a third-party infrastructure provider, with no clear ownership attribution.
SOCRadar published its findings on March 3 to raise awareness - but the database remained publicly accessible and unsecured.
Five days later, on March 8-9, a threat actor operating under the handle "Spirigatito" posted the complete dataset on BreachForums alongside a 15 million record sample for verification.
The forum post stated: "The breach includes 676 798 866 unique citizens americans (including deceased persons)." The dataset circulated rapidly across dark web channels within hours.
Security community analysis subsequently attributed the data to Infutor based on the data structure, field composition, and volume matching Infutor's known data holdings.
SOCRadar's analysis also revealed that approximately 250 million related data entries had previously been observed circulating on hacker forums, suggesting that portions of the database had been discovered and exfiltrated by other actors before SOCRadar's own identification on March 3. One class action investigation references an unauthorized access window between June 23 and July 15, 2025 - if accurate, this places the initial exposure during Verisk's ownership, approximately eight months before public discovery.
THREAT ACTOR
Spirigatito is an opportunistic data broker active on BreachForums since at least November 2025, specializing in large-scale database exfiltration across diverse geographies.
Prior attributed campaigns include: Iran's Shaparak national payment network (November 2025 - 168 million payment records including national IDs, bank cards, and credentials across 55 GB); Brazil's LifesHub (February 16, 2026 - 257 million records); French aerospace manufacturer Safran Group (February 10, 2026 - 718,000+ lines of supply chain data listed for sale, though Safran denied a direct breach and attributed the exposure to a third-party provider); and Tanzania's BRELA government business registry (February 4, 2026 - 10.2 million records representing the entire national corporate registry).
The Infutor exfiltration required no technical exploitation.
Spirigatito located the exposed Elasticsearch instance using information published in SOCRadar's March 3 report, downloaded the dataset without authentication, and posted it on BreachForums within five days alongside a 15 million record sample.
This is not a sophisticated APT operation - it is an opportunistic actor exploiting a publicly documented misconfiguration that the data owner had not yet secured.
WHAT WAS EXPOSED
- 676,798,866 indexed records - exceeding the current US population (~335 million), indicating the dataset includes historical, duplicate, and deceased-individual entries accumulated over Infutor's 23-year history of consumer data aggregation
- Full Social Security numbers - the single most sensitive and least changeable piece of American identity data. A compromised SSN follows its owner for life, enabling credit fraud, tax fraud, medical identity theft, and synthetic identity creation
- Full legal names and dates of birth - completing the identity theft triad required to open accounts, file false tax returns, and impersonate victims in government systems
- Complete address histories - street address, city, state, and ZIP code. Historical addresses enable knowledge-based authentication bypass
- Phone numbers - enabling SIM-swap attacks, targeted vishing, account recovery abuse, and multi-factor authentication interception
- Demographic profiles assembled from 3,000+ county public records, property transactions, vehicle data, point-of-sale records, and commercial data partnerships spanning 30+ years
The 676 million record count aligns with Infutor's own data holdings: 266 million active consumer profiles plus 460+ million historical records in the Consumer Referential Database.
Most affected individuals have no direct relationship with Infutor and no awareness that their data was held by this company.
TECHNICAL FAILURE CHAIN
Failure 1 - Security Explicitly Disabled on Elasticsearch 8.x: The database ran Elasticsearch version 8.15.2. Elasticsearch 8.x ships with security enabled by default, requiring authentication out of the box. This instance had xpack.security.enabled set to false in the configuration.
This is not a "misconfiguration" in the traditional sense - it is the deliberate disabling of a security control that was on by default.
Failure 2 - Port 9200 Exposed to Public Internet: The Elasticsearch instance was directly accessible on the default port 9200 from any IP address on the internet. No firewall rules, no VPN requirement, no IP allowlisting, and no cloud security group restricting access.
Failure 3 - No Network Segmentation: The database was not isolated in a private network segment. Basic architecture would place a database of this sensitivity behind multiple network layers - private subnet, VPN, and application-layer proxy at minimum. None existed.
Failure 4 - No Encryption at Rest: SSNs and other sensitive fields were stored in cleartext within the Elasticsearch index. Field-level or index-level encryption would have rendered the data useless even if accessed by unauthorized parties.
Failure 5 - No External Attack Surface Monitoring: The exposure persisted long enough for ~250 million records to circulate on underground forums and for SOCRadar to discover it externally.
The data owner's own security operations did not detect a 91.72 GB database sitting open on the public internet.
Failure 6 - Ownership Transition Without Security Audit: Verisk sold Infutor's data infrastructure to ActiveProspect in January 2026. Neither the seller's nor buyer's due diligence process appears to have identified a publicly accessible Elasticsearch instance containing 676 million SSNs.
Standard M&A security assessments include external attack surface scanning - this failure suggests the scan either was not performed or its results were not acted upon.
Failure 7 - Responsible Disclosure Enabled Exfiltration: SOCRadar discovered the exposure on March 3 and published its findings before the data owner was identified or the database was secured.
Within five days, Spirigatito used SOCRadar's publication to locate and download the entire dataset.
This highlights a systemic gap in responsible disclosure: when the data owner cannot be identified, publishing exposure details creates a race condition between remediation and exploitation.
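As an added example (not SOCRadar's, Infutor's or ActiveProspect's tooling), the following audit of an elasticsearch.yml flags the two settings behind Failures 1 and 2, which is the kind of configuration drift check the advisory below calls for. Both sample configurations are constructed, and the list of all-interface bind values is an assumption.

```python
from typing import Dict, List

# network.host values that bind the HTTP API to every interface (assumed list;
# _global_ is Elasticsearch's "any globally routable address" placeholder).
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means no drift from the 8.x defaults."""
    findings: List[str] = []
    # Failure 1: security explicitly off (absent key means on since 8.0).
    if settings.get("xpack.security.enabled", "true").lower() == "false":
        findings.append("xpack.security.enabled=false: every index readable "
                        "without credentials")
    # Failure 2: HTTP API bound to all interfaces on the default port.
    host = settings.get("network.host", "_local_")
    port = settings.get("http.port", "9200")
    if host in PUBLIC_BINDS:
        findings.append(f"network.host={host}: HTTP API listens on every "
                        f"interface, port {port}")
    return findings


# Constructed samples matching the failure chain above; not the real config.
EXPOSED_CONFIG = """
cluster.name: identity-graph
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
cluster.name: identity-graph
network.host: 10.0.12.5   # private subnet address (constructed)
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```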
REGULATORY EXPOSURE
US Federal:
- FTC Act Section 5 - Unfair and deceptive practices. A data broker that explicitly disables authentication on a database containing 676 million SSNs meets the standard for unfairness. The CFPB's proposed data broker rule (Regulation V) was withdrawn in May 2025, leaving FTC Act enforcement as the primary federal mechanism.
- PADFAA (Protecting Americans' Data from Foreign Adversaries Act) - The FTC sent warning letters to 13 data brokers on February 9, 2026, weeks before this breach. If any portion of this data reached foreign adversary nations, penalties of up to $53,088 per violation apply. Spirigatito's attributed involvement with Iranian and Tanzanian data thefts raises this risk.
- Gramm-Leach-Bliley Safeguards Rule - Applicable if Infutor's data products were used by financial institutions for credit or risk decisions.
- FCRA - If any Infutor data product is used for credit, employment, insurance, or tenant screening decisions, Infutor qualifies as a Consumer Reporting Agency with strict accuracy, dispute resolution, and security obligations.
- SEC 8-K Disclosure - Verisk (NASDAQ: VRSK, $3.07B FY2025 revenue, ~$31.3B market cap) is publicly traded. If the exposure originated during Verisk's ownership, SEC material cybersecurity incident disclosure rules apply. No 8-K has been filed as of March 25.
State:
- All 50 States Breach Notification - SSN exposure triggers mandatory notification in every US state. No notifications have been filed as of March 25, 2026.
- California CCPA/CPRA - Data broker registration required with CalPrivacy ($6,000/year). California Delete Act (SB 362) requires participation in the DELETE Request and Opt-Out Platform, launched January 1, 2026. Penalty: $7,500 per intentional violation. CalPrivacy Data Broker Enforcement Strike Force (launched November 2025) actively targets non-compliant brokers. CalPrivacy fined National Public Data $46,000 even in bankruptcy.
- Vermont Data Broker Registry - Registration required ($100/year). Penalty: $50/day up to $10,000 annually.
- Oregon Data Broker Registry - Registration required. Penalty: $500/day up to $10,000 annually.
- Texas Data Broker Registry - Registration required ($300). Penalty: $100/day up to $10,000 annually.
- State AG Investigations - Expected from multiple jurisdictions. National Public Data drew investigations from 20+ state AGs.
Class Action:
- Chimicles Schwartz Kriner & Donaldson-Smith LLP - formal investigation launched
- Siri & Glimstad LLP / Milberg PLLC - representing affected individuals via Class Action U
- Bryson Harris Suciu & DeMay PLLC - investigating potential class action
- No formal lawsuit filed as of March 25 - investigations in progress
Ownership Liability:
- The breach exposure likely originated during Verisk's ownership (if the June-July 2025 access window is accurate) but was discovered after the sale to ActiveProspect (January 8, 2026). Standard M&A purchase agreements include representations and warranties regarding cybersecurity and data protection compliance. If Verisk knew or should have known about the exposure before the sale, indemnification claims and potential fraud causes of action may arise.
THE DATA BROKER PROBLEM
Infutor exemplifies the systemic risk of the US data broker industry - a $313 billion market with 750+ known companies, many operating entirely outside public awareness.
These companies aggregate sensitive personal data from hundreds of sources, sell access commercially, and face minimal federal regulation.
The regulatory framework has weakened since National Public Data's 2024 breach (272 million SSNs): the CFPB's proposed data broker rule was withdrawn in May 2025, federal privacy legislation (ADPPA) remains stalled, and only four states require data broker registration.
National Public Data filed for bankruptcy with less than $75,000 in assets, leaving 272 million Americans with no meaningful remedy - then quietly resurrected as "Perfect Privacy LLC." Infutor's case may follow a similar pattern: the business unit changed hands three times in ten years (Norwest VP in 2016, Verisk in 2022, ActiveProspect in 2026), each transition potentially diluting accountability for historical data security failures.
ZERO|TOLERANCE Advisory
1. Never Disable Default Security Controls - Elasticsearch 8.x ships with authentication enabled by default. Whoever configured this instance explicitly disabled it.
Organizations must enforce configuration management policies that prevent the disabling of security defaults, with automated drift detection and alerting.
2. Network Isolation for Sensitive Data Stores - A database containing 676 million SSNs must never be directly accessible from the public internet. Deploy behind VPN with mandatory authentication, private subnet with no public IP, IP allowlisting, and application-layer proxy.
3. Field-Level Encryption for SSNs - Social Security numbers must be encrypted at the application layer before storage, with decryption keys managed through a dedicated secrets management service.
Even if the database is accessed without authorization, encrypted fields are unusable.
4. Continuous External Attack Surface Monitoring - Deploy automated external scanning to detect exposed services within hours, not months. Set alerts for any Elasticsearch, MongoDB, or database service accessible on public IPs.
5. M&A Security Due Diligence - Both acquisition (Verisk 2022) and divestiture (ActiveProspect 2026) should have included comprehensive external attack surface assessments before closing.
6. Data Minimization - No single database should contain 676 million SSNs in searchable format.
Implement purpose limitation: SSNs needed for real-time identity resolution should be tokenized, with the actual SSN retrievable only through a controlled API with authentication, rate limiting, and audit logging.
7. Responsible Disclosure Protocol Reform - When researchers discover exposed databases containing hundreds of millions of SSNs, publishing findings before the data owner is identified and the database is secured creates a race condition that threat actors will win.
Disclosure should route through CISA or directly to the hosting provider for takedown before public reporting.
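Advisory points 3 and 6 together describe a tokenization design: the search index holds only a keyed token, and the SSN itself is reachable only through an authenticated, rate-limited, audited API. The class below is an added illustration of that design, not Infutor's or ActiveProspect's code; the API-key scheme, the demo key material and the in-memory vault (standing in for rows encrypted under a KMS-managed key) are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SsnVault:
    """Keyed-HMAC token lives in the search index; the SSN only leaves the
    vault through detokenize(). Assumed design, not Infutor's or ActiveProspect's."""

    def __init__(self, hmac_key: bytes, api_keys: Dict[str, str],
                 limit: int = 5, window_s: float = 60.0) -> None:
        self._hmac_key = hmac_key          # from a secrets manager in practice
        self._api_keys = api_keys          # caller -> API key (assumed scheme)
        self._limit, self._window = limit, window_s
        self._store: Dict[str, str] = {}   # token -> SSN digits (encrypt in prod)
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)
        self.audit_log: List[Tuple[float, str, str, str]] = []

    def tokenize(self, ssn: str) -> str:
        """Return 'tok_<hmac>'; deterministic so resolution can still join on it."""
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if len(digits) != 9:
            raise ValueError("SSN must contain exactly nine digits")
        mac = hmac.new(self._hmac_key, digits.encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()
        self._store[token] = digits
        return token

    def detokenize(self, token: str, caller: str, api_key: str,
                   now: Optional[float] = None) -> str:
        """Authenticate, rate-limit and audit before releasing the SSN."""
        now = time.time() if now is None else now
        expected = self._api_keys.get(caller)
        if expected is None or not hmac.compare_digest(expected, api_key):
            self._audit(now, caller, token, "denied:auth")
            raise PermissionError("invalid API key")
        recent = self._calls[caller]
        while recent and now - recent[0] > self._window:
            recent.popleft()               # drop calls outside the window
        if len(recent) >= self._limit:
            self._audit(now, caller, token, "denied:rate_limit")
            raise PermissionError("rate limit exceeded")
        recent.append(now)
        ssn = self._store.get(token)
        self._audit(now, caller, token, "ok" if ssn else "unknown_token")
        if ssn is None:
            raise KeyError("unknown token")
        return ssn

    def _audit(self, ts: float, caller: str, token: str, outcome: str) -> None:
        self.audit_log.append((ts, caller, token, outcome))
```

Every denied call lands in the audit log with its reason, which is the signal the advisory's alerting would key on.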
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident. Independent OSINT verification (March 27, 2026) confirmed all five gaps remain unresolved:
1. The total number of unique individuals affected has not been established - the 676 million record count includes historical, duplicate, and deceased-individual entries, and the actual unique living persons exposed may be significantly lower.
2. The class action investigation referencing an unauthorized access window between June 23 and July 15, 2025 has not been independently verified - only Class Action U cites these specific dates.
If accurate, the exposure predates the January 2026 Verisk-to-ActiveProspect sale by approximately six months.
3. Neither Infutor, Verisk, nor ActiveProspect has issued any public statement, making it impossible to confirm the data's provenance, ownership chain, or whether the database was a production system or a legacy artifact.
4. The approximately 250 million records reportedly circulating on underground forums prior to SOCRadar's discovery have not been linked to specific threat actors or access events.
5. Whether the Elasticsearch instance was operated directly by Infutor/ActiveProspect or by a third-party infrastructure provider has not been confirmed.
6. Whether Infutor, Verisk Marketing Solutions, or ActiveProspect is registered in any of the four state data broker registries (California, Vermont, Oregon, Texas) could not be confirmed through passive OSINT - active registry queries would be required.
SOURCES
SOCRadar, Biometric Update, Prism News, DailyDarkWeb, DarkNetSearch, DataBreach.io, ClassAction.org, Class Action U, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Dark Web Informer, HackNotice, CYFIRMA, Verisk Newsroom, ActiveProspect, GlobeNewsWire, Inc.