“No Way To Prevent This,” Says Only Industry Where This Regularly Happens

In the hours following yet another sweeping series of cyberattacks that collectively exposed the personal data of over 16 billion credentials, the Social Security numbers of nearly every living American, and the identity verification records of a billion people across 26 countries, executives in the only industry where this kind of catastrophic security failure routinely occurs confirmed there was no realistic way to prevent such incidents.

“This was an incredibly advanced, coordinated assault that exploited the fact that we stored 560 million customers’ full names, addresses, phone numbers, and credit card details in a cloud database with no multi-factor authentication,” said Richael Mapino, who oversees an organization that charges a $4.50 convenience fee to inform you your data was stolen. “ShinyHunters are a very sophisticated threat actor. You try having a system that requires a password and a second thing.”

The incident — one of at least 165 companies breached in a single Snowflake credential-stuffing campaign — follows a long string of similar incidents. Change Healthcare, the largest processor of medical claims in the United States, exposed the health records of 190 million Americans after attackers found a single server with no multi-factor authentication. AT&T disclosed that the call and text records of essentially all 110 million of its customers had been sitting in a Snowflake-hosted workspace accessible with a stolen credential. Analysts confirmed that all three organizations had received security recommendations about MFA in the months prior but logged them as low priority due to ongoing initiatives to optimize quarterly earnings per share.

“We’re seeing a pattern here,” admitted Undrew Aitty, glancing at a fresh SEC filing that his lawyers were already describing as “largely aspirational.” “But the truth is, when you are responsible for the insurance claims, prescriptions, test results, and surgical records of one in three Americans, you simply cannot be expected to tick every security checkbox. We did require passwords. Long ones, sometimes.”

Separately, a Florida company called National Public Data — which you have never heard of, never consented to give your data to, and which scraped your name, address history, relatives’ names, and Social Security number from public records databases and sold them as a commodity — confirmed that a threat actor had purchased this data for $3.5 million and published it on a dark web forum. The breach covered 272 million Social Security numbers, representing 60% of all SSNs ever issued by the IRS. The company filed for bankruptcy in October 2024 and shut down in December 2024, leaving no one to sue, no one to notify, and no mechanism to un-expose the data.

“It’s unfair to expect companies to keep all that information secure,” said Jark Vuckerberg, while deploying a new AI feature trained on private messages users believed were end-to-end encrypted. “There’s just so much of it. At some point you have to ask: who is really responsible here — the corporation that vacuumed up your most intimate personal data into a centralized honeypot for seventeen years, or the criminal who stole it? Personally I think it should be up to operating system makers to collect even more data, like the age and identity of every person on earth before they can use their apps. This time, it should be safe.”

Researchers also discovered a database of 184 million plaintext email address and password combinations, stored with no encryption and no password protection, accessible to anyone on the open internet. The database included credentials for Apple, Google, Facebook, Microsoft, Amazon, Netflix, PayPal, Roblox, and 220 email addresses ending in .gov. The owner of the database could not be determined. The researcher who found it described it as “a cybercriminal’s dream working list.” Industry analysts described it as “Tuesday.”

Meanwhile, a Know-Your-Customer verification platform called IDMerit left a one-terabyte MongoDB database exposed on the public internet with no password, containing the KYC identity documents — the most sensitive category of personal data, collected specifically to verify you are who you say you are — of over a billion people across 26 countries, including 203 million Americans. The database was discovered by researchers, secured, and never publicly attributed to any breach response, regulatory action, or executive consequence.

When asked whether decentralization — giving individuals and communities control over their own data rather than pooling it into a central honeypot — could reduce the surface area of such attacks, Zam Puckerstein replied: “That’s a great idea. We’re actually testing something like that. We call it ‘Your Privacy Matters to Us,’ which is the tagline on the settings page where you can choose between ‘share everything’ and ‘share almost everything.’ The button for the second option is slightly smaller and in gray.”

At press time, companies were reportedly preparing to send breach notification emails to affected users — approximately 14 months after the breach occurred — informing them that their data “may have been accessed” and offering one free year of identity theft monitoring from a subsidiary of one of the companies that caused the breach, provided users click a link, enter their Social Security number to verify identity, and agree to updated terms of service.

This article is an homage to The Onion’s article about mass shootings, which happen with some regularity in the USA; that article is reposted every so often with only the dates and names changed. See our 2023 edition and our 2021 edition.

 
