Infutor
Analysis of the Infutor data exposure affecting approximately 677 million records of US consumer data, including Social Security Numbers, reportedly caused by a misconfigured Elasticsearch database.
Published by the Scrutex.ai Research Team | March 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: Infutor. US-based identity verification and consumer intelligence platform that aggregates and provides consumer data for marketing, identity verification, and fraud prevention purposes.
Sector: Data Brokerage / Identity Verification
Region: United States
Date of Incident: March 3, 2026 (discovery)
Date Disclosed: March 9, 2026
Estimated Impact: Approximately 676,798,866 unique records
Data Types Exposed: Full names, dates of birth, physical addresses, phone numbers, Social Security Numbers
Attack Type: Misconfiguration
Attack Vector: Misconfigured Elasticsearch database left publicly accessible without authentication
Threat Actor: Not applicable
Current Status: Class-action investigations are reportedly underway. The exposure was identified by SOCRadar on March 3, 2026.
Severity Assessment: Critical. Nearly 677 million records containing highly sensitive PII including Social Security Numbers represent one of the largest consumer data exposures in US history. The data is sufficient for large-scale identity theft, financial fraud, and social engineering campaigns.
What Happened
According to a report published on March 9, 2026, Infutor, an identity verification and consumer intelligence platform, was involved in a data breach affecting approximately 676,798,866 unique records of US consumer data.
The exposure reportedly resulted from a misconfigured Elasticsearch database that was left publicly accessible without authentication. The misconfiguration was identified by SOCRadar on March 3, 2026.
The exposed data reportedly includes full names, dates of birth, physical addresses, phone numbers, and Social Security Numbers of American citizens. Class-action investigations are reportedly underway.
Timeline
March 3, 2026: SOCRadar reportedly identifies misconfigured Elasticsearch database belonging to Infutor
March 9, 2026: Public reporting on the exposure of approximately 677 million records
March 2026: Class-action investigations reportedly initiated
Impact and Risk Assessment
For Affected Individuals
With nearly 677 million records reportedly containing Social Security Numbers, a significant proportion of the US adult population may be affected. The combination of SSN, full name, date of birth, and address provides everything needed for identity theft and financial fraud.
Affected individuals face long-term risk, as Social Security Numbers cannot be easily changed. The data may be used for years to come in identity theft, account takeover, and fraudulent account creation.
For Organisations
Organisations that use Infutor’s services for identity verification and consumer intelligence face questions about the security of their data supply chain and whether their use of Infutor data exposes them to regulatory or litigation risk.
Financial institutions and other organisations that rely on SSN-based identity verification may face increased fraud attempts as the exposed data proliferates.
Regulatory Context
The exposure of Social Security Numbers triggers notification obligations under data breach notification laws in all 50 US states. Class-action investigations suggest significant litigation exposure.
As a data broker, Infutor may face scrutiny under emerging state-level data broker regulations and the FTC’s enforcement actions against data brokers with inadequate security practices.
What Should You Do?
If You Are a Potentially Affected Individual
Consider placing a credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion) to prevent fraudulent account opening using your SSN.
Monitor your credit reports regularly for unauthorised accounts or inquiries.
Be alert to phishing attempts and social engineering that may leverage the exposed personal information to appear legitimate.
If You Are a Security or Risk Professional
Audit your organisation’s use of third-party data brokers and consumer intelligence platforms. Assess whether your data suppliers maintain adequate security controls.
Review Elasticsearch and database configurations across your environment. Ensure all databases require authentication and are not exposed to the public internet.
Implement enhanced identity verification controls that go beyond SSN-based verification, as the widespread exposure of SSNs undermines their value as an authentication factor.
Learnings and Recommendations
Misconfigured databases remain one of the most common causes of large-scale data exposure. Organisations handling hundreds of millions of consumer records must implement automated configuration auditing and public exposure monitoring.
Data brokers and consumer intelligence platforms aggregate extraordinarily sensitive data at scale, making them high-value targets and creating catastrophic impact when security fails.
Social Security Numbers are increasingly compromised at scale, undermining their utility as identity verification factors. Organisations should move toward multi-factor identity verification that does not rely solely on SSN knowledge.
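A starting point for the Elasticsearch configuration review and the automated configuration auditing recommended above, as an added example that is not part of the original advisory or of any Infutor or Scrutex tooling: it audits an elasticsearch.yml for the conditions behind this kind of exposure (HTTP bind not restricted, security not enabled, anonymous access, no HTTP TLS). The sample configs and finding names are constructed, and the parser assumes the flat dotted-key form of the file.

```python
import ipaddress

# Constructed sample configs (flat dotted-key form); not from the incident.
EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED = ("network.host: _local_\nxpack.security.enabled: true\n"
            "xpack.security.http.ssl.enabled: true\n")

def parse_flat(text):
    """Parse 'dotted.key: value' lines (assumption: no nested YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def reachable_beyond_private(host):
    """True if a bind value may be reachable from outside private ranges."""
    if host in ("_local_", "_site_", "localhost"):
        return False
    if host in ("_global_", "0.0.0.0", "::"):
        return True  # wildcard or globally routable bind
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname or interface name: flag for manual review
    return not (ip.is_loopback or ip.is_private)

def audit(text):
    s = parse_flat(text)
    findings = []
    # http.host overrides network.host; with neither set the bind is loopback.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    if any(reachable_beyond_private(h.strip(" []'\"")) for h in bind.split(",")):
        findings.append("http-bind-not-restricted")
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("security-not-explicitly-enabled")
    if any(k.startswith("xpack.security.authc.anonymous.") for k in s):
        findings.append("anonymous-access-configured")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("http-tls-not-enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Elasticsearch 8.0 and later enable security by default; the check still flags an absent `xpack.security.enabled` so the setting is stated explicitly rather than inherited from a version-dependent default.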