PROBABLYPWNED
Data Breaches | March 18, 2026 | 4 min read

Data Broker Infutor Breach Exposes 676 Million Consumer Records

Infutor data breach reportedly exposes 676 million consumer records including Social Security numbers. Misconfigured Elasticsearch database blamed for the exposure.

Sarah Mitchell

Consumer identity management platform Infutor has reportedly suffered a massive data breach exposing approximately 676 million records. The compromised data allegedly includes full names, dates of birth, physical addresses, phone numbers, and Social Security numbers—everything needed for identity theft.

A threat actor using the handle "Spirigatito" posted the database for sale on dark web forums on March 8, 2026. Security firms flagged the listing almost immediately, with analysts saying that, if verified, the sheer scale places this among the most significant data broker breaches ever documented.

What We Know

According to SOCRadar's analysis, the exposure resulted from a misconfigured Elasticsearch database—a depressingly common cause of large-scale breaches. Improperly configured databases left accessible on the public internet continue to enable some of the largest data exposures, despite years of warnings from security researchers.

Infutor serves industries including insurance, consumer finance, higher education, platforms and service providers, and real estate. Companies in these sectors use Infutor's data for marketing campaigns, customer verification, and identity insights. The breach doesn't just affect Infutor's direct customers—it potentially impacts anyone whose data flows through the consumer identity verification ecosystem.

The Data Broker Problem

Most people have never heard of Infutor, yet the company may hold detailed records about them. Data brokers operate in a shadow economy, collecting and aggregating information from public records, commercial transactions, and other sources to build consumer profiles.

This creates an asymmetric risk: consumers don't know what data exists about them or who holds it, making it impossible to take proactive protective measures. When a breach occurs, affected individuals learn about their exposure after the fact—if they learn at all.

The TELUS Digital breach we covered yesterday involved a BPO company holding data on behalf of clients. The Infutor breach demonstrates the same pattern at data broker scale: your information sits in systems you've never interacted with directly.

Corporate Ownership Changes

The timing is complicated. In January 2026, data analytics company Verisk Marketing Solutions—which acquired Infutor in 2022—was itself acquired by ActiveProspect. These ownership transitions can create security gaps as systems migrate between management teams and integration efforts compete with security priorities.

Whether the breach occurred before or after the ActiveProspect acquisition remains unclear. Investigators are still determining the timeline and scope.

Impact Assessment

If the 676 million figure is accurate, this breach potentially affects a majority of American adults. The United States has approximately 330 million people; accounting for deceased records and historical data, a 676 million record database could represent comprehensive coverage of the adult population over many years.

Social Security numbers are particularly dangerous. Unlike passwords, SSNs cannot be changed. Exposure creates permanent identity theft risk that no amount of credit monitoring can fully mitigate.

Affected individuals should assume their SSN is compromised and take protective measures:

  1. Freeze credit at all three bureaus (Equifax, Experian, TransUnion)—this is free and prevents new account fraud
  2. Monitor existing accounts for unauthorized activity
  3. Consider identity theft protection services that monitor dark web markets
  4. File for an IRS Identity Protection PIN to prevent tax refund fraud

Our data breach guide covers the immediate steps anyone should take after learning their information was exposed.

The Elasticsearch Pattern

Misconfigured Elasticsearch databases have caused dozens of major breaches over the past five years. The database technology itself is secure when properly configured, but default settings often allow unauthenticated access, and rushed deployments skip security hardening.

Organizations running Elasticsearch should immediately audit their configurations:

  • Disable external network binding unless absolutely required
  • Enable authentication (not optional, despite what defaults suggest)
  • Configure TLS for transport layer encryption
  • Implement proper access controls and API key management
  • Monitor for unauthorized access attempts
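
The checklist above can be partly checked from the node's configuration file. The following is an added example, not code from the article or from Elastic: a small auditor for elasticsearch.yml that flags non-loopback binding and security settings that are not explicitly enabled. It assumes the flat "dotted.key: value" form of the file, and the sample configurations are constructed.

```python
# Added example, not from the article. Audits flat "dotted.key: value"
# elasticsearch.yml text; nested YAML is out of scope (assumption).
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
REQUIRED_TRUE = {
    "xpack.security.enabled": "authentication may be off",
    "xpack.security.http.ssl.enabled": "REST traffic is not TLS-protected",
    "xpack.security.transport.ssl.enabled": "node-to-node traffic is not TLS-protected",
    "xpack.security.audit.enabled": "access attempts are not audit-logged",
}

def parse_flat_yaml(text):
    """Return {key: value} for 'a.b.c: value' lines, dropping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings

def hosts(value):
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]

def audit(text):
    """Return findings for the checklist items a config file can show."""
    s = parse_flat_yaml(text)
    findings = []
    for key in ("network.host", "http.host"):
        exposed = [h for h in hosts(s.get(key, "_local_")) if h not in LOOPBACK]
        if exposed:
            findings.append(f"{key} binds beyond loopback: {', '.join(exposed)}")
    for key, why in REQUIRED_TRUE.items():
        if s.get(key, "").strip("\"'").lower() != "true":
            findings.append(f"{key} is not explicitly true: {why}")
    return findings

# Constructed sample configs, not taken from any real deployment.
WEAK = """
network.host: 0.0.0.0   # constructed: listens on every interface
xpack.security.enabled: false
"""
HARDENED = "network.host: _local_\n" + "".join(f"{k}: true\n" for k in REQUIRED_TRUE)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A non-loopback bind is a finding to review rather than an automatic failure, since some clusters legitimately need it; access controls and API key management live in the cluster's security state and are not visible in this file.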

Cloud providers offer managed Elasticsearch services with better default security postures. Organizations still running self-managed instances should strongly consider migration.

Why This Matters

Data brokers represent concentrated risk to consumer privacy. A single breach can expose more records than all retail breaches in a typical year combined. Yet data broker security practices receive far less scrutiny than consumer-facing companies because the general public doesn't interact with these businesses directly.

The Aura.com breach from the ShinyHunters campaign earlier this month affected a security company ironically focused on protecting consumer identity. The Infutor breach affects a company that profits from aggregating that same consumer data. Neither outcome inspires confidence in the data broker ecosystem's ability to protect what it collects.

Regulatory pressure on data brokers has increased, but breaches like this suggest industry practices haven't kept pace with the sensitivity of the data involved. Until that changes, consumers remain exposed through systems they cannot see and relationships they never consented to.
