Columbia’s Data Breach Exposes Hidden Victims Who Never Attended the University

Columbia breach exposed SSNs of 868,969 people, including thousands who never applied through forgotten recruitment databases

Jun 4, 2026

2 min read

Key Takeaways

Columbia’s breach exposed 868,969 people including thousands who never attended the university
Attackers stole 2.5 million applicant records and 1.8 million SSNs from legacy databases
Universities routinely collected SSNs through testing organizations before 2012 without proper purging

Columbia University’s massive 2025 data breach affected 868,969 people, including thousands who received alarming notification letters despite having zero connection to the prestigious institution.

The Breach That Revealed Invisible Relationships

Between May and June 2025, a politically motivated attacker infiltrated Columbia’s systems and exfiltrated 460 gigabytes of sensitive data. The haul included Social Security numbers, dates of birth, financial aid records, and academic histories stretching back decades.

The hacker, claiming to expose post-affirmative action admissions practices, managed to steal information on over 2.5 million applicants and up to 1.8 million SSNs. Columbia detected the breach in late June but didn’t notify the public until July, leaving many victims scrambling to understand how their most sensitive identifier ended up in a stranger’s hands.

How Your Data Ended Up in Columbia’s Vaults

Your confusion about receiving a Columbia breach letter makes perfect sense—the university collected your SSN through recruitment pipelines you probably forgot existed. Before 2012, Columbia routinely ingested prospect data from testing organizations like College Board and ACT, plus various scholarship services that shared SSNs as student identifiers.

According to Columbia officials, students provided consent through checkboxes on test forms or scholarship applications. The problem? Columbia attempted to purge these SSNs after 2012 but missed at least one legacy database. Like finding a forgotten hard drive in your closet, except this one contained sensitive data on millions of people.

The Broader Data Retention Problem

Electronic Frontier Foundation technologists describe Columbia’s decades-long SSN retention as “really indicting,” highlighting how institutions treat personal data as assets rather than liabilities. This isn’t Columbia’s unique failing—it’s symptomatic of an entire sector that hoarded sensitive identifiers long past their usefulness.

Protecting Yourself from Invisible Data Relationships

Your compromised SSN won’t expire like a credit card. Place credit freezes with all three bureaus, monitor accounts aggressively, and consider that this breach might be the first of many surprise notifications.

The uncomfortable truth? Your data probably lives in systems you can’t imagine, collected through forgotten interactions decades ago. Columbia’s breach illuminates a chilling reality: you’re vulnerable to tracking users through institutions you never chose to trust.

Share this

You Might Also Like_

Our Editorial Process

At Gadget Review, our guides, reviews, and news are driven by thorough human expertise and use our Trust Rating system and the True Score. AI assists in refining our editorial process, ensuring that every article is engaging, clear and succinct. See how we write our content here →

Join over 100k Readers

Join 100,000+ readers discovering the coolest gadgets, smart buying guides, and the tech news that actually matters.

LATEST Lists_

Why Trust Gadget Review

With over 25 years of experience, our editorial process is built on human expertise, ensuring that every article is reliable and trustworthy. AI helps us shape our content to be as succinct and engaging as possible.

Learn more about our commitment to integrity in our Code of Ethics.