
24 Billion Stolen Credentials Found in a Giant Exposed Database

Researchers found an exposed server holding 24 billion credential records pulled from infostealer logs and old breaches, a stark reminder to enable MFA.

Sam Carter 9 min read

In June 2026, security researchers reported finding an exposed database holding about 24 billion credential records, one of the largest collections of stolen login data ever observed in the open. The trove was not a single new breach but a giant compilation, and it serves as a blunt reminder of why password reuse remains the most dangerous habit in personal security.

Quick answer

This was not a fresh hack of any one company. Cybernews researchers found an unprotected Elasticsearch server (about 8.3 TB, roughly 24 billion records) that stitched together old breach dumps and fresh infostealer logs from around 36 sources. The real danger is that many records pair a password with the exact site it unlocks, so reused passwords are immediately exploitable. Turn on multi-factor authentication, give every account a unique password, and switch high-value logins to passkeys.

Key takeaways

  • Researchers at Cybernews found an unprotected Elasticsearch cluster on June 12, 2026, holding roughly 24 billion records across more than 8.3 terabytes; it was secured by June 15.
  • The data was assembled from about 36 sources, including more than 30 Telegram channels, older breach compilations, and large volumes of fresh infostealer logs.
  • Many records pair a username, plaintext password, and the exact login URL, so attackers do not have to guess where a credential works.
  • The dataset leaned toward recent infostealer logs and even carried a layer of vulnerability intelligence, suggesting it was an active attack-targeting tool, not a dead archive.
  • The fix is familiar and effective: unique passwords, a password manager, passkeys where possible, and multi-factor authentication on every account that matters.

What happened

Researchers at Cybernews said they discovered an unprotected Elasticsearch cluster on June 12 containing roughly 24 billion records spread across more than 8.3 terabytes of data. The server was reachable on the open internet before it was taken offline, with the cluster secured by June 15.

The data was not one company's breach. It was assembled from around 36 sources, including more than 30 Telegram channels openly used for trading stolen credentials, older breach compilations, and large collections of "infostealer" logs. Roughly 1.7 billion of the records traced back to hacking-related Telegram channels, mainly English and Russian-language, including at least one focused on stolen payment-card data. Many records were structured infostealer entries containing usernames, email addresses, plaintext passwords, and the exact login URL each password belonged to.

Note

An infostealer is malware that infects a device and quietly harvests saved passwords, browser cookies, autofill data, and session tokens, then sends them to attackers. A single infected machine can leak credentials for every site the victim used.

The details

The raw number, 24 billion, is attention-grabbing, but the more important detail is the format. Because each infostealer record pairs a username and password with the specific site it unlocks, attackers do not have to guess where a credential works. They can target accounts directly, which makes the dataset far more dangerous than a simple list of leaked passwords.

The trove also included active session cookies and tokens. Those are especially dangerous because they can let an attacker step into a logged-in session and, in some cases, bypass multi-factor authentication entirely, since the user already passed the second factor when the token was created. That is why session-hijacking has become a favored tactic even against accounts that look well protected.


Researchers noted the dataset appeared to be actively maintained. It contained a documented layer of records referencing software vulnerabilities and links to code repositories, plus copies of news articles about recent breaches, with timestamps suggesting the collection was being updated for months before discovery. That points to an organized operation using the database as a live targeting tool rather than a one-time dump.

What this is, and what it is not

It is worth being precise. This is largely a recompilation of previously stolen data combined with fresh infostealer logs, not necessarily proof that any single major service was newly hacked. Compilations like this recycle old breaches, which is why some passwords in them are years out of date.

That said, the risk is real because people reuse passwords. If even a fraction of the 24 billion records contain a still-valid login, billions of accounts could be exposed to takeover, particularly anywhere multi-factor authentication is not turned on. The mechanics of credential stuffing, where attackers replay leaked username and password pairs across many sites, are covered in our guide on how to check if you were in a breach and respond.

Not every record in a dump like this carries the same threat. Knowing which type you are dealing with tells you how urgently to act:

| Record type | What it contains | Why it is dangerous | Your fix |
|---|---|---|---|
| Old breach compilation | Email plus a years-old password | Still unlocks accounts you never updated | Change any password you still reuse |
| Fresh infostealer log | Username, plaintext password, exact login URL | Attacker knows precisely where it works | Treat the device as compromised; reset from a clean machine |
| Session cookie / token | A live authenticated session | Can bypass MFA entirely | Sign out everywhere and revoke active sessions |
| Payment-card record | Card number and details | Direct financial fraud | Freeze the card and watch statements |

Warning

Compilation leaks blend old and current data. The fact that an old password appears does not mean a new breach occurred, but any password you still use that shows up in a leak should be changed immediately.

Why it matters

Compilation dumps like this lower the barrier to attack. A would-be intruder no longer needs technical skill to harvest credentials; they can simply buy or download a pre-sorted file that maps logins to sites. That commoditization is part of why AI-assisted attacks have grown so quickly, a trend we cover in how AI phishing is beating your inbox filter.

The pattern also underscores how infostealers have become the engine behind modern credential theft. Unlike a breach of one company, an infostealer infection on a single laptop can leak logins for dozens of services at once, which is why avoiding pirated software and sketchy downloads matters as much as any password policy.

What to do tonight

You do not need to panic over a 24-billion-record headline, but a focused half hour meaningfully shrinks your exposure. Run these in order:

  • Turn on multi-factor authentication everywhere it is offered, starting with email, banking, and your password manager. Email is the master key, because most password resets land there, so secure it first. MFA blocks the overwhelming majority of credential-stuffing attempts.
  • Check your exposure at a reputable service like Have I Been Pwned, then change any password that appears and any password you reuse anywhere else.
  • Use a password manager (Bitwarden, 1Password, or your browser's built-in vault) and give every account a unique, generated password, so one leak cannot cascade.
  • Switch high-value logins to passkeys where available; they are not phishable and never stored as a reusable secret. Our step-by-step passkey setup guide covers each major platform.
  • Sign out of all active sessions on your important accounts, which kills any stolen session token an attacker might be holding.
  • Watch for infostealer infections: avoid pirated software, cracked games, and sketchy "free download" sites, which are the most common way these credential thieves get on a machine in the first place.
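
An added example (not part of the original article) of the reuse check behind the exposure and password-manager steps above: given a password-manager export and a set of leaked records, it reports which accounts a leaked password still unlocks, either directly or through reuse on another site. All URLs, usernames and passwords are constructed sample data, and `audit`, `host` and `digest` are hypothetical helper names.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample data: a password-manager export and leaked records shaped
# like the infostealer entries described above (login URL, username, password).
VAULT = [
    ("https://mail.example.com/login", "sam@example.com", "Tr0ub4dor&3"),
    ("https://bank.example.net/signin", "sam@example.com", "Tr0ub4dor&3"),
    ("https://forum.example.org/", "samc", "Tr0ub4dor&3"),
    ("https://shop.example.com/account", "sam@example.com", "x9!Lq-unique-77"),
]
LEAKED = [
    ("https://forum.example.org/login.php", "samc", "Tr0ub4dor&3"),
    ("https://shop.example.com/", "sam@example.com", "old-shop-pass"),
]


def host(url):
    """Lower-cased hostname of a login URL, so paths do not affect matching."""
    return (urlsplit(url).hostname or "").lower()


def digest(password):
    """Compare by digest so plaintext passwords are not kept in the lookup sets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(vault, leaked):
    """Return {host: reason} for every vault entry that needs a new password."""
    leaked_exact = {(host(u), user.lower(), digest(p)) for u, user, p in leaked}
    leaked_pw = {digest(p) for _, _, p in leaked}
    findings = {}
    for url, user, pw in vault:
        h, d = host(url), digest(pw)
        if (h, user.lower(), d) in leaked_exact:
            findings[h] = "direct"   # the leaked record still unlocks this site
        elif d in leaked_pw:
            findings[h] = "reused"   # same password, exposed via another site
    return findings


if __name__ == "__main__":
    for site, reason in sorted(audit(VAULT, LEAKED).items()):
        print(f"{site}: change password ({reason})")
```

The stale `shop.example.com` record is not flagged because the vault already holds a different, unique password for that site, while one leaked forum login puts the mail and bank accounts at risk through reuse.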

Frequently asked questions

Was my specific account breached?

Not necessarily. This is a compilation, so the presence of one of your old passwords often reflects an older breach rather than a new one. Use a reputable breach-checking service to see whether your email appears, and change any password you still use that shows up.

Does multi-factor authentication fully protect me?

It stops the vast majority of credential-stuffing attacks, but stolen session tokens can sometimes bypass it. That is why pairing MFA with unique passwords and, ideally, phishing-resistant passkeys gives the strongest protection.

How do I know if I have an infostealer infection?

Warning signs include unexpected logins, antivirus alerts, or credentials leaking despite strong passwords. Run a reputable malware scan, change passwords from a clean device, and revoke active sessions on important accounts.

Should I change every password I own?

Focus first on high-value accounts: email, banking, and your password manager. Then replace any reused passwords. A password manager makes generating and storing unique credentials painless.

Was this a single company being hacked?

No. It was an aggregated server combining roughly 36 sources, including more than 30 Telegram trading channels, older breach compilations, and recent infostealer logs. The presence of your data in it does not point to one specific company failing, which is exactly why the defenses are universal rather than vendor-specific.

For now, the 24-billion-record dump is less a single catastrophe than a snapshot of how much stolen data already circulates. The defenses are familiar, and they work: unique passwords, a password manager, and multi-factor authentication on everything that matters.
