Colonial Pipeline: 'The credential data leak is dangerous simply because of its enormous size': Experts warn "colossal" breach exposes 24 billion records including personal info

Massive 24-Billion-Credential Database Exposed in Unsecured Elasticsearch Instance

Security researchers at Cybernews uncovered an unprotected Elasticsearch database containing 24 billion plaintext credentials, making it one of the largest credential leaks ever discovered. The 8TB archive, compiled from 36 distinct sources, included usernames, passwords, and login URLs, all stored in plaintext and freely accessible to anyone who knew the database's location.

The dataset appears to be a live, regularly updated collection of infostealer logs, Telegram leaks, and prior breach data, with evidence suggesting it was last modified as recently as February 2026. While the exact age of the records remains unclear, the inclusion of recent data indicates the archive was actively maintained. The owner's identity is unknown, though the sources span English and Russian-language channels, including 260 million records tied to "Darkside" Telegram channels, a reference to the now-defunct ransomware group behind the 2021 Colonial Pipeline attack.

The sheer scale of the leak (nearly three times the global population) poses severe risks, particularly for accounts without multi-factor authentication (MFA). The database was secured shortly after discovery, preventing further analysis, but the incident underscores the ongoing threat of aggregated credential dumps in underground markets. The mix of infostealer outputs, breach compilations, and Telegram-sourced data suggests a sophisticated operation, likely aimed at facilitating account takeovers, fraud, or further cyberattacks.

Source: https://www.techradar.com/pro/security/the-credential-data-leak-is-dangerous-simply-because-of-its-enormous-size-experts-warn-colossal-breach-exposes-24-billion-records-including-personal-info

Colonial Pipeline Company cybersecurity rating report: https://www.rankiteo.com/company/colonial-pipeline-company

{
"id": "COL1781699400",
"linkid": "colonial-pipeline-company",
"type": "Breach",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Global (potentially all users '
                                              'without MFA)'}],
 'attack_vector': 'Unsecured Elasticsearch Instance',
 'data_breach': {'data_encryption': 'None (plaintext)',
                 'number_of_records_exposed': '24 billion',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (plaintext credentials)',
                 'type_of_data_compromised': ['Usernames',
                                              'Passwords',
                                              'Login URLs']},
 'description': 'Security researchers at Cybernews uncovered an unprotected '
                'Elasticsearch database containing 24 billion plaintext '
                'credentials, making it one of the largest credential leaks '
                'ever discovered. The 8TB archive, compiled from 36 distinct '
                'sources, included usernames, passwords, and login URLs all '
                'stored in plaintext and freely accessible. The dataset '
                'appears to be a live, regularly updated collection of '
                'infostealer logs, Telegram leaks, and prior breach data, with '
                'evidence suggesting it was last modified as recently as '
                'February 2026. The owner’s identity is unknown, though the '
                'sources span English and Russian-language channels, including '
                "260 million records tied to 'Darkside' Telegram channels. The "
                'database was secured shortly after discovery, but the '
                'incident underscores the ongoing threat of aggregated '
                'credential dumps in underground markets.',
 'impact': {'data_compromised': '24 billion plaintext credentials',
            'identity_theft_risk': 'High',
            'systems_affected': 'Elasticsearch database'},
 'investigation_status': 'Partially resolved (database secured)',
 'lessons_learned': 'The incident underscores the ongoing threat of aggregated '
                    'credential dumps in underground markets and the '
                    'importance of multi-factor authentication (MFA).',
 'motivation': 'Account takeovers, fraud, or further cyberattacks',
 'post_incident_analysis': {'corrective_actions': 'Secure databases, implement '
                                                  'encryption, and enforce '
                                                  'access controls',
                            'root_causes': 'Unsecured Elasticsearch database, '
                                           'lack of encryption, and improper '
                                           'access controls'},
 'recommendations': 'Enable multi-factor authentication (MFA) for all '
                    'accounts, monitor for credential leaks, and secure '
                    'databases with proper access controls.',
 'references': [{'source': 'Cybernews'}],
 'response': {'containment_measures': 'Database secured after discovery',
              'third_party_assistance': 'Cybernews researchers'},
 'title': 'Massive 24-Billion-Credential Database Exposed in Unsecured '
          'Elasticsearch Instance',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unprotected database'}