Massive 24-Billion-Record Database of Stolen Credentials Exposed Online
Researchers at Cybernews uncovered a publicly accessible Elasticsearch database containing 24 billion stolen credential records, totaling 8.3 terabytes of data. The exposed cluster, which was briefly available online before being secured, aggregated information from 36 sources, including Telegram channels, prior breach compilations, infostealer logs, and direct server exports.
The dataset included 1.7 billion records from hacking-related Telegram channels primarily in English and Russian alongside structured infostealer logs with usernames, email addresses, plaintext passwords, and login URLs. Some entries also contained stolen credit card data, while others featured vulnerability reports, breach articles, and cyberattack discussions, suggesting the database was actively maintained for either commercial monitoring or offensive cyber operations.
The breach rivals the scale of past "mega-dumps," such as the "mother of all breaches" linked to the Leak-Lookup search engine, but with a heavier focus on fresh infostealer logs rather than older breach data. Infostealer logs often capture browser-stored passwords, session cookies (including MFA bypass tokens), autofill data, device fingerprints, and even crypto wallet details from infected devices.
While the database was taken offline shortly after discovery limiting further exposure researchers could not fully analyze duplicates or confirm all affected individuals. However, the presence of reused passwords still poses a significant risk to compromised accounts.
The incident underscores the persistent circulation of stolen credentials from phishing, data breaches, and malware infections, reinforcing the need for heightened security measures.
Elasticsearch TPRM report: https://www.rankiteo.com/company/elastic-co
Leak-Lookup TPRM report: https://www.rankiteo.com/company/intelforge
"id": "intela1781699483",
"linkid": "intelforge, elastic-co",
"type": "Breach",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Unknown (potentially millions)',
'industry': 'Cybercrime/Monitoring',
'type': 'Database Operator'}],
'attack_vector': ['Phishing', 'Malware (Infostealers)', 'Data Breaches'],
'data_breach': {'number_of_records_exposed': '24 billion',
'personally_identifiable_information': ['Usernames',
'Email Addresses',
'Plaintext Passwords',
'Login URLs',
'Session Cookies',
'Autofill Data',
'Device Fingerprints'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Credit Card Data',
'Session Cookies',
'Autofill Data',
'Device Fingerprints',
'Crypto Wallet Details',
'Vulnerability Reports',
'Breach Articles']},
'description': 'Researchers at Cybernews uncovered a publicly accessible '
'Elasticsearch database containing 24 billion stolen '
'credential records, totaling 8.3 terabytes of data. The '
'exposed cluster aggregated information from 36 sources, '
'including Telegram channels, prior breach compilations, '
'infostealer logs, and direct server exports. The dataset '
'included usernames, email addresses, plaintext passwords, '
'login URLs, stolen credit card data, vulnerability reports, '
'and cyberattack discussions.',
'impact': {'data_compromised': '24 billion records (8.3 TB)',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': 'Elasticsearch database'},
'investigation_status': 'Partial (limited analysis due to early takedown)',
'lessons_learned': 'The incident underscores the persistent circulation of '
'stolen credentials from phishing, data breaches, and '
'malware infections, reinforcing the need for heightened '
'security measures such as password hygiene, MFA, and '
'monitoring for credential leaks.',
'motivation': ['Commercial Monitoring', 'Offensive Cyber Operations'],
'post_incident_analysis': {'corrective_actions': ['Secure database access '
'controls',
'Monitor for unauthorized '
'data aggregation'],
'root_causes': ['Publicly accessible Elasticsearch '
'database',
'Aggregation of stolen credentials '
'from multiple sources']},
'recommendations': ['Enforce password hygiene',
'Implement Multi-Factor Authentication (MFA)',
'Monitor for credential leaks',
'Use adaptive security measures'],
'references': [{'source': 'Cybernews'}],
'response': {'containment_measures': 'Database taken offline',
'third_party_assistance': 'Cybernews researchers'},
'title': 'Massive 24-Billion-Record Database of Stolen Credentials Exposed '
'Online',
'type': 'Data Exposure',
'vulnerability_exploited': 'Publicly accessible Elasticsearch database'}