24 Billion Stolen Credentials Found in Exposed Elasticsearch Cluster
Cybernews researchers discovered 8.3TB of stolen credentials—usernames, passwords, session tokens—in an unprotected database. Data came from 36 sources including infostealer logs and Telegram channels.
Cybernews researchers discovered an unprotected Elasticsearch cluster containing 24 billion credential records and more than 8.3 terabytes of stolen data. The exposed database included usernames, email addresses, plaintext passwords, login URLs, browser cookies, session tokens, and cryptocurrency wallet data—essentially everything an attacker needs for account takeovers at scale.
The database was taken offline shortly after discovery on June 17, but its existence reveals how much stolen credential data circulates within cybercriminal ecosystems. This wasn't a breach of any single organization—it was an aggregation point for the output of years of credential theft.
What Was Exposed
The collection contained data from 36 distinct sources, revealing the supply chain of credential theft:
Infostealer Logs: The vast majority of records came from malware that harvests credentials from infected machines. These logs captured not just passwords but autofill data, device fingerprints, and active session tokens.
Telegram Channels: Approximately 1.7 billion records traced back to Telegram channels involved in cybercrime—trading stolen credit cards, sharing access credentials, and operating as marketplaces for compromised accounts.
Prior Breach Compilations: Around 22.6 billion records came from aggregated "collections" that compile credentials from multiple breaches. These compilations are routinely shared and re-shared across criminal forums.
Live Server Exports: Some datasets appeared to have been exported directly from compromised authentication servers, capturing credentials as users logged in.
The Credential-Stuffing Threat
A database this size supercharges credential-stuffing attacks—automated attempts to log into accounts using stolen username/password combinations. Because password reuse remains common despite years of warnings, credentials stolen from one breach often unlock accounts across multiple services.
The collection was particularly dangerous because it included enrichment data linking credentials to known CVEs. This enables attackers to prioritize targets running vulnerable software, combining credential access with exploit delivery for maximum impact.
Organizations managing data breach response should treat this exposure as a reminder that stolen credentials don't disappear—they accumulate and get repackaged. A breach from 2023 might surface in a criminal database in 2026, still viable against users who never changed their passwords.
Operational Security Implications
The database operated on an Elasticsearch cluster with no authentication and no network restrictions. While this made discovery trivial for researchers, it also means criminal operators were sloppy enough to expose their own infrastructure.
Threat intelligence teams should note: criminal data repositories are themselves attack surfaces. Monitoring for exposed databases like this can provide early warning of credential theft campaigns before stolen data gets weaponized.
Who's at Risk
Anyone with online accounts. The breadth of sources—Telegram channels, infostealer campaigns, breach compilations—means credentials from virtually any service could appear in aggregations like this.
Specific indicators of elevated risk:
- Password reuse across multiple accounts
- No multi-factor authentication enabled
- Credentials created before 2024
- Downloads from untrusted sources (infostealer infection vector)
- Use of cryptocurrency exchanges or DeFi platforms (wallet data was included)
Recommended Actions
- Check exposure using breach notification services like Have I Been Pwned
- Rotate exposed passwords immediately and ensure new passwords are unique per service
- Enable MFA everywhere using authenticator apps rather than SMS
- Audit saved passwords in browsers—these are infostealer targets
- Download software only from official sources to avoid infostealer infections
For security teams, the existence of such databases argues for credential monitoring services that detect when employee credentials appear in criminal marketplaces. Early detection enables forced password resets before attackers act.
The Bigger Picture
This database represents what happens after successful phishing campaigns, malware infections, and breach intrusions. Every infostealer infection, every phishing success, every database dump eventually flows downstream into aggregations like this.
The criminals who operate these collections aren't hackers themselves—they're data brokers, providing the raw material for account takeovers, business email compromise, and identity theft. Disrupting them requires going beyond technical defenses to understand the economics of credential theft.
Frequently Asked Questions
Can I check if my credentials were in this specific database? The database was taken offline before public tools could index it. Use services like Have I Been Pwned to check for credentials exposed across known breaches—if you're in those, you may well have been in this aggregation too.
Who was operating this database? Researchers couldn't determine the operator's identity. The lack of authentication suggests either carelessness or intentional exposure for some purpose. The database's offline status prevents further analysis.
Related Articles
Crunchyroll Breach Exposes 6.8 Million Users via Malware
Hackers infected a contractor's device to steal Okta credentials, then pivoted to Crunchyroll's Zendesk. Support ticket data for 6.8 million subscribers extracted.
Mar 24, 2026Data Broker Infutor Breach Exposes 676 Million Consumer Records
Infutor data breach reportedly exposes 676 million consumer records including Social Security numbers. Misconfigured Elasticsearch database blamed for the exposure.
Mar 18, 2026HungerRush POS Extortion: Threat Actor Mass-Mails Restaurant Customers
Attacker leverages infostealer-compromised credentials to extort restaurant POS provider HungerRush, sending threatening emails directly to customers demanding response.
Mar 5, 2026Everest Ransomware Dumps Full 1TB of ASUS Stolen Data
After ASUS missed ransom deadline, Everest releases complete data trove including ROG source code, Qualcomm SDKs, and ArcSoft files on cybercrime forums.
Jan 3, 2026