A massive collection of stolen login credentials containing roughly 24 billion records was briefly exposed online, according to cybersecurity researchers at Cybernews.
Researchers say the publicly accessible Elasticsearch cluster contained usernames, email addresses, plaintext passwords, and login URLs linked to a wide range of online services. The database was taken offline after its discovery, but the scale of the collection has raised concerns about how much stolen credential data is circulating within cybercriminal ecosystems.
While it’s unclear who assembled the database or how many unique victims are represented, the findings highlight a growing problem: infostealer malware and credential reuse continue to provide attackers with vast quantities of account data that can be weaponized long after an initial compromise.
What was inside the database
According to Cybernews, the exposed system reportedly contained a mix of data types, but the majority appeared to be infostealer logs, records captured by malware designed to extract sensitive information from infected devices.
These logs typically include usernames, passwords, browser-stored credentials, and sometimes session data or tokens. Researchers also found that many records included the service URL that the credentials were meant to access.
The dataset was drawn from at least 36 sources, ranging from Telegram channels to breach compilations and data allegedly exported directly from live systems. A large portion of the material, roughly 1.7 billion records, came from Telegram channels linked to cybercrime activity, including groups sharing stolen credentials and financial data.
One of the largest chunks of data, about 22.6 billion records, was grouped under a label described as “collections.” Researchers said this section likely combined multiple infostealer datasets and previously leaked material, though the exact origin remains unclear.
Despite the scale of the discovery, key questions remain unanswered. Researchers say it is still unclear who collected or maintained the database, how many individuals are affected, or how many of the records are duplicates.
More than just passwords
Beyond login data, the exposed cluster also contained unexpected material related to cybersecurity tracking.
Researchers identified documents that referenced known vulnerabilities (CVEs), linked to GitHub repositories, and even included news articles about recent cyber incidents. Some entries appeared to include social media posts discussing ransomware operations and breach activity.
This suggests the data’s maintainer may have been actively monitoring cybersecurity developments and continuously adding new material to the collection. Even though the database is no longer publicly accessible, researchers stress that the risk has not disappeared.
Much of the danger comes from password reuse. If the same login details are used across multiple platforms, attackers can use them in automated credential stuffing attempts to break into accounts. Experts say enabling multi-factor authentication and avoiding reused passwords remain the most effective defenses.
Security advice for users
Cybersecurity experts are urging users to assume that reused passwords may already be compromised and take immediate precautions.
Key steps include changing reused passwords, especially for email, banking, and social media accounts, and enabling multi-factor authentication wherever possible. Password managers are also recommended to generate unique credentials for each service.
Users are also being warned to stay alert for phishing e3mails or messages that claim to check whether their data was exposed, as these are often used to harvest additional credentials.
Also read: ShinyHunters claims it stole 297GB of Council of Europe data, including payroll and medical records, though the organization has not confirmed a breach.