24B Credential Records Briefly Exposed in Massive Leak

A massive trove of stolen login credentials—roughly 24 billion records—was briefly exposed on an Elasticsearch cluster before being taken offline, cybersecurity researchers say. The dataset included usernames, email addresses, plaintext passwords, and service
For a short window of time, a huge cache of stolen account data sat exposed on the open internet. Then it went dark.
Cybersecurity researchers at Cybernews say that roughly 24 billion records from a publicly accessible Elasticsearch cluster were briefly available. Inside, the material reportedly included usernames, email addresses, plaintext passwords, and login URLs tied to a wide range of online services. The database was taken offline after discovery, but the sheer scale of the collection has only sharpened alarm among security teams: there’s now a bigger question about how much stolen credential data is already moving through cybercriminal ecosystems.
The dataset’s contents were not limited to one type of theft trail. Researchers say the exposed system held a mix of data types, with most entries appearing to be infostealer logs—records captured by malware built to extract sensitive information from infected devices. Those logs typically include usernames and passwords, browser-stored credentials, and sometimes session data or tokens. Many records also reportedly came with the service URL the credentials were intended to access.
The numbers are staggering. Researchers say the dataset was pulled from at least 36 sources, spanning Telegram channels to breach compilations and data allegedly exported directly from live systems. About 1.7 billion records were traced to Telegram channels linked to cybercrime activity, including groups sharing stolen credentials and financial data.
Then there’s the largest chunk: around 22.6 billion records grouped under a label described as “collections.” Researchers say that section likely combined multiple infostealer datasets and previously leaked material, though the exact origin remains unclear. Even with the database offline, the core uncertainties aren’t resolved—researchers say it’s still unknown who assembled or maintained the database, how many unique victims are represented, and how many of the records are duplicates.
The leak also contained material that doesn’t look like typical stolen-credential packaging. Researchers identified documents referencing known vulnerabilities (CVEs) and linking to GitHub repositories. Some entries included news articles about recent cyber incidents, and some appeared to carry social media posts discussing ransomware operations and breach activity.
That combination suggests the collection’s maintainer may have been actively monitoring cybersecurity developments while continuously adding material. And while the exposed Elasticsearch cluster is no longer publicly accessible, researchers stress the risk hasn’t disappeared—because the danger doesn’t hinge on whether the database is online. If stolen credentials are already out in the wild, they can be used long after an exposure ends.
There’s one part that hits users hardest: credential reuse. If attackers find that the same login details work across multiple platforms, they can launch automated credential stuffing attempts and test those credentials at scale. Security guidance remains blunt here—experts say multi-factor authentication and avoiding reused passwords are among the most effective defenses.
For people trying to stay ahead of what may already be compromised, cybersecurity experts are urging immediate action. Users are being told to change reused passwords, especially for email, banking, and social media accounts, and to enable multi-factor authentication wherever possible. Password managers are also recommended to generate unique credentials for each service.
Even if someone upgrades their passwords today, the next threat can arrive in a familiar shape. Users are also being warned to watch for phishing emails or messages claiming to check whether their data was exposed. Those prompts are often designed to pull even more credentials from victims.
The database may be offline now, but the scale of what it held leaves a lasting bruise—and a reminder that the afterlife of stolen data can be much longer than the moment it was seen.