AIO APEX

Researchers find 24 billion stolen credentials in an 8.3 TB infostealer dump left exposed online

Cybernews

Cybernews researchers discovered what they are describing as one of the largest credential dumps ever found: an unsecured Elasticsearch cluster containing 24 billion records totalling more than 8.3 terabytes of data. The collection was found on June 12, 2026, and the database was taken offline or secured by June 15. While the immediate exposure window has closed, the data itself — compiled from infostealer malware logs, Telegram channels, and existing breach compilations — remains in circulation wherever it was shared before discovery.

The scale puts this leak in a category of its own. The 2021 RockYou2021 compilation, widely cited as the largest credential list ever published, contained 8.4 billion records. The 2024 RockYou2024 release expanded that to nearly 10 billion. At 24 billion records, this collection is more than double either of those, and the composition matters: unlike older compilations that are mostly recycled data, a significant portion of this dump comes from fresh infostealer logs, meaning recently stolen credentials that have not yet been widely rotated.

What Infostealer Logs Are and Why They Are Worse Than Database Dumps

Traditional breach databases contain credentials stolen when a specific service is compromised. They usually hold hashed passwords that must be cracked before they are usable, and they are often years out of date by the time they appear in dumps. Infostealer logs are different. They are generated by malware running on infected devices: the malware reads the saved-password and autofill stores of the browsers installed on the machine, decrypts them with the keys available to the logged-in user, and copies session cookies, so its output is plaintext credentials tied to the victim's real accounts.

This means infostealer logs contain working credentials as of the date the infection occurred. They bypass the need to crack hashes. They usually include the login URL alongside each username and password (the common "url:login:password" line format), making it trivial to match a password to the service it unlocks. And because they pull credentials from the infected machine's browser storage, they often capture passwords that users have not changed in years, the ones sitting in browser autofill that they have stopped thinking about. The stolen session cookies are a separate problem: a valid cookie lets an attacker resume the victim's session without logging in at all, which also sidesteps any multi-factor prompt on that account.

The 24 billion records in this collection were compiled from at least 36 different sources: various Telegram channels where infostealer operators sell logs, existing breach compilations, and what researchers describe as data that appears to have been exported directly from live servers, suggesting some portion of the data was very recently active.

Who Found It and What Happened

The Cybernews research team identified the exposed database on June 12 as part of ongoing scanning for publicly exposed cloud storage and database instances. The cluster was accessible without authentication — a misconfiguration that left all 8.3 terabytes readable by anyone who found the IP address. The database owner has not been identified publicly. Researchers speculate the data could belong to either a threat actor using it as an operational credential database, or a security company aggregating breach data for monitoring services — though the plaintext exposure and lack of any apparent access controls make the security-company theory less plausible.

The database was secured or taken offline by June 15, three days after discovery. The window of unprotected exposure is unknown — it could have been days or months.

The Credential Stuffing Risk

The practical risk from this type of leak is credential stuffing: automated tools that take username-password pairs from breach databases and test them against live services at scale. Services without rate limiting, IP blocking, or mandatory multi-factor authentication are particularly vulnerable. Note that stuffing tools routinely spread their attempts across large proxy pools, so per-IP rate limits slow them down but do not stop them; the more reliable signal is the pattern itself, many distinct usernames tried from one source with a very low success rate, rather than the volume from any single address.
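The following is an added example, not code from the Cybernews report or from any vendor named in it. It shows the detection logic a SOC would run over authentication logs to catch the credential-stuffing pattern described above: one source address cycling through many distinct usernames inside a short window with mostly failures, where the rare success marks an account whose leaked password still works. The log format (timestamp, source IP, username, result) and all sample lines are constructed for illustration, and the thresholds are assumptions to tune per service.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from any real system:
# 203.0.113.7 is a stuffing source cycling through accounts (one hit),
# 198.51.100.20 is one user who mistyped a password twice, the rest is normal.
SAMPLE_LOG = """\
2026-06-16T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-06-16T10:00:02Z 203.0.113.7 bob@example.com FAIL
2026-06-16T10:00:02Z 203.0.113.7 carol@example.com FAIL
2026-06-16T10:00:03Z 203.0.113.7 dave@example.com OK
2026-06-16T10:00:04Z 203.0.113.7 erin@example.com FAIL
2026-06-16T10:00:05Z 203.0.113.7 frank@example.com FAIL
2026-06-16T10:00:09Z 198.51.100.20 grace@example.com FAIL
2026-06-16T10:00:15Z 198.51.100.20 grace@example.com FAIL
2026-06-16T10:00:20Z 198.51.100.20 grace@example.com OK
2026-06-16T10:01:00Z 192.0.2.44 heidi@example.com OK
"""


def parse_events(text):
    """Parse 'timestamp ip user RESULT' lines into (datetime, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.3):
    """Return {ip: stats} for sources that, within any sliding `window`, hit at least
    `min_users` distinct accounts with a success ratio at or below `max_success_ratio`.

    Thresholds are illustrative assumptions; tune them to the service's real traffic.
    Stats accumulate over every window that trips the rule, so a late success by the
    same source still lands in `compromised`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = {u for _, u, ok in win if ok}
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                entry = flagged.setdefault(ip, {
                    "first_seen": win[0][0], "attempts": 0,
                    "distinct_users": set(), "compromised": set(),
                })
                entry["attempts"] = max(entry["attempts"], len(win))
                entry["distinct_users"] |= users
                entry["compromised"] |= successes  # accounts whose leaked password worked
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, "first seen", stats["first_seen"].isoformat(),
              "attempts", stats["attempts"], "distinct users", len(stats["distinct_users"]),
              "successful logins to rotate/lock:", sorted(stats["compromised"]))
```

The accounts in `compromised` are the ones that need an immediate password reset and session revocation; the failing attempts are noise to the attacker but, for the defender, a useful list of which employee addresses are circulating in the dump.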

Outlets that covered the Cybernews disclosure, including Malwarebytes and TechRadar, emphasize that the highest-risk users are those who reuse passwords across services, which, per most surveys, is the majority of users. A credential in this dump that matches a user's banking password, email password, or corporate VPN password creates an immediate account takeover risk regardless of where the credential was originally stolen.

What to Do

The standard advice applies and remains the right answer: use a password manager to generate unique passwords for every service, enable multi-factor authentication wherever available, and watch for account activity alerts from your email and financial providers. Services like Have I Been Pwned are expected to ingest credential data of this scale once it is made available by researchers, so checking your email address there in the coming days is worthwhile. Its Pwned Passwords service also lets you check whether a specific password has appeared in known dumps without sending the password itself: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned list of suffixes locally.

For security teams at organizations: this dump should be treated as a trigger to audit whether any employee credentials appear in publicly available breach databases and to enforce password rotation for any matches. Rotation alone is not enough when the source is an infostealer log. The infected device is usually still infected, so a new password typed into the same browser will be stolen again; the device has to be identified and cleaned or reimaged first. Session cookies and tokens in the log remain valid after a password change unless they are explicitly revoked. And because infostealers grab every saved credential on the machine, corporate credentials from employees with infected personal devices are particularly at risk, including a corporate password reused on a personal shopping or forum account.
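The following is an added example, not code from the Cybernews report or from Have I Been Pwned, covering both the password check described under the consumer advice and the triage a security team would do. It parses lines in the url:login:password layout common in infostealer logs, groups them by account, flags corporate accounts and corporate hosts, and reports where a corporate password was reused on a third-party site. It then shows the client side of the Pwned Passwords k-anonymity lookup: only the five-character SHA-1 prefix leaves the machine. All sample lines, the example.com domain and hostnames, and the range-response body are constructed; the response uses the real SHA-1 of the string "password" so the lookup has something to find, but its count is made up, and the fetch function is an offline stand-in for the HTTP request to the real API.

```python
"""Triage infostealer-style credential lines and check passwords via k-anonymity (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample url:login:password lines, not from any real log.
# jsmith reuses one password on two corporate hosts and a third-party shop;
# abrown uses the word "password" on the VPN; the last account is unrelated.
SAMPLE_ULP = """\
https://vpn.example.com/login:jsmith@example.com:Summer2024!
https://mail.example.com/:jsmith@example.com:Summer2024!
https://shop.example.org/account:jsmith@example.com:Summer2024!
https://vpn.example.com/login:abrown@example.com:password
android://com.example.app/:random@gmail.com:hunter2
not a valid line
"""
CORP_DOMAIN = "example.com"  # assumed organisation domain

# URL may contain ':' (scheme, port); the login may not contain ':' or '/', so the
# first "login:" boundary after the URL is unambiguous and the password keeps any ':'.
ULP_RE = re.compile(r"^(?P<url>(?:\S+?://)?\S*?):(?P<login>[^:/\s]+):(?P<password>.*)$")


def parse_ulp(line):
    """Return (url, login, password) or None if the line is not a url:login:password record."""
    m = ULP_RE.match(line.strip())
    return (m["url"], m["login"], m["password"]) if m else None


def hostname_of(url):
    """Hostname of a URL; lines without a scheme are treated as '//host/path'."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def triage(text, corp_domain):
    """Group records by account; keep those touching the organisation and mark cross-site reuse."""
    accounts = {}
    for line in text.splitlines():
        rec = parse_ulp(line)
        if rec is None:
            continue
        url, login, password = rec
        host, login = hostname_of(url), login.lower()
        corp_account = login.endswith("@" + corp_domain)
        corp_host = host == corp_domain or host.endswith("." + corp_domain)
        if not (corp_account or corp_host):
            continue
        acct = accounts.setdefault(login, {"corp_hosts": set(), "other_hosts": set(), "passwords": {}})
        (acct["corp_hosts"] if corp_host else acct["other_hosts"]).add(host)
        acct["passwords"].setdefault(password, set()).add(host)
    for acct in accounts.values():
        # A corporate password also saved for a non-corporate site: the classic stuffing pivot.
        acct["reused_on_third_party"] = any(
            hosts & acct["corp_hosts"] and hosts & acct["other_hosts"]
            for hosts in acct["passwords"].values())
    return accounts


def pwned_passwords_query(password):
    """Client side of the Pwned Passwords range API: split SHA-1 into a 5-char prefix (sent) and suffix (kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse 'SUFFIX:COUNT' lines from a range response; 0 means the password was not in the set."""
    for line in body.splitlines():
        s, _, count = line.strip().partition(":")
        if s.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to GET /range/5BAA6. The first suffix is the
# real SHA-1 tail of "password"; the count and the other two lines are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10437277
1E4D1A2B3C4D5E6F708192A3B4C5D6E7F80:3
1E4F0123456789ABCDEF0123456789ABCDE:1
"""


def fake_fetch_range(prefix):
    """Offline replacement for the HTTPS call; a real client would GET the range URL for `prefix`."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def check_password(password, fetch_range=fake_fetch_range):
    """Number of times `password` appears in the (here constructed) Pwned Passwords set."""
    prefix, suffix = pwned_passwords_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for login, acct in triage(SAMPLE_ULP, CORP_DOMAIN).items():
        print(login, "corp hosts:", sorted(acct["corp_hosts"]), "third-party:", sorted(acct["other_hosts"]),
              "reused on third party:", acct["reused_on_third_party"],
              "known-breached passwords:", sum(1 for p in acct["passwords"] if check_password(p)))
```

Passwords from the log should never be pasted into a web form or sent to a third party in the clear; the k-anonymity split above is the reason the Pwned Passwords check is safe to run against them, and it generalises to any prefix-range lookup service.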

Originally reported by Cybernews. Read the original article for additional details.
