24 Billion Credentials Just Leaked — Is Yours in There?

Researchers found one of the largest credential databases ever exposed. Here's what was inside, who's at risk, and what to do right now.
On June 12th, Cybernews researchers discovered an exposed Elasticsearch cluster containing 24 billion records and over 8.3 terabytes of data. It is likely one of the largest credential databases ever found publicly accessible. The database is now offline, but the credentials inside aren't going away.
Here's what you need to know.
What Was Inside
Nearly every record in the database was an infostealer log, which is data harvested from infected devices by malware that silently collects browser-saved passwords, session cookies, and login URLs.
Each record included:
- Email address or username
- Plaintext password (not hashed — the real one)
- The URL the credential unlocks
- The source the log came from
The data came from 36 distinct sources: over 30 criminal Telegram channels (including channels named after the Darkside ransomware gang responsible for the Colonial Pipeline attack), breach compilations, direct database exports from live servers, and large aggregate collections.
Over 22.6 billion records came from sources labeled "collections", which are aggregations of previously leaked data, infostealer logs, and credential dumps organized by the type of service they unlock. Streaming accounts. Adult content platforms. Banking logins. Cloud services.
The remaining 1.7 billion+ records came directly from criminal Telegram channels.
This Isn't a Breach — It's Worse
A traditional data breach means a company's database was hacked and records were stolen. What Cybernews found is different: this is a credential aggregation operation — someone who has been systematically collecting infostealer logs from Telegram channels, breach compilations, and database dumps and consolidating them into a single searchable index.
The data owner was actively maintaining the database. Researchers found:
- 5,200+ documents tracking news articles about recent data breaches, including a February 2026 article
- 9,500+ documents cross-referencing CVE vulnerability IDs and GitHub exploit repositories
- 2,900+ documents logging social media posts about cybersecurity incidents
This isn't hoarding. This is operational intelligence, i.e., someone building and refining a targeting resource.
Why Infostealer Logs Are the Most Dangerous Credential Type
A password in a breach dump is dangerous. A credential from an infostealer log is catastrophic.
Here's why: an infostealer doesn't just grab your password. It grabs every saved password on your device, including banking, email, work VPN, cloud storage, password manager, and master password in a single pass. It also grabs active session cookies, which allow attackers to bypass your 2FA entirely by replaying an authenticated session without needing your password at all.
The infostealer runs silently, usually via a malicious download or phishing link. Within 24–72 hours, the harvested logs appear for sale in criminal Telegram channels. Within days, attackers are testing your credentials against financial accounts and corporate VPNs.
By the time you find out your password was in a breach database, the attacker may have already been inside your email, your bank, and your work network using your credentials, authenticated and invisible.
The Reused Password Problem
Even if you've never been directly infected by infostealer malware, you're at risk if any of your passwords appear in a breach compilation.
The 24 billion record database includes the AntiPublic collection (originally 600 million records from 2016), breach compilations, and "combo lists", which are files that pair email addresses with every known password associated with that address across all prior breaches.
If you reused a password from any service that was breached in the last decade, your credentials exist in this database and they are ready to be tested against your current accounts via automated credential stuffing.
The database is offline. The credentials are not.
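The reuse exposure described in this section can be checked mechanically against your own password inventory. The Python below is an added example, not code from Cybernews or RelayShield: the record fields follow the list under "What Was Inside", while the LEAKED and VAULT names, the status labels, and every value in them are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: leaked records in the four-field shape described
# above (login, plaintext password, URL, source). All values are invented.
LEAKED = [
    {"login": "ana@example.com", "password": "Tr0ub4dor&3",
     "url": "https://forum.example.net/login", "source": "collection-1"},
    {"login": "ana@example.com", "password": "old-2016-pass",
     "url": "https://shop.example.org/account", "source": "telegram-channel-a"},
]

# Constructed password-manager export for the same person.
VAULT = [
    {"login": "ana@example.com", "password": "Tr0ub4dor&3",
     "url": "https://forum.example.net/"},
    {"login": "Ana@Example.com", "password": "Tr0ub4dor&3",
     "url": "https://bank.example.com/signin"},
    {"login": "ana@example.com", "password": "k9#unique-VPN-pass",
     "url": "https://vpn.example.com"},
    {"login": "ana@example.com", "password": "new-shop-pass",
     "url": "https://shop.example.org/"},
]

def host(url):
    """Compare by hostname so differing paths on one site still match."""
    return (urlsplit(url).hostname or "").lower()

def classify(vault, leaked):
    """Label each vault entry 'exposed', 'reuse-exposed' or 'ok'."""
    direct = {(r["login"].lower(), r["password"], host(r["url"])) for r in leaked}
    pairs = {(r["login"].lower(), r["password"]) for r in leaked}
    out = []
    for e in vault:
        login = e["login"].lower()  # logins are matched case-insensitively
        if (login, e["password"], host(e["url"])) in direct:
            status = "exposed"        # this exact credential is in the leak
        elif (login, e["password"]) in pairs:
            status = "reuse-exposed"  # leaked for another site, reused here
        else:
            status = "ok"             # the current password was not leaked
        out.append((host(e["url"]), status))
    return out

if __name__ == "__main__":
    for h, s in classify(VAULT, LEAKED):
        print(f"{h:22} {s}")
```

The bank entry never appears in the leaked records, yet it is flagged because the forum password was reused there; the shop entry is clear because its leaked password has already been replaced.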
What to Do Right Now
The Cybernews team and every security researcher who has looked at this data agree on the same immediate steps:
Change reused passwords first. Email, banking, and anything tied to your phone number. These are the accounts attackers target first because they unlock everything else.
Enable MFA everywhere it's available. Authenticator apps are preferred over SMS as SIM swap fraud can intercept SMS codes even when 2FA is enabled.
Use a password manager. Unique passwords on every account eliminate credential stuffing entirely. A password reused nowhere cannot be stuffed anywhere.
Check your email addresses against breach databases. If your email appears in the Cybernews dataset, it should surface in monitoring tools within days.
Watch for phishing follow-up. Attackers who have your credentials often send targeted phishing messages referencing account details you'd expect only a legitimate sender to know. That detail came from your infostealer log. Don't trust the context.
What RelayShield Monitors
RelayShield monitors the exact data sources involved in this leak, including criminal Telegram channels and infostealer log markets in near real-time. When your credentials appear in a new log or breach compilation, you receive an alert within hours, not weeks, with a four-step device remediation protocol.
RelayShield also monitors your phone number at the carrier level for SIM swap activity, the attack that bypasses 2FA the moment your credentials are replayed against a financial account.
The 24 billion records are offline. But the criminal Telegram channels that distributed them are still active. New logs are posted every day.
Sources: Cybernews Research Team, June 17, 2026.




