Researchers have uncovered an exposed database containing 24 billion records, including usernames, email addresses, plaintext passwords, and login URLs. The data is believed to originate from infostealer malware logs, credentials stolen from compromised devices, Telegram channels, breach compilations, and other sources.
Researchers discovered an exposed Elasticsearch cluster containing 24 billion records and more than 8.3TB of data.
Most of the records appear to be infostealer logs, including usernames, email addresses, passwords, and login URLs.
The data originated from 36 different sources, including Telegram channels, breach compilations, and large credential “collections.”
It is currently impossible to determine how many records are duplicates or how many unique individuals have been affected.
The database is no longer publicly accessible, but reused passwords may still put countless accounts at risk.
While data breaches exposing millions of records have become increasingly common, a leak involving 24 billion usernames and passwords is on an entirely different scale. The sheer size of the discovery prompted researchers to repeatedly verify their findings after uncovering more than 8 terabytes of exposed data.
On June 12, researchers identified what may be one of the largest exposed databases ever discovered. They believe the overwhelming majority of the 24 billion records consist of infostealer logs. In other words, the database contains stolen usernames, passwords, and information about the services those credentials could potentially access.
“The credential leak is dangerous simply because of its enormous size. Since the data became exposed online, billions of accounts have been at serious risk of compromise, especially those not protected by multi-factor authentication,” the researchers explained.
The records were stored in an exposed Elasticsearch cluster, a group of interconnected search servers. The total volume of information exceeded 8.3 terabytes.
Nearly all of the exposed records were infostealer logs – data collected by malware designed to steal sensitive information. According to researchers, the logs contained credentials in plain text, including email addresses, usernames, and passwords.
In addition, researchers identified the URLs that the stolen credentials could allegedly provide access to, as well as the sources from which the logs originated. The exposed data came from 36 different sources, ranging from Telegram channels and aggregated collections of previous breaches to datasets exported directly from active servers.
More than 1.7 billion records are believed to have originated from various Telegram channels. All of them appeared to be connected to cybercriminal activity, primarily focused on credential theft and the distribution of leaked data.
More than 30 of the 36 sources were Telegram channels. The volume of records ranged from a few thousand entries to hundreds of millions. Most of the channels were in English, although some operated in Russian.
For security reasons, the names of these channels have not been disclosed. However, researchers noted that most of the Telegram-related data was likely sourced from channels associated with hacking and credential-sharing activities.
A separate category of Telegram channels was dedicated to distributing stolen payment card information. According to the findings, at least one channel appeared to be entirely focused on publishing compromised credit card data.
Interestingly, nearly 260 million records were linked to a source labeled “Darkside.” Several years ago, Darkside was one of the most prolific ransomware groups in operation. The group is best known for the attack on the Colonial Pipeline, which caused major fuel supply disruptions across the U.S. East Coast.
Approximately 22.6 billion records were attributed to a source identified as “collections.” These records may represent massive archives of infostealer logs that were previously leaked online, or datasets grouped according to the services they allegedly provide unauthorized access to.
Because the exposed database was taken offline shortly after its discovery, researchers were unable to conduct a deeper investigation into the origin of these so-called collections.
As a result, it was also impossible to determine which specific services were represented in the leak. However, given the enormous scale of the dataset, it is highly likely that it included platforms with very large user bases.
Researchers also identified a source containing 150 million records labeled “local database dumps.” Such records may indicate data exported directly from active servers.
“Additionally, the records contained the names of the files from which they were imported. In total, we identified at least 195 different file names. Some of them indicated connections to the AntiPublic collection and helped determine the types of accounts it contained,” the researchers said.
AntiPublic is one of the most well-known collections of stolen credentials. First appearing in 2016, it contained approximately 600 million records. Some of the files were categorized by service type, such as adult-content platforms or streaming services.
Another 146 million records originated from a source called “breach combination” and likely consisted of data gathered from previous security breaches. Such datasets are particularly valuable to cybercriminals because many users continue to reuse the same passwords for years.
The smallest source contained just 27 records and was labeled “RedLine Stealer.” RedLine is one of the most widely used infostealers and operates under a Malware-as-a-Service (MaaS) model, allowing cybercriminals to steal credentials with minimal technical expertise.