Massive MongoDB Exposure of 4.3 Billion Professional Records
A misconfigured MongoDB database containing approximately 16 terabytes of data was discovered exposed online, revealing 4.3 billion professional records. The database, found by cybersecurity researcher Bob Diachenko in collaboration with nexos.ai, included sensitive personally identifiable information (PII) such as full names, email addresses, phone numbers, job roles, employment history, education, and links to professional platforms like LinkedIn. The dataset was organized into nine collections, with at least three containing nearly two billion unique records each, and one collection alone holding over 732 million records with photographs. The database was secured two days after discovery, but it remains unknown who may have accessed the data during the exposure window.
Analysis by Cybernews and other researchers indicated that the data likely originated from various sources, possibly through scraping and aggregation, and included enrichment metrics and Apollo.io IDs, though there was no evidence of a breach at Apollo.io itself. The scale and detail of the exposed information present significant risks for targeted phishing, social engineering, and identity theft. The owner of the database has not been confirmed, and the incident highlights ongoing risks associated with unsecured cloud databases and the aggregation of large-scale professional data sets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Exposed database is secured two days after discovery
Approximately two days after the exposure was identified, the open MongoDB database was closed or secured. Reports indicate the source or owner was still not publicly confirmed after remediation.
Researchers discover exposed 16TB MongoDB with 4.3B professional records
On 2025-11-23, researcher Bob Diachenko and nexos.ai found an unsecured MongoDB database exposed online containing about 16TB of data and roughly 4.3 billion professional or LinkedIn-style records. The dataset included names, emails, phone numbers, job roles, employment history, education, social media links, and other PII, with ownership still unconfirmed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
4.3B LinkedIn-Style Records Found in One of the Largest Data Exposures Ever
techrepublic.com
Open source16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records
hackread.com
Open sourceExperts found an unsecured 16TB database containing 4.3B professional records
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
Exposed Elasticsearch Database Leaked 24 Billion Stolen Credentials
Researchers uncovered an exposed **Elasticsearch** database containing roughly **24 billion** plaintext credential records, including usernames, email addresses, passwords, and associated login URLs. The dataset was estimated at more than **8 terabytes** and appeared to aggregate data from **36 sources**, including infostealer logs, Telegram channels, prior breach collections, local database dumps, and exports from live servers. Investigators said the database was publicly accessible before being taken offline, but the owner could not be identified. The exposed records create a significant risk of **credential stuffing**, account takeover, and broader identity abuse at global scale, especially for users who do not use **multi-factor authentication**. Researchers reported that more than 30 of the sources were linked to Telegram channels and that **22.6 billion** entries were broadly labeled as “collections,” while signs of regular updates suggested the dataset was being actively curated. They also found records referencing **CVE** identifiers, GitHub links, breach news, and social media posts about incidents, indicating the operator may have been monitoring the cybersecurity landscape while maintaining the credential trove.
Jun 19, 2026