Exposed Elasticsearch Database Leaked 24 Billion Stolen Credentials
Researchers uncovered an exposed Elasticsearch database containing roughly 24 billion plaintext credential records, including usernames, email addresses, passwords, and associated login URLs. The dataset was estimated at more than 8 terabytes and appeared to aggregate data from 36 sources, including infostealer logs, Telegram channels, prior breach collections, local database dumps, and exports from live servers. Investigators said the database was publicly accessible before being taken offline, but the owner could not be identified.
The exposed records create a significant risk of credential stuffing, account takeover, and broader identity abuse at global scale, especially for users who do not use multi-factor authentication. Researchers reported that more than 30 of the sources were linked to Telegram channels and that 22.6 billion entries were broadly labeled as “collections,” while signs of regular updates suggested the dataset was being actively curated. They also found records referencing CVE identifiers, GitHub links, breach news, and social media posts about incidents, indicating the operator may have been monitoring the cybersecurity landscape while maintaining the credential trove.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Exposed credential database is taken offline after discovery
The exposed database was taken offline shortly after researchers discovered it. Researchers still could not identify the owner, determine the age of most records, or assess the full extent of duplication and affected individuals.
Cybernews discovers exposed Elasticsearch cluster with 24 billion records
Cybernews researchers found an exposed Elasticsearch cluster on June 12 containing roughly 24 billion records and more than 8.3 TB of data. The dataset largely consisted of stolen credentials, including usernames, email addresses, plaintext passwords, and associated URLs aggregated from 36 sources such as infostealer logs, Telegram channels, and breach collections.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
24 Billion Stolen Credentials Exposed in Massive Data Leak - Security Affairs
securityaffairs.com
Open source24B Records Exposed in Massive Leak of Emails, Passwords, and Login Data
techrepublic.com
Open sourceMassive database with 24 billion credentials found exposed online | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Unsecured Infostealer Database Exposes 149M Usernames and Passwords
A publicly accessible database containing **~149.4 million unique usernames and passwords** (about **96GB** of data) was discovered online by security researcher **Jeremiah Fowler**. The trove included not just credential pairs but also associated site links, indicating it was designed to enable direct account access across many services; major concentrations included **Gmail (48M)**, **Facebook (17M)**, **Instagram (6.5M)**, **Yahoo (4M)**, **Netflix (3.4M)**, **Outlook (1.5M)**, **iCloud (900K)**, and **Binance (420K)**. The database was reportedly **not encrypted and not password-protected**, and it also contained credentials tied to **.gov domains** from multiple countries, raising risks of follow-on activity such as spearphishing, impersonation, and potential access attempts against government networks. Fowler reported the exposure to the hosting provider, and the database was subsequently **removed for terms-of-service violations**; Fowler said he could not determine who owned or operated the dataset. Reporting indicates the database likely aggregated logs from **infostealer malware**, which commonly uses techniques like **keylogging** to capture credentials from infected devices; Fowler noted the dataset continued to **grow over roughly a month** while he worked to reach the host. The hosting arrangement was described as a global provider using regional affiliates, with the exposed instance attributed to an affiliate in **Canada**, and the provider was not publicly named.
Mar 21, 2026
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026