Digital security · Global · Breaches

24 billion credentials in the open: what a giant dump reveals about the infostealer economy

In June, Cybernews researchers found an open database with 24 billion records and 8.3 TB, mostly logs from password-stealing malware. The number is striking, but the finer point is elsewhere: how many are duplicates and how many unique people lie behind them is unknown, and the owner turned out to be a security firm that left it exposed through a misconfiguration.

By Juan D. Gonzáles · Data and visualization · 9 min read

Tags: infostealers, credentials, Cybernews, Elasticsearch, data leak, MFA, password theft, Telegram, RedLine, cybersecurity

Figure: 24 billion credentials, in context. Large aggregations of leaked credentials, by number of records:
  “Mother of all breaches” (Jan 2024): 26 bn
  Dump found by Cybernews (Jun 2026): 24 bn
  Collection put up for sale (2019): 2.7 bn
Counts of records, not people. The composition differs: the 2026 dump skews toward fresh infostealer logs, and the share of duplicates is unknown. Sources: Cybernews and prior public compilations.

The find

It is the kind of figure you read twice. On 12 June 2026, Cybernews researchers found a publicly accessible Elasticsearch cluster with 24 billion records and more than 8.3 terabytes of data, which they described as likely one of the largest databases ever exposed. The cluster went offline around 15 June, and the researchers said they had triple-checked the count.

Most of the records appeared to be infostealer logs: usernames, emails, plaintext passwords and the login URLs those credentials corresponded to. That last detail is what turns a list into a map: the records included the exact address of the service each credential was meant to open, handing an attacker an explicit roadmap.

What was inside

The interior of the dump says more than its size. Cybernews attributed the 24 billion records to 36 sources: around 1.7 billion came from cybercrime-linked Telegram channels, in English and Russian, and some 22.6 billion appeared under a label called “collections” that could not be examined in depth before the database was secured. Among the data, the researchers found an unusual subset: about 17,000 records with vulnerability identifiers (CVEs) and links to GitHub repositories, and more than 5,200 with press articles about recent breaches, one of them from February 2026. That mix suggests whoever maintained the database was tracking security news closely to keep it current.

The twist: not a criminal’s loot

This is where the headline asks for a caveat, and the caveat is the story. After publishing the find, Cybernews learned the database belonged to a threat-intelligence and breach-monitoring platform, used to detect risks affecting its clients, and that the data had been exposed by a misconfiguration during a temporary migration. The same material that, in a defender’s hands, serves to warn a victim, in an attacker’s hands serves to find the next target. The researchers themselves summed up that ambivalence: a company may hoard this data for a monitoring service, and a malicious actor may hoard it to discover new ways in.

The infostealer economy

The dump is a symptom of a market, not an isolated accident. An infostealer log from a single infected device can include the passwords saved across all browsers, active session cookies and tokens — including those that bypass two-step verification — autofill data, device fingerprints and, at times, crypto wallets. Programs such as RedLine operate as malware-as-a-service, letting low-skilled attackers take part in the business. These programs spread through malicious ads, fake browser updates, one-click downloads, social-engineering techniques such as ClickFix, pirated software and dubious extensions.

Why the size is not the most important figure

For a data newsroom, the temptation is to headline the big number; honesty requires deflating it a little. Cybernews could not confirm how many records were duplicates or how many unique people were affected, because the database was taken down soon after the find. Twenty-four billion records do not equal twenty-four billion victims: many credentials repeat, recombine and reappear across collections. The dump sits in the same league as the so-called “mother of all breaches” of 2024, but skews more toward fresh infostealer logs than toward old, static breaches. The real risk is not the abstract magnitude but a concrete practice: password reuse on accounts without two-step verification.
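The gap between records and people that this paragraph describes can be made concrete. The Python script below is an added example, not code from the article or from Cybernews, and every record in it is constructed. It takes records in the shape the article describes for infostealer logs (login URL, username or email, plaintext password), normalizes them by service hostname and lower-cased identity (a normalization choice assumed here, not one the article states), and counts them at each level of aggregation: raw records, distinct credentials, distinct identities, distinct services. It then flags identities that reuse one password across several services, which is the concrete risk the paragraph ends on and the kind of signal a breach-monitoring platform turns into a warning.

```python
"""Added example (not from the article or Cybernews): why record counts
overstate the number of people behind a credential dump, and how to
surface password reuse across services from infostealer-style records.
All sample records below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: (login URL, username/email, plaintext password).
# Exact duplicates, case variants and recombinations are deliberate; they
# are the reason a record count is not a victim count.
SAMPLE_RECORDS = [
    ("https://mail.example.com/login", "Ana@Example.com", "Spring2024!"),
    ("https://mail.example.com/login", "ana@example.com", "Spring2024!"),    # same credential, different case
    ("https://shop.example.net/account/login", "ana@example.com", "Spring2024!"),  # password reused on a second service
    ("https://bank.example.org/signin", "ana@example.com", "x9$uniqueBank"),
    ("https://shop.example.net/account/login", "ben@example.com", "hunter2"),
    ("https://forum.example.com/login", "ben@example.com", "hunter2"),      # password reused on a second service
    ("https://forum.example.com/login", "ben@example.com", "hunter2"),      # exact duplicate record
    ("https://mail.example.com/login", "cara@example.com", "correct-horse"),
]


def normalize(record):
    """Reduce a raw record to (service hostname, lower-cased identity, password).

    Assumption: the hostname of the login URL identifies the service, and
    identities are case-insensitive, so 'Ana@Example.com' and
    'ana@example.com' are the same person.
    """
    url, user, password = record
    parts = urlsplit(url)
    service = parts.hostname.lower() if parts.hostname else url.lower()
    return service, user.strip().lower(), password


def summarize(records):
    """Count the dump at each level of aggregation, from records down to people."""
    norm = [normalize(r) for r in records]
    return {
        "records": len(records),
        "unique_credentials": len(set(norm)),              # distinct (service, identity, password)
        "unique_identities": len({u for _, u, _ in norm}),  # distinct people, by identity
        "unique_services": len({s for s, _, _ in norm}),    # distinct login targets
    }


def password_reuse(records):
    """Map identity -> list of service groups that share one password.

    Only groups with more than one service are reported, and the password
    itself is never returned; the services are enough to drive a warning.
    """
    by_identity = defaultdict(lambda: defaultdict(set))
    for service, identity, password in (normalize(r) for r in records):
        by_identity[identity][password].add(service)
    reuse = {}
    for identity, passwords in by_identity.items():
        for services in passwords.values():
            if len(services) > 1:
                reuse.setdefault(identity, []).append(sorted(services))
    return reuse


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    for identity, groups in password_reuse(SAMPLE_RECORDS).items():
        for services in groups:
            print(f"{identity}: one password shared across {', '.join(services)}")
```

On the constructed sample, eight records collapse to six distinct credentials held by three people across four services, and two of those people reuse a password on more than one service. The same ratios are what Cybernews could not establish for the real dump before it went offline, which is why the paragraph above treats the 24 billion figure as an upper bound on records rather than a count of victims.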

What to do with it

The defense is unglamorous and effective. The researchers stressed that billions of accounts are at risk of takeover if they are not protected with two-step verification, and recommended checking one’s own data exposure and changing reused passwords. At the individual level, the recipe is familiar: unique passwords, a password manager, two-step verification and wariness toward the ads and downloads that open the door to infection. At the organizational level, the case leaves an uncomfortable lesson: a database meant to defend became, through a poorly secured migration, one more leak. An organization’s configuration hygiene matters as much as the individual user’s password hygiene.