Cybersecurity researchers at Cybernews recently discovered an exposed database containing roughly 24 billion stolen credential records, making it one of the largest collections of stolen login data ever found on the internet.
The records, stored in more than 8.3 terabytes of data, included usernames, email addresses, plaintext passwords, and the login URLs the credentials were meant to unlock. The database was hosted on a publicly accessible Elasticsearch cluster, meaning anyone who knew where to look could browse its full contents without any login or authentication.
After the original report was published, researchers learned that the dataset belonged to a threat intelligence and breach monitoring platform. The data was left exposed due to a misconfiguration during a temporary migration of the platform. The cluster was taken offline 3 days after it was discovered on June 15, 2026.
What the Data Contained
The vast majority of the exposed records were structured infostealer logs. Infostealers are a category of malware designed to steal sensitive information from infected devices. A single infostealer log from one compromised device can include passwords stored across all browsers, active session cookies and tokens, autofill data, device fingerprints, and sometimes crypto wallet or messaging account data.
The dataset appears to be a massive aggregation drawn from at least 36 sources. These include cybercrime-related Telegram channels, historical breach compilations, and large collections of previously leaked or combined datasets. Researchers estimate that over 1.7 billion records originated from Telegram channels, many of which specialise in distributing stolen credentials.
The largest portion, around 22.6 billion records, comes from unidentified collections, making it difficult to determine their exact origin. Additional sources include approximately 146 million records from breach compilations, along with smaller datasets linked to malware families such as the RedLine stealer and exports taken directly from live systems.
How It Compares to Past Leaks
The 2024 “Mother of All Breaches” was primarily a static compilation of credentials from past corporate data breaches. The database discovered in June 2026 is more heavily weighted toward fresh infostealer logs, data stolen directly from individual infected devices, often within the past few months, and contains a documented layer of vulnerability intelligence suggesting the operator was using it as an active attack-targeting tool rather than simply archiving historical breach data.
In July 2025, Cybernews researchers also uncovered what was then one of the largest data leaks in history, a total of 16 billion records across 30 exposed datasets. For context, the 2024 “Mother of All Breaches” spanned over 26 billion records across 12 terabytes of data. The June 2026 discovery surpasses the 2025 leak in volume, although researchers note they cannot yet confirm how many of the 24 billion records are duplicates.
What This Means for Everyday Users
The Cybernews research team warned that the credential data leak is dangerous because of its enormous size. Since the data was exposed online, billions of affected accounts are at serious risk of account takeovers, especially those not protected with multi-factor authentication.
Have I Been Pwned added 56.3 million email addresses from the infostealer dataset on June 15, 2026. Users can visit the platform to check whether their email addresses appear in the exposed data.
Security researchers advise changing passwords on critical accounts immediately, starting with email, banking, and workplace systems, using unique passwords for each account managed through a password manager, and turning on multi-factor authentication wherever it is available. For accounts where a device was previously infected with infostealer malware, researchers note that MFA alone may not be enough, as session cookies can be stolen before authentication is triggered.
Credential theft at this scale, drawn from dozens of sources and aggregated and enriched in near real time, means that the infrastructure behind cybercrime has become more organised and more persistent.
