24 billion stolen credentials found in a massive exposed database

A newly discovered database holding roughly 24 billion stolen credential records has surfaced online, one of the largest collections of leaked login data ever found. Researchers at Cybernews uncovered the trove on a publicly exposed Elasticsearch server containing more than 8.3 terabytes of data, which was left open to anyone who knew where to look before it was pulled offline.

The records were not stolen in a single breach. According to the research, the hoard was assembled from about 36 sources, including dozens of Telegram channels, older breach compilations, and large batches of infostealer logs, with some data apparently exported directly from live servers. Roughly 1.7 billion records came from hacking-focused Telegram channels alone, including at least one dedicated to stolen payment card data.

Why this one is different

Mega-leaks are not new, and this collection sits in the same league as the so-called "Mother of All Breaches" from a few years ago. What makes it more dangerous is its composition: it leans heavily on fresh infostealer logs rather than recycled, years-old breach data. A single infostealer log from one infected computer can contain passwords saved in every browser, active session cookies and tokens that can bypass multi-factor authentication, autofill data, device fingerprints, and sometimes cryptocurrency wallets. In other words, this is not just a list of old passwords but a snapshot of live, usable access.

The dataset also included articles about breaches and posts about cyberattacks, suggesting the owner actively enriches the credential pile with current security news, either to run a commercial "monitoring" service or for outright offensive use. Because the server was taken down quickly, researchers could not fully count how many records were duplicates, so the true number of unique victims is unclear.

How the data leaks out

Most of this material originates from infostealer malware, which commonly spreads through malicious ads, fake browser updates, pirated software, and one-click downloads. A fast-growing technique called ClickFix tricks people into infecting their own machines by copying and running a command they were told would "fix" a problem. IntelFusions has also tracked a steady stream of fake software installers that smuggle infostealers onto victims' devices.

What you should do

Check whether your email addresses have appeared in known breaches or stealer logs. If you find exposed passwords, change them immediately and stop reusing the same password across sites, prioritizing email, banking, and other high-value accounts. Turn on multi-factor authentication everywhere it is offered, since it blunts the value of a stolen password. Never run commands or scripts copied from a website, email, or message unless you fully trust and understand them, and download software only from official sources. The discovery is documented in a public writeup.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
