24 Billion Stolen Records Found in Exposed Elasticsearch Cluster — Largest Credential Dump of 2026
Researchers discovered a publicly exposed Elasticsearch cluster containing 24 billion credential records from infostealer logs, Telegram channels, and prior breaches, posing massive account takeover risks.
A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online. The collection was briefly exposed on the internet before being taken offline. While researchers can't confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.
Researchers at Cybernews found a publicly exposed Elasticsearch cluster holding more than 8.3 TB of data. The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers. Because the data came from different sources there are some differences in what the records contain and how they are organized. Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Roughly 1.7 billion records came from hacking-related Telegram channels, mainly English and Russian, including at least one focused on stolen credit card data.
The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data. Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial "monitoring" service or for offensive use.
A few years ago, we wrote about what was called the Mother of All Breaches, where the source of the dataset has been identified as data breach search engine Leak-Lookup. This newly discovered 24‑billion‑record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data. An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass MFA), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.
Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That's reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk. The best place to start is with Malwarebytes Digital Footprint Portal (DFP), which can show you whether your information has appeared in known data exposures and breaches.
Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it's worth treating ads and pop-ups with healthy skepticism. Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores. Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action's purpose.
If you discover exposed passwords, change them immediately and make sure you aren't reusing the same password across multiple accounts. If you have reused passwords in the past, prioritize updating important accounts such as email, banking, shopping, and social media accounts. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed. Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue.