A database containing roughly 24 billion records, including usernames, email addresses, passwords and login URLs, was left exposed online in what cybersecurity researchers describe as one of the largest credential leaks ever discovered.
Researchers at Cybernews said they uncovered the publicly accessible database on June 12, finding more than 8.3 terabytes of information stored in an unsecured Elasticsearch cluster. The vast majority of the records appeared to be linked to infostealer malware, malicious software designed to steal credentials and other sensitive data from infected devices.
The discovery points to the growing scale of cybercrime operations built around stolen digital identities and raises fresh concerns about account takeovers, identity theft and credential-based attacks affecting individuals and businesses worldwide.
“The credential data leak is dangerous simply because of its enormous size. Since the data leaked online, billions of affected accounts are at serious risk of takeovers, especially if they are not protected with multi-factor authentication,” the Cybernews research team said.
According to researchers, the exposed records included login credentials stored in raw format, with email addresses, usernames and plaintext passwords listed separately. The database also contained URLs linked to the services the credentials were intended to access, providing a roadmap for potential cybercriminals seeking to exploit compromised accounts.
The records originated from 36 separate sources, including Telegram channels associated with cybercrime activity, historical breach compilations, infostealer malware collections and what appeared to be direct exports from compromised servers.
More than 22.6 billion records were categorized as “collections,” a term researchers believe may refer to aggregated datasets compiled from previous breaches and infostealer campaigns. Another 1.7 billion records were linked to Telegram-based sources, many of which appeared to focus on distributing stolen credentials and breached databases.
Researchers said more than 30 of the identified sources were Telegram channels, with datasets ranging from a few thousand records to hundreds of millions. Some channels were in English while others were in Russian.
The database also contained approximately 150 million records labeled “local database dumps,” suggesting that at least part of the information may have been exported directly from compromised systems or servers.
Additional records were linked to well-known credential collections, including the AntiPublic dataset, a massive compilation of stolen usernames and passwords that first surfaced in 2016. Cybernews researchers identified references to at least 195 distinct files, some of which categorized credentials by service type, including streaming platforms and adult-content websites.
Another 146 million records came from a source described as a “breach compilation combo,” likely containing credentials obtained from previous data breaches. Such data remains valuable to cybercriminals because users frequently reuse passwords across multiple online services.
The exposed database also contained a smaller but unusual collection of cybersecurity intelligence. Researchers identified approximately 17,000 records related to software vulnerabilities, cybersecurity news articles and social media posts discussing hacking incidents and ransomware operations.
Among them were more than 9,500 documents containing Common Vulnerabilities and Exposures (CVE) references and links to related code repositories, as well as thousands of records tracking recent breach reports and cybercrime discussions.
The findings suggest that whoever assembled the database was actively monitoring emerging cybersecurity threats and continuously updating the collection with information from new breaches and exploits.
Researchers were unable to determine who owned the database or why it was being maintained. The server was removed from public view shortly after discovery, limiting further analysis.
Cybernews said both commercial entities and threat actors could have reasons for maintaining such a repository.
“Companies could collect this data for a monitoring service or a security check service, and threat actors could be collecting this data to aid in discovering fresh exploits to help them with data breaches,” the researchers said.
The team noted that the scale of the leak makes it difficult to determine how many unique individuals may be affected because the dataset likely contains duplicates from multiple breaches accumulated over several years.
Researchers also could not determine the age of most of the records. However, the presence of cybersecurity news content from as recently as February 2026 suggests the database was actively updated.
The discovery adds to a growing list of massive data exposures identified in recent years. In 2025, Cybernews reported finding multiple datasets containing a combined 16 billion login credentials, while a separate leak uncovered in 2024 exposed more than 26 billion records spanning 12 terabytes of data.
Cybersecurity experts say the latest discovery underscores the importance of unique passwords, multi-factor authentication and regular credential monitoring as increasingly large databases of stolen information continue to circulate among cybercriminals.
For businesses, the leak serves as a reminder that credential theft remains one of the most common entry points for cyberattacks, particularly when employees reuse passwords across multiple systems and services.
