Pierluigi Paganini
June 19, 2026
Exposed database with 24 Billion records revealed stolen credentials from infostealers, Telegram channels, and breach collections, risking account takeovers.
Cybernews researchers found an exposed Elasticsearch cluster on June 12th containing 24 billion records and more than 8.3 terabytes of data. They triple-checked the numbers. The numbers held up.
“The vast majority of the 24 billion exposed records, our researchers believe, were infostealer logs. In other words, stolen usernames, passwords, and services that these credentials were supposed to grant access to.” reads the report published by Cybernews. “The credential data leak is dangerous simply because of its enormous size. Since the data leaked online, billions of affected accounts are at serious risk of takeovers, especially if they are not protected with multi-factor authentication,” the team explained.”
The vast majority of records were infostealer logs: usernames, email addresses, and plaintext passwords, each credential saved separately alongside the URL it was supposed to unlock. Twenty-four billion is not a typo.
The data came from 36 distinct sources. Over 1.7 billion records traced back to Telegram channels, most of them openly involved in cybercrime and trading stolen credentials. More than 30 of the 36 sources were Telegram channels, with records ranging from a few thousand to hundreds of millions each, written in English and Russian.
The biggest chunk, 22.6 billion records, came from what the owner labeled “collections.” That term is deliberately vague.
“A staggering 22.6 billion records supposedly came from what the data owner named “collections.” These records could come from various infostealer collections previously leaked online, or they may indicate that the records are grouped by the services they are supposed to provide unauthorized access to.” continues the report. “Since the data was taken out of public view soon after the discovery, our researchers could not further investigate the origin of the information within the so-called “collection” source.”
Because the database was taken offline shortly after discovery, researchers couldn’t dig further into what’s actually inside those collections.
Interestingly, nearly 260 million records came from Telegram channels with “Darkside” in the name — yes, the same Darkside ransomware group that knocked out the Colonial Pipeline. Another 150 million records came from a source labeled “local database dumps,” which typically means someone downloaded the contents of a live server. Another 146 million came from a “breach compilation combo,” which is exactly what it sounds like: old breach data repackaged because people reuse passwords and rarely change them.
The researchers also found something unusual mixed in: around 17,000 records containing CVE vulnerability IDs with GitHub links, over 5,200 logs of news articles about recent data breaches, and nearly 2,900 logs of social media posts about cybersecurity incidents. One news article in the dataset was published as recently as February 2026.
“One of the vulnerabilities identified in the exposed cluster involved a Valhall GPU Kernel Driver issue.” states Cybernews. “All of this points to the data owner actively monitoring the cybersecurity landscape, with a likely intent to update their vast collection of credentials with records from the latest data breaches and data leaks.”
Someone isn’t just hoarding old data; they’re keeping it current.
The researchers can’t say how many records are duplicates, how old most of the data is, or who owns the database. They also can’t confirm exactly how many people are affected. What they can say is that the database is no longer publicly accessible, which doesn’t help anyone whose password was already in there. If you reuse passwords and don’t have two-factor authentication turned on, that’s the problem worth fixing today.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, 24 Billion data leak)
