
24 Billion Exposed Records: Inside the Colossal Infostealer Credential Leak

Cybernews researchers discovered a publicly exposed Elasticsearch cluster holding 24 billion stolen credential records — usernames, plaintext passwords, and login URLs — drawn from infostealer malware logs, Telegram channels, and prior breach data. The database, now offline, also contained CVE vulnerability intelligence suggesting it was being used as an active attack-prioritization tool.


A credential hoard of historic scale

On June 12, 2026, Cybernews researchers discovered a publicly exposed Elasticsearch cluster holding 24 billion credential records: more than 8.3 terabytes of stolen usernames, email addresses, plaintext passwords, and login URLs assembled from 36 distinct sources. [cybernews +1] The data is primarily infostealer logs, the structured files produced by malware that, within seconds of execution, harvests every saved password and active session cookie from an infected device. [cybernews] The database was taken offline by June 15, but the credentials it contained remain in circulation. [techtimes]

The cluster drew from a wide array of sources. Over 1.7 billion records came from hacking-related Telegram channels (most in English, some in Russian), while 22.6 billion were labeled as "collections" aggregated from previous breaches. [cybernews] Nearly 260 million records traced to channels bearing the name "Darkside," the ransomware group behind the 2021 Colonial Pipeline attack. [msn] Cybernews later learned the database belonged to a threat intelligence company whose cluster was accidentally exposed during a routine server migration. [cybernews]

More than a static dump — an active attack toolkit

What distinguishes this discovery from ordinary breach compilations is roughly 9,500 embedded documents containing CVE vulnerability identifiers linked to active GitHub repositories, alongside 5,200 logs of breach news articles, one dated February 2026. [techtimes +1] The combination suggests the operator was cross-referencing known unpatched flaws with stolen credentials, building a framework to prioritize targets where credentials are valid and exploits already exist. [techtimes]

Session cookies add another layer of danger. Infostealer logs routinely include live browser session tokens, and replaying one bypasses multi-factor authentication entirely: the server treats the cookie as proof of a login that already completed its MFA step, so neither a password nor a second factor is ever requested. [malwarebytes] MFA-protected accounts therefore remain at risk if the underlying device was silently compromised while an authenticated session was active. [malwarebytes]

The infostealer economy and what to do next

Infostealers operate as a subscription service in the criminal underground, letting low-skilled actors pay monthly fees to deploy campaigns and receive harvested logs. [techtimes] Once a device is compromised through phishing, malicious ads, or pirated software, the malware exfiltrates its payload and often self-deletes without any visible trace. [malwarebytes +1] The downstream threat is credential stuffing: the automated replay of stolen username and password pairs against the login forms of hundreds of unrelated services at once, which works because people reuse passwords across services. One set of combolists produced AUD 500,000 in losses for members of Australian retirement funds in March 2025. [techtimes]
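Credential stuffing has a recognisable shape in authentication logs: one source address producing a few failures each across many different accounts, rather than many failures against one account. The following detector is an added example written for this article, not code from the article or from any of the cited sources. The log format (`timestamp event user=… ip=…`), the sample lines, the addresses and the account names are all constructed for illustration; the threshold and window are assumptions to tune against your own traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.7 sprays
# six different accounts in a few seconds, then one stolen pair works.
# 198.51.100.23 is an ordinary user who mistypes a password twice.
SAMPLE_LOG = """\
2026-06-15T10:00:01Z login_failed user=alice@example.com ip=203.0.113.7
2026-06-15T10:00:02Z login_failed user=bob@example.com ip=203.0.113.7
2026-06-15T10:00:02Z login_failed user=carol@example.com ip=198.51.100.23
2026-06-15T10:00:03Z login_failed user=dave@example.com ip=203.0.113.7
2026-06-15T10:00:04Z login_failed user=erin@example.com ip=203.0.113.7
2026-06-15T10:00:05Z login_failed user=frank@example.com ip=203.0.113.7
2026-06-15T10:00:06Z login_failed user=grace@example.com ip=203.0.113.7
2026-06-15T10:00:09Z login_ok user=dave@example.com ip=203.0.113.7
2026-06-15T10:00:20Z login_failed user=carol@example.com ip=198.51.100.23
2026-06-15T10:00:30Z login_ok user=carol@example.com ip=198.51.100.23
"""

# Assumed log format for this example; adapt the pattern to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(lines, window=timedelta(seconds=60), min_distinct_users=5):
    """Flag source IPs whose failed logins touch many distinct accounts within `window`.

    A single user fumbling their own password produces many failures for one
    account; credential stuffing produces a few failures each across many
    accounts. Returns {ip: {"distinct_users", "window_start", "successful_users"}}.
    """
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        in_window = deque()   # failed events inside the sliding window
        per_user = Counter()  # failures per account inside the window
        for event in (e for e in events if e["event"] == "login_failed"):
            in_window.append(event)
            per_user[event["user"]] += 1
            # Evict failures older than the window (the current event is never evicted).
            while event["ts"] - in_window[0]["ts"] > window:
                old = in_window.popleft()
                per_user[old["user"]] -= 1
                if per_user[old["user"]] == 0:
                    del per_user[old["user"]]
            distinct = len(per_user)
            if distinct >= min_distinct_users and distinct > alerts.get(ip, {}).get("distinct_users", 0):
                start = in_window[0]["ts"]
                # Successful logins from the spraying IP after it started identify the
                # accounts whose leaked credentials are still valid: reset those first.
                hits = sorted({e["user"] for e in events
                               if e["event"] == "login_ok" and e["ts"] >= start})
                alerts[ip] = {"distinct_users": distinct,
                              "window_start": start,
                              "successful_users": hits}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, alert["distinct_users"], "accounts; valid pairs:", alert["successful_users"])
```

The distinct-account count per source is the discriminating signal; a raw failure count alone would also fire on a single legitimate user. Attackers who rotate through proxy pools defeat a per-IP key, so in production the same logic is usually keyed on a device fingerprint or ASN as well.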

On June 15, the same day the cluster went offline, Have I Been Pwned added 56.3 million email addresses and 124 million passwords from related infostealer logs to its searchable database. [techtimes] Researchers recommend checking email addresses there immediately, changing passwords on critical accounts (email, banking, and healthcare first), enabling MFA wherever possible, and performing those changes from a device confirmed clean of malware, since an active infostealer will harvest any newly typed credentials. [cybernews +1] Because these logs carry session cookies as well as passwords, the password change should be paired with signing out of all active sessions on each critical account; a new password does not by itself invalidate a session token that was already stolen unless the service revokes existing sessions on password change.
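Have I Been Pwned also exposes its Pwned Passwords corpus through a range endpoint that lets you test a password without sending it anywhere: only the first five hex characters of the password's SHA-1 go to the service, which returns every known hash suffix sharing that prefix, and the comparison happens locally (k-anonymity). The code below is an added example for this article, not code from the article or from Have I Been Pwned. The response body embedded here is constructed: the middle suffix is the genuine tail of SHA-1("password"), but the counts and the other two suffixes are made up so the check runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 of the password.

    Only the 5-character prefix ever leaves the machine; it matches hundreds of
    unrelated hashes, so the service cannot tell which one is yours.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus; 0 means not found.

    `fetch_range(prefix)` returns the response body for that prefix; it is
    injected so the lookup can be exercised offline or against the live service.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix):
    """Live lookup against the Pwned Passwords range endpoint (needs network access)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response (not real HIBP data). The second
# suffix is the real tail of SHA-1("password"); counts and the other two
# suffixes are invented for the example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFFFFD6C5A2D07DE8D6EB3B1D1A9C7F4C2A:1",
    ])
}


def fake_fetch_range(prefix):
    """Offline fetcher: return the constructed body for a known prefix, else nothing."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fake_fetch_range))
```

Swap `fake_fetch_range` for `http_fetch_range` to query the live service. A non-zero count means the password is in circulation and should be treated as burned even if your own account has not been notified; a zero tells you only that this particular corpus does not contain it.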