24 Billion Credentials Exposed: Check Your Dark Web Exposure Now

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
An exposed Elasticsearch database discovered on June 12, 2026 contained 24 billion stolen credentials spanning 8.3 terabytes across 36 sources and was actively used as an attack-targeting platform. Cybernews researchers found the cluster completely unauthenticated with no password, no firewall, and no access controls of any kind. The database aggregated records from infostealer malware logs, Telegram cybercrime channels, prior breach compilations, and direct exports from live production servers.
The 24 billion credentials exposed in this database represent a qualitative shift from prior large-scale dumps. The operator did not simply archive stolen data. The cluster contained 9,500 documents pairing credential records with CVE IDs, CVSS scores, and GitHub exploit repository URLs, and 5,200 documents containing recent data breach news articles. The most recent news article in the dataset covered a PyPI supply chain attack published in February 2026. This means the database was being maintained and updated as recently as weeks before its discovery.
For security teams, the immediate risk is twofold. First, any corporate email address present in this database is now a known target for credential stuffing campaigns running against SaaS platforms, VPNs, and remote access portals. Second, infostealer logs in the dataset capture active session cookies, not just passwords, enabling attackers to bypass multi-factor authentication entirely by hijacking existing authenticated sessions. On June 15, three days after discovery, Have I Been Pwned added 56.3 million email addresses sourced from this dataset. If your organization's domain has not been checked, the window to act before attackers begin exploitation is closing.
How Did 24 Billion Credentials End Up in One Database?
The 24 billion credentials exposed in this Elasticsearch cluster came from 36 distinct collection pipelines operated by the database's unknown owner. Cybernews documented three primary source categories when they analyzed the cluster structure.
Approximately 260 million records originated from Telegram channels operating under syndicate names containing the word 'Darkside,' consistent with the naming conventions of organized Russian-speaking cybercrime communities. These records were shared in bulk across multiple channels and compiled into the database. Another 150 million records came from what the operator labeled 'local database dumps,' a term in threat actor terminology for credentials extracted directly from the backend databases of compromised web applications. These are not recycled breach compilations but fresh data pulled from live servers at the moment of compromise.
The remaining records came from two additional pipelines: 146 million records from breach compilation packages aggregating prior major breaches, and the bulk of the 24 billion from infostealer malware logs. Infostealer logs represent the most dangerous portion of the dataset because they include data harvested directly from infected endpoints in real time, including browser session cookies, saved form data, and keylogging output from users who had not yet been notified of any breach.
The 9,500 documents linking credential records to specific CVEs and their GitHub exploit code confirm the database was not simply a passive credential store. The operator used it as an active attack-planning resource, pairing stolen access credentials with known vulnerabilities in the products those credentials authenticated.
Who Is at Risk: Sectors and Organizations in the Dataset
The 24 billion credentials exposed span virtually every industry sector because the primary collection mechanism, infostealer malware, infects consumer and corporate devices indiscriminately. The infostealer logs in this dataset do not filter by employer or sector. Any employee who opened a malicious attachment, downloaded a trojanized application, or visited a drive-by exploit page on a device where corporate credentials were stored contributed records to the database.
TechRepublic and Security Affairs confirmed the dataset includes records tied to financial services, government agencies, healthcare systems, technology companies, and critical infrastructure operators. The cross-sector contamination is a direct result of the database's infostealer-log-heavy composition.
The CVE-linked documents in the database sharpen the targeting picture. By pairing stolen credentials with known vulnerabilities in the same cluster, the operator effectively created a prioritized attack queue: organizations with exposed credentials and unpatched software become the highest-priority targets. This operational approach mirrors the methodology of initial access brokers, who sell verified credential-plus-vulnerability combinations as premium access packages on criminal forums.
Technical teams should assume that any corporate email address that has ever been used on a personal device, stored in a browser password manager on a shared or compromised device, or submitted to a third-party SaaS platform that subsequently suffered a breach is potentially present in this dataset. The scope of 24 billion records makes statistical exclusion implausible for organizations with more than a few hundred employees.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Infostealer Threat: Why This Leak Bypasses MFA
The most operationally significant threat from the 24 billion credentials exposed is not the plaintext passwords. It is the session cookies.
Infostealer malware targets browser profile directories where Chromium-based browsers store authentication cookies. These cookies represent already-authenticated sessions. When an attacker replays a stolen session cookie against a web application, they are not logging in. They are impersonating a session that the application already considers active and trusted. Time-based one-time password MFA systems cannot detect this because the authentication challenge was completed at session initiation. The stolen cookie arrives after authentication, not before.
This technique, sometimes called cookie hijacking or pass-the-cookie, has been confirmed in attacks against Google Workspace, Microsoft 365, Salesforce, and major VPN platforms. Mandiant documented multiple threat groups using infostealer-derived session cookies to bypass MFA at Fortune 500 targets throughout 2025 and early 2026.
The only MFA methods resistant to cookie hijacking are those bound to the originating domain at the cryptographic level, specifically FIDO2/WebAuthn hardware security keys and passkeys. These standards embed the authentication origin in the signed credential assertion. A cookie stolen from app.company.com cannot be replayed as a new authentication at the same origin because the browser validates domain binding before presenting the credential.
Organizations that have deployed TOTP-based MFA universally and believe they are protected against credential-based attacks should treat this dataset's discovery as a direct prompt to audit their session management policies and upgrade high-risk accounts to phishing-resistant MFA.
“Infostealers that harvest active session cookies can bypass multi-factor authentication entirely because the attacker is not logging in with your password. They are impersonating an already-authenticated session.”
Cybernews, June 2026
How to Verify Your Exposure Right Now
Security teams have three immediate verification paths for the 24 billion credentials exposed in this database.
Have I Been Pwned is the fastest starting point. On June 15, 2026, Troy Hunt's service added 56.3 million email addresses sourced from infostealer logs corresponding to this discovery period. Submit your corporate domain at haveibeenpwned.com/domain-search to receive a full count of exposed addresses without revealing individual credentials to the search interface. The domain search returns aggregate totals and breach source names, sufficient for triage prioritization.
For enterprise identity platforms, pull authentication logs for the past 30 days and filter for logins from new geographic regions, new device fingerprints, or impossible travel events. Infostealer-derived credential use often appears as a first login from a previously unseen location within days of the data being sold on criminal markets, which typically occurs within 72 hours of collection.
Enterprise dark web monitoring platforms, including services from Recorded Future, Cybersixgill, and Flare, ingest new credential dumps within hours of dark web posting. If your organization subscribes to these services, request an ad hoc scan against the June 12 Elasticsearch dataset specifically. Many vendors have already loaded the dataset into their monitoring pipelines.
For the 16 billion credentials exposed last year, the verification steps were similar, but this dataset's infostealer-log composition means exposure verification must go beyond email address matching to include session revocation and active MFA audit. See also our breakdown of the Infutor and Verisk 676 million SSN exposure for comparison on how large-scale dark web datasets translate to organizational risk.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How Attackers Operationalize Credential Dumps at Scale
The 24 billion credentials exposed in this database translate to attacker revenue through two primary monetization paths: credential stuffing automation and targeted access brokering.
Credential stuffing attacks use automated tools to test username and password pairs from stolen databases against high-value login endpoints. Tools like Snipr, Bulletproof, and Centry run tens of thousands of login attempts per minute against consumer portals, corporate VPNs, and SaaS applications. Modern stuffing infrastructure routes requests through residential proxy networks to blend malicious traffic with legitimate user activity. Commercially available stuffing kits on criminal forums include pre-configured templates for over 300 web applications, including major identity providers, banking platforms, and e-commerce sites.
The credential stuffing economics are compelling for attackers. A single database purchase of tens of millions of records costs between USD 200 and USD 2,000 on established criminal markets. A successful takeover of a business email account with payment authorization access can yield thousands to hundreds of thousands of dollars through business email compromise, depending on the target's authority and available financial instruments.
The second monetization path, targeted access brokering, is more relevant for the CVE-linked documents found in this cluster. Initial access brokers package verified credentials alongside vulnerability intelligence for the specific network they authenticate into. A verified VPN credential for a manufacturing company paired with an unpatched remote code execution vulnerability in that company's exposed application stack sells for USD 1,000 to USD 15,000 on criminal forums per Recorded Future's Q1 2026 initial access pricing survey.
For organizations, this means the risk from the June 12 Elasticsearch database is not theoretical. It is a time-sensitive operational threat.
Why 24 Billion Credentials Exposed Matters for Your Organization
Security teams frequently dismiss large-scale credential dumps as abstract risk, reasoning that their organization is unlikely to be specifically targeted. The CVE intelligence embedded in this database eliminates that reasoning.
An attacker with both a credential for your network and knowledge of an unpatched vulnerability in your exposed infrastructure does not need to make a judgment about whether you are worth targeting. The database makes that determination automatically, and it made it as recently as weeks before discovery. The February 2026 PyPI breach news article found in the cluster confirms the operator was actively maintaining and updating the targeting intelligence.
The disclosure timeline also matters. Cybernews found the database on June 12. The cluster went offline after responsible disclosure, but the data does not disappear. Credential databases of this scale are downloaded, mirrored, and redistributed across criminal forums and dark web markets within hours of initial distribution. By the time a database is taken offline, the data has typically been sold to 50 to 100 buyers. Each buyer runs their own stuffing campaigns independently.
For organizations in regulated industries, the exposure also triggers compliance obligations. If employee or customer credentials are present in a publicly accessible database, most breach notification frameworks, including GDPR and US state privacy laws, require disclosure once the organization becomes aware. The June 15 HIBP update, combined with widely covered press reporting, may constitute constructive awareness for legal purposes depending on jurisdiction.
The actionable reality: run the domain exposure check today, revoke active sessions across your identity platform, and upgrade privileged accounts to phishing-resistant MFA before credential stuffing campaigns exploit this dataset reach your login pages.
The bottom line
24 billion credentials exposed in a single Elasticsearch cluster represents the largest documented credential dump and an active attack-targeting platform, not a passive archive. Every organization with a corporate email domain has statistical exposure. Three actions before end of day: check your domain at haveibeenpwned.com, force-revoke all active sessions in your identity platform, and upgrade administrator accounts to FIDO2 MFA. The attackers who downloaded this database before it went offline are already running stuffing campaigns.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
How do I check if my email is in the 24 billion credential leak?
Visit haveibeenpwned.com and enter your email address. The service added 56.3 million email addresses from infostealer logs on June 15, 2026, the same period this database was active. For corporate domains, use the domain search feature at haveibeenpwned.com/domain-search to scan your entire email domain at once and receive a full count of exposed accounts.
What is the Elasticsearch credential database discovered in June 2026?
On June 12, 2026, Cybernews researchers found an exposed, unauthenticated Elasticsearch cluster containing 24 billion stolen credential records across 8.3 terabytes. The database aggregated data from 36 distinct sources including infostealer malware logs, Telegram cybercrime channels, prior breach compilations, and direct exports from live servers. It also contained 9,500 documents with CVE intelligence linked to GitHub exploit code, indicating active use as an attack-targeting tool.
Can infostealers bypass multi-factor authentication?
Yes. Infostealers harvest active browser session cookies in addition to stored passwords. An attacker who steals your session cookie can impersonate your already-authenticated session on web applications without needing your password or your MFA code. This renders standard time-based one-time password (TOTP) MFA ineffective against cookie-stealing attacks. Phishing-resistant MFA methods such as hardware security keys (FIDO2/WebAuthn) prevent this because authentication is bound to the originating domain.
What is credential stuffing and how does it work?
Credential stuffing is an automated attack that takes username and password pairs from breach databases and tries them against login forms at other services, exploiting the common behavior of password reuse. Attackers use rotating proxy networks to avoid rate limiting and IP blocking. Against a database of 24 billion credentials, automated tools can test millions of login attempts per hour. Organizations exposed by this breach face a significantly elevated credential stuffing risk, particularly for services where employees reused corporate email addresses and passwords.
Which organizations were affected by the 24 billion record database?
The database aggregated credentials from 36 sources, meaning exposure is broad and cross-sector. TechRepublic confirmed the data includes records from financial services, government agencies, healthcare, technology firms, and critical infrastructure operators. Because the dataset pulls from infostealer logs across infected consumer and corporate devices, organizational affiliation of victims spans virtually every industry vertical with a corporate email domain present.
How were 24 billion credentials aggregated into one database?
The operator combined multiple collection methods: approximately 260 million records came from Telegram channels with criminal syndicate names, 150 million from direct exports of live server databases, and 146 million from breach compilation packages. The remaining records came from infostealer malware logs, which capture credentials in real time from infected machines. The operator then enriched the credential data with CVE intelligence and recent breach news, transforming it from a passive archive into an active attack-targeting platform.
What is infostealer malware and how does it steal passwords?
Infostealer malware is a category of credential-harvesting software that executes on a victim's device after delivery via phishing, malicious downloads, or compromised software. Once running, it extracts stored passwords from browser credential managers, copies active session cookies from browser profile directories, screenshots the desktop, and captures keystrokes. The stolen data is sent to attacker-controlled infrastructure and sold on dark web markets or pooled into databases like the one discovered on June 12.
What should I do if my credentials are in a dark web database?
Rotate the affected password immediately on the breached service and on any other service where you used the same credentials. Enable phishing-resistant MFA (FIDO2 hardware key or passkey) on all critical accounts. Audit your organization's active sessions and revoke any sessions older than 24 hours on identity platforms. Deploy an identity threat detection solution that monitors for anomalous login patterns characteristic of credential stuffing. Enroll corporate domains in breach monitoring services like Have I Been Pwned's domain search.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
