A massive collection of exposed login credentials containing around 24 billion records was recently discovered online by cybersecurity researchers, raising serious concerns about global password security and data reuse risks.
According to researchers at Cybernews, the exposed Elasticsearch database contained usernames, email addresses, plaintext passwords, and login URLs tied to a wide range of online services. Although the database was quickly taken offline after discovery, its size and contents suggest a significant aggregation of stolen or leaked data circulating within cybercrime ecosystems.
What the dataset contained
Investigators reported that the data appeared to come from multiple sources, including infostealer malware logs, leaked databases, and data compiled from cybercrime channels. Infostealer malware is designed to extract saved credentials, browser data, and sometimes session tokens from infected devices.
A major portion of the dataset—billions of records—was linked to Telegram channels known for distributing stolen credentials and financial information. Another large section, labeled as “collections,” appeared to combine previously leaked datasets and newly gathered logs, though its exact origin remains unclear.
The records reportedly came from dozens of sources at a minimum, and duplication is likely widespread, which makes it difficult to determine how many unique users were affected.
Additional findings
Beyond login credentials, researchers also found cybersecurity-related material such as vulnerability references, GitHub links, cyber incident discussions, and posts related to ransomware activity. This suggests the dataset may have been actively maintained and continuously updated by whoever controlled it.
Despite its removal from public access, security experts warn that the data still poses a threat, since stolen credentials often remain in circulation across underground networks.
Why it matters
The main risk comes from credential reuse. If users reuse the same passwords across multiple platforms, attackers can use automated credential stuffing techniques to break into accounts at scale.
Experts stress that even if the dataset is no longer online, the credentials may already have been copied and redistributed.
Security advice
Cybersecurity professionals recommend that users assume reused passwords may already be compromised. Key protective steps include:
- Changing passwords, especially for email, banking, and social media accounts
- Using unique passwords for every service
- Enabling multi-factor authentication wherever possible
- Using password managers to generate and store secure credentials
- Being cautious of phishing messages claiming to verify data exposure
Security experts also warn that attackers often use fake “data breach check” emails or messages to trick users into revealing additional credentials.