Description
A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online.
The collection was briefly exposed on the internet before being taken offline. While researchers can't confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.
The best place to start is with Malwarebytes Digital Footprint Portal (DFP), which can show you whether your information has appeared in known data exposures and breaches.
## What happened?
Researchers at Cybernews found a publicly exposed Elasticsearch cluster holding more than 8.3 TB of data.
The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.
Because the data came from different sources there are some differences in what the records contain and how they are organized.
Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Roughly 1.7 billion records came from hacking-related Telegram channels, mainly English and Russian, including at least one focused on stolen credit card data.
The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.
Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.
A few years ago, we wrote about what was called the Mother of All Breaches, where the source of the dataset has been identified as data breach search engine Leak-Lookup.
This newly discovered 24‑billion‑record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.
An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass MFA), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.
Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That’s reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk.
## What to do now
It’s good to be aware of how much information about you is out there and who's gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.
Start by checking whether your email address has appeared in known breaches or infostealer logs.
Check whether your data is exposed
If you discover exposed passwords, change them immediately and make sure you aren't reusing the same password across multiple accounts.
If you have reused passwords in the past, prioritize updating important accounts such as email, banking, shopping, and social media accounts. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.
## How to protect your data
Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.
Pirated software, game cheats, and cracked tools are some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.
Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.
* * *
### ****“One of the best cybersecurity suites on the planet.”** **
According to CNET. Read their review →
* * *
* * *
The collection was briefly exposed on the internet before being taken offline. While researchers can't confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.
The best place to start is with Malwarebytes Digital Footprint Portal (DFP), which can show you whether your information has appeared in known data exposures and breaches.
## What happened?
Researchers at Cybernews found a publicly exposed Elasticsearch cluster holding more than 8.3 TB of data.
The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.
Because the data came from different sources there are some differences in what the records contain and how they are organized.
Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Roughly 1.7 billion records came from hacking-related Telegram channels, mainly English and Russian, including at least one focused on stolen credit card data.
The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.
Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.
A few years ago, we wrote about what was called the Mother of All Breaches, where the source of the dataset has been identified as data breach search engine Leak-Lookup.
This newly discovered 24‑billion‑record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.
An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass MFA), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.
Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That’s reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk.
## What to do now
It’s good to be aware of how much information about you is out there and who's gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.
Start by checking whether your email address has appeared in known breaches or infostealer logs.
Check whether your data is exposed
If you discover exposed passwords, change them immediately and make sure you aren't reusing the same password across multiple accounts.
If you have reused passwords in the past, prioritize updating important accounts such as email, banking, shopping, and social media accounts. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.
## How to protect your data
Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.
Pirated software, game cheats, and cracked tools are some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.
Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.
* * *
### ****“One of the best cybersecurity suites on the planet.”** **
According to CNET. Read their review →
* * *
* * *
Basic Information
ID
MALWAREBYTES:D6867A3301AC0C2B46061F7850A926B9
Published
Jun 17, 2026 at 10:56