24 Billion Credentials Exposed in Massive Infostealer Dump
5 min read · Security News
Key Takeaways
- • Cybernews researchers found 8.3 TB of stolen data in a publicly exposed Elasticsearch cluster on June 12, 2026
- • 24 billion credential records aggregated from 36 sources: Telegram channels, infostealer logs, and breach compilations
- • Stolen data includes email addresses, plaintext passwords, session cookies, MFA bypass tokens, and device fingerprints
- • Session cookies let attackers bypass multi factor authentication entirely — no password required
- • Check your exposure at Malwarebytes Digital Footprint Portal, then change passwords and enable MFA
The Discovery: 8.3 Terabytes Left Open to Anyone
On June 12, 2026, researchers at Cybernews found an Elasticsearch cluster that required no authentication to access. Inside: 24 billion credential records packed into 8.3 terabytes of data. The database was publicly reachable — no password, no key, no firewall — until it was taken offline by June 15.
Elasticsearch is a search engine commonly used to index and retrieve large datasets quickly. When misconfigured or intentionally left open, these clusters become visible to tools like Shodan, which continuously scan the internet for exposed services. This particular cluster appears to have been deliberately assembled by a threat actor using it as a live attack targeting platform, not merely an archive of old breach data.
What made the find alarming was not just the scale — it was the freshness. Researchers found CVE vulnerability intelligence and recent cybersecurity articles embedded alongside the credentials, indicating the operator was actively cross referencing known software vulnerabilities with stolen credentials to identify exploitable targets in real time.
What Was Inside the Database?
The database aggregated data from 36 distinct sources. The breakdown reveals how modern credential theft works at scale:
| Source Type | Record Count |
|---|---|
| Infostealer compilations and breach collections | 22.6 billion |
| Telegram hacking channels (30+ channels) | 1.7 billion |
| Local database dumps | 150 million |
| Breach compilation combos | 146 million |
The Telegram channel data — roughly 1.7 billion records from over 30 channels — included material from Darkside branded channels that specialize in distributing stolen payment card data alongside login credentials. Approximately 260 million records traced directly to these channels.
Beyond usernames and passwords, the database contained login URLs, active browser session cookies, multi factor authentication bypass tokens, device fingerprints, browser autofill data, and cryptocurrency wallet credentials.
Why Session Cookies Are the Real Threat
Most breach coverage focuses on passwords. This dump should shift attention to session cookies — and here is why that matters for your email account specifically.
When you log into Gmail or any web service, your browser stores a session cookie. This cookie is what keeps you logged in between visits. Infostealers are purpose built to harvest these cookies directly from browser storage on infected devices, often alongside saved passwords and autofill data.
An attacker who imports your session cookie into their own browser does not need to know your password. They do not need to defeat your two factor authentication. They are not logging in — they are impersonating an already authenticated session. Gmail, Outlook, and most email providers cannot reliably distinguish a stolen session from normal activity.
This is why dumps that include session tokens are treated as a more acute threat than plain password lists. The attack vector bypasses the defenses most people have been told to rely on.
What This Means for Your Email Inbox
Email addresses appear throughout this database as the primary account identifier. Most online services use your email as your username, which means an exposed email address combined with a reused or weak password grants access to every service linked to that address.
A compromised inbox becomes the master key to the rest of your digital life. Attackers use it to trigger password resets across banking, shopping, social media, and work accounts. In 2026, with phishing emails increasingly indistinguishable from legitimate correspondence, a compromised inbox also becomes a launchpad for attacks against your contacts.
There is a tracking dimension here as well. Senders who embed tracking pixels in emails build a behavioral profile of you: when you read messages, what device you are on, your approximate location. This data aggregates into the same kind of profile that infostealer logs build from the device side — attackers and marketers are assembling the same picture from different angles.
Was Your Data Included?
The database has been taken offline, but that does not mean the data has disappeared. Copies of large credential compilations circulate on dark web forums and Telegram channels for months or years after the original discovery.
The most practical first step is to check your exposure using the Malwarebytes Digital Footprint Portal — a free tool that shows whether your personal data has appeared in known breach databases. Have I Been Pwned (haveibeenpwned.com) is a widely used alternative with breach notification alerts.
Neither tool can confirm your data was specifically in this Elasticsearch cluster, since the database was private before going public. But they will tell you whether your credentials have surfaced in prior related breaches and compilations.
What To Do Now
Four actions in priority order:
- Check your exposure — Run your primary email address through Malwarebytes Digital Footprint Portal or Have I Been Pwned.
- Change reused passwords immediately — If you use the same password across multiple sites, treat every account as compromised. Use a password manager to generate unique credentials for each service.
- Enable multi factor authentication — Even though session cookies can bypass it in targeted attacks, MFA still blocks the vast majority of automated credential stuffing attempts that do not use stolen cookies.
- Reduce your tracking surface — Infostealers harvest data from infected devices, but your inbox is also a collection point. Blocking tracking pixels in Gmail limits the behavioral profile senders build about you and cuts off one source of data that feeds the broader surveillance ecosystem.
The Bigger Pattern
This database is large by any measure, but it is not an anomaly. It is the logical endpoint of an infostealer economy that has operated at scale for years. Infostealer malware is sold as a service on Telegram and dark web markets — a full kit for as little as $100 a month. Each infected device contributes a complete package of credentials, cookies, and device data to the seller's inventory, which then flows into compilations like the one Cybernews found.
The most useful response is not panic — it is methodically reducing the number of places your credentials and behavioral data accumulate. Fewer exposed surfaces means less to harvest, whether from a device compromised by an infostealer or from the email tracking pixels that log your inbox behavior without your knowledge.