- Cybernews found exposed Elasticsearch database with 24 billion plaintext credentials from 36 sources
- Archives (~8TB) compiled infostealer logs, Telegram leaks and past breach data; continuously updated
- Owner unknown; mix of English/Russian sources, including 260 million entries linked to “Darkside” channels
A colossal database containing 24 billion records, including usernames, passwords and login URLs, all stored in plain text, was found sitting on the Internet, available to anyone who knew where to look.
The Elasticsearch database was discovered earlier this month by security researchers from Cybernews, which believes that it is a collection of different log files generated by different infostealers.
“The credential leak is dangerous simply because of its enormity,” Cybernews said. “Since the data was leaked online, billions of affected accounts are at serious risk of takeovers, especially if they are not protected with multi-factor authentication.”
Identity unknown
The archive was locked down shortly after being discovered, preventing the Cybernews team from doing any deeper analysis – although they did manage to determine that the information came from 36 different sources, “ranging from Telegram channels to combined data collections of previous data breaches and datasets exported directly from live target servers.”
The archive was more than eight terabytes in size, making it among the largest archives ever discovered. Unfortunately, it is impossible to determine how many of the records are duplicates, although it is safe to assume that at least some of them are.
Cybernews was also unable to determine the age of the findings, but emphasized that based on the February 2026 news article contained in the data leak, it could conclude that the cluster was updated regularly.
The identity of the database’s owner remains a mystery. Most of the Telegram sources listed inside were in English, but some were in Russian as well. Also, about 260 million records came from Telegram channels with the word “Darkside” in them, referring to a now-defunct ransomware group that was responsible for the disastrous attack on the Colonial Pipeline a few years ago.
Whoever it is, they seem to be actively monitoring the cybersecurity landscape and updating the collection frequently.




