A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online.
The collection was exposed on the internet before being taken offline. While researchers can’t confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.
What happened?
Researchers at Cybernews found a publicly exposed database holding more than 8.3 TB of data.
The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.
Because the data came from different sources there are some differences in what the records contain and how they are organized.
Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Infostealers are a type of malware designed to steal sensitive information from infected devices, such as your home computer.
An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass multi-factor authentication), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.
Roughly 1.7 billion of the records came from hacking-related Telegram channels, mainly English and Russian, including at least one that was focused on stolen credit card data.
The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.
Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.
A few years ago, we wrote about what was called the “mother of all breaches,” where the source of the dataset was later identified as data breach search engine Leak-Lookup.
This newly discovered 24 billion record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.
Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That’s reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk. And we still don’t know the purpose for the data collection in the first place.
What to do now
It’s good to be aware of how much information about you is out there and who’s gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.
1. Check if your data has been exposed online using our Digital Footprint Portal.
2. If you discover exposed passwords, change them immediately and make sure you aren’t reusing the same password across multiple accounts. Prioritize updating your important accounts such as email, banking, shopping, and social media accounts.
3. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.
How to protect your data
Infostealers often spread through malicious ads, fake browser updates, and one-click downloads. Avoid clicking sponsored ads, and instead visit official websites directly. Download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand what they do.
Pirated software, game cheats, cracked tools, and shady browser extensions remain common sources of infostealer infections. Stick to reputable software and extensions, and be wary of anything asking for excessive permissions.
Lastly, phishing emails are still a major threat. Be cautious of unexpected attachments, links, and urgent requests. If you’re unsure whether a message is legitimate, verify it through the company’s official website rather than the link in the message.
You can also use Malwarebytes Scam Guard to check individual messages. Just upload a screenshot and we’ll let you know if it’s a scam.
