24 billion passwords and emails exposed in massive leak

Experts uncover huge credential database built from past breaches and malware thefts

Hackers may access billions of accounts after massive credential leak discovered online. | Towfiqu barbhuiya / Pexels

Your password may already be in the wrong hands. Cybersecurity experts have uncovered an exposed, unprotected database containing an estimated 24 billion email-password combinations, compiled from past data breaches, dark web sources, and infostealer malware. The dataset represents a powerful tool for cybercriminals, enabling large-scale automated attacks that can quickly compromise active accounts. As this massive cache of stolen credentials circulates, the urgent question remains whether your digital identity is included — and how quickly you can secure it before attackers do.

Just how big is the newly discovered data leak?

The sheer size of this digital hoard required experts to check the math three times just to be sure. Cybernews researchers recently discovered a completely open, unprotected database containing an astronomical 24 billion records. Left exposed to the open internet for anyone to see, this massive digital vault contained more than 8.3 terabytes of data — enough information to put billions of everyday online accounts at immediate risk of being hacked.

The dataset was a goldmine for cybercriminals. It contained a highly organized list of usernames, email addresses, and plain-text passwords, with each login neatly paired with the exact website it was meant to unlock.

“The credential data leak is dangerous simply because of its enormous size. Since the data leaked online, billions of affected accounts are at serious risk of takeovers, especially if they are not protected with multi-factor authentication,” the research team explained.

Where did the data come from?

This information didn’t come from a single corporate hack. Instead, it was stitched together like a monster patchwork quilt from 36 different illegal sources.

A massive chunk of the data came from infostealer logs — data stolen by hidden malware (malicious software) that secretly infects computers to swipe passwords as users type them.

The investigators also traced a significant portion back to the dark web’s favorite new trading ground: the messaging app Telegram. More than 30 of the 36 sources were active Telegram chat rooms — written mostly in English and Russian — where cybercriminals openly buy, sell, and trade stolen logins. Over 1.7 billion records came straight from these chats.

Some of the specific sources included:

  • The “Darkside” Syndicate: Nearly 260 million records were tied to channels using the name of Darkside, the notorious ransomware group that famously shut down the U.S. Colonial Pipeline a few years ago.
  • Live Server Dumps: Another 150 million records came from “local database dumps,” which essentially means a hacker successfully broke into a live company server and downloaded everything on it.
  • Breach Compilations: Around 146 million records came from “combos” — packages of old, previously leaked data. Hackers love these because they rely on a simple human habit: people rarely change their passwords and often reuse the same one across multiple websites.

The mystery ‘collections’

The absolute lion’s share of the database — a staggering 22.6 billion records — came from a source the mysterious owner simply labeled as “collections.” Because the database was quickly taken offline shortly after it was discovered, cybersecurity experts couldn’t dig in to see exactly where this specific mountain of data originated.

“The vast majority of the 24 billion exposed records, our researchers believe, were infostealer logs. In other words, stolen usernames, passwords, and services that these credentials were supposed to grant access to,” the report noted. “A staggering 22.6 billion records supposedly came from what the data owner named ‘collections.’ These records could come from various infostealer collections previously leaked online, or they may indicate that the records are grouped by the services they are supposed to provide unauthorized access to.”

A ‘living’ threat to your security

What makes this discovery particularly chilling is that whoever owned this database wasn’t just hoarding old, dusty information. They were keeping it completely up to date.

Mixed into the billions of passwords, researchers found thousands of records tracking active cybersecurity news, social media chatter about recent hacks, and lists of CVE vulnerabilities — which are essentially public alerts detailing newly discovered “weak spots” or flaws in software that hackers can exploit. In fact, one compiled news article in the dataset was published as recently as February 2026.

“One of the vulnerabilities identified in the exposed cluster involved a Valhall GPU Kernel Driver issue [a flaw in specific computer graphics software],” the report revealed. “All of this points to the data owner actively monitoring the cybersecurity landscape, with a likely intent to update their vast collection of credentials with records from the latest data breaches and data leaks.”

While researchers can’t say exactly how many unique people are affected by this leak, the lesson for everyday internet users is clear. The database has been pulled offline, but the data was out there.

How to lock your digital front door

While you can’t stop a corporate data breach, you can protect yourself from the fallout. Because hackers use automated software to rapidly test stolen combinations across the web, a few quick actions will keep your accounts safe:

  • Check Your Exposure: Visit a free, secure site like Have I Been Pwned. Enter your email address to instantly see if your credentials have been leaked in this or past major breaches.
  • Stop Reusing Passwords: Use a dedicated password manager to generate and store unique, strong passwords for every single login. If a hacker gets your password for one minor site, a password manager ensures they can’t use it to break into your bank or primary email.
  • Turn on Two-Factor Authentication (2FA): Treat 2FA like a deadbolt lock. Even if a criminal has your correct email and password, they still cannot access your account without the secondary, real-time code sent directly to your phone or authenticator app.
  • Run a Malware Scan: Because a massive chunk of this data came from hidden password-stealing malware, run a deep scan of your computer and phone using a trusted, updated antivirus program to make sure your devices are clean.

Sources:
Cybernews
Security Affairs