The numbers are almost too large to comprehend.

Cybernews researchers have discovered an exposed database containing 24 billion records, including usernames, email addresses, plaintext passwords, and login URLs.

Discovered on June 12, 2026, this isn't a theoretical future threat — it is happening right now, and your organisation's credentials may already be circulating inside criminal networks. For IT leaders, CISOs, and security teams, the window to act is narrow and the stakes couldn't be higher.

This post breaks down exactly what happened, why it matters to your business, and the concrete steps you need to take immediately.


What Happened: The Anatomy of a 24-Billion-Record Leak

Researchers uncovered the publicly accessible database on June 12, finding more than 8.3 terabytes of information stored in an unsecured Elasticsearch cluster.

To put the scale in perspective, with roughly 5.5 billion internet users worldwide and 24 billion records in this database — acknowledging that duplicates are likely significant — there is a credible probability that any person who has used online services for more than a few years has at least one set of credentials somewhere in this dataset.

Evidence strongly indicates this is a central repository for "infostealer log databases." Infostealer malware is a type of malicious software secretly downloaded by users through corrupted files, infected PDFs, or pirated software. Once a device is compromised, the malware silently extracts autofill data, stored credentials, credit card details and crypto wallet keys from web browsers without the victim's knowledge.

The records originated from 36 separate sources, including Telegram channels associated with cybercrime activity, historical breach compilations, infostealer malware collections, and what appeared to be direct exports from compromised servers. More than 22.6 billion records were categorised as "collections," a term researchers believe may refer to aggregated datasets compiled from previous breaches and infostealer campaigns. Another 1.7 billion records were linked to Telegram-based sources.

The database has since been taken offline — but that is not the end of the story. Even though it is no longer publicly exposed, reused passwords may still put accounts at risk.


Why This Is Different From Ordinary Data Breaches

Security professionals have seen large breach compilations before. What makes this event uniquely dangerous is the freshness and specificity of the data.

The records stored in the cluster were primarily infostealer logs — structured output files automatically generated by malware designed to harvest credentials silently from infected computers. Each log typically contains the victim's usernames, email addresses, plaintext passwords, the login URLs those credentials were supposed to unlock, and sometimes active browser session cookies and device fingerprints.

That last detail is critical.

MFA alone is no longer sufficient protection. 276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely. This represents 31% of all malware-sourced credentials.

Infostealer malware operates as a subscription service in the criminal underground, a model known as malware-as-a-service (MaaS). A developer builds the malware infrastructure; customers — including people with no significant technical skill — pay subscription fees ranging from roughly $130 to $750 per month to access the system, deploy campaigns, and receive the harvested credential logs.

This industrialisation of credential theft means the pipeline from infected device to criminal marketplace is frighteningly efficient.

Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours. Organisations that act on intelligence quickly can intervene before stolen credentials are exploited.


The Business Cost of Inaction

If the sheer scale of the leak doesn't move the needle in your boardroom, the financial data should.

The average cost of a data breach in 2025 is $4.44 million globally. However, in the United States, the average cost of a data breach reached a record high of $10.22 million, up 9% year-over-year.

According to the Verizon Data Breach Investigations Report (DBIR) 2025, human error directly caused 60% of all breaches, making it the single largest driver of successful attacks.

The costs are not just financial, either.

Organisations face reputational damage if customer or employee information is exposed, regulatory fines under laws such as GDPR for failing to protect personal data, operational disruption from account takeovers or targeted attacks, and fraud losses if stolen credentials are used for unauthorised transactions.

The real-world consequences are visible in 2025's headline breaches.

The data breaches at Ticketmaster, Advanced Auto Parts, Change Healthcare, and AT&T saw hackers gain access to their networks using compromised credentials for accounts that did not have multifactor authentication enabled — representing more than 1.24 billion preventable record exposures across those four breaches alone.

Meanwhile, remote workers and BYOD users blur personal and work credentials, making them prime targets — 46% of infostealer-infected devices were personal or BYOD devices used for work. Small and mid-sized businesses are heavily hit, with detections jumping 104% year-over-year.


The Evolving Threat: AI Is Now on the Attacker's Side

The threat landscape isn't just growing in size — it's growing in sophistication.

The IBM report reveals that 1 in 6 breaches involved attackers using AI, most commonly for phishing (37%) and deepfake impersonation (35%). Generative AI enables adversaries to craft convincing phishing messages in minutes, not hours, making social engineering more dangerous than ever.

At the same time, the tools meant to protect organisations are creating new vulnerabilities.

Shadow AI — the unsanctioned use of AI by employees — was a factor in 20% of breaches, adding $670,000 to average costs and exposing large amounts of personally identifiable information (PII).

VPNs, remote monitoring and management (RMM) tools, cloud platforms, and detection software all featured prominently in stolen credential targets — meaning attackers are often going directly for the systems that provide the broadest access.


Practical Tips: What IT Leaders Must Do Right Now

This is no time for a passive response. Here is a prioritised action plan for security and IT leadership:

1. Immediately Audit Credential Exposure

On June 15, 2026, the breach notification service Have I Been Pwned added 56.3 million email addresses and 124 million unique passwords from infostealer malware logs to its searchable database.

Run all corporate email domains and accounts through Have I Been Pwned and similar services immediately.

2. Enforce Phishing-Resistant MFA — But Don't Stop There

Standard MFA can be bypassed via stolen session cookies.

Implementing strong operational controls for non-human identities and adopting modern, phishing-resistant authentication methods, such as passkeys, can significantly reduce the risk of credential abuse.

3. Deploy Endpoint Detection Tuned for Infostealer Behaviour

Security teams must treat infostealers as a pervasive threat. Prioritise endpoint detection tuned to credential theft behaviours, harden browsers to limit or encrypt saved passwords, enforce strong password hygiene and MFA, and monitor for your users' credentials appearing in stealer logs.
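One way to act on stealer-log monitoring is to triage each matching record into response actions, including session revocation when cookies were captured, since a password reset alone leaves a stolen session valid. This is an added example, not code from the original post; the JSON feed schema, the `example.com` domain and hosts, and the action labels are assumptions.

```python
import json
from urllib.parse import urlsplit

CORP_EMAIL_DOMAINS = {"example.com"}                        # assumed corporate domain
CORP_ACCESS_HOSTS = {"vpn.example.com", "sso.example.com"}  # assumed VPN/SSO hosts

# Constructed feed rows; the JSON schema is assumed and passwords are redacted.
SAMPLE_FEED = """
{"url": "https://vpn.example.com/login", "username": "a.khan@example.com", "password": "<redacted>", "cookies": true}
{"url": "https://shop.invalid/account", "username": "A.Khan@example.com", "password": "<redacted>", "cookies": false}
{"url": "https://sso.example.com/auth", "username": "svc-backup", "password": "<redacted>", "cookies": false}
{"url": "https://forum.invalid/", "username": "someone@other.invalid", "password": "<redacted>", "cookies": true}
truncated or non-JSON row
"""


def triage(feed_text):
    """Map each affected account to the response actions it needs."""
    actions = {}
    for line in feed_text.splitlines():
        try:
            rec = json.loads(line)
            host = (urlsplit(rec["url"]).hostname or "").lower()
            user = rec["username"].strip().lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip blank or malformed rows instead of aborting the run
        corp_user = user.rpartition("@")[2] in CORP_EMAIL_DOMAINS
        corp_host = host in CORP_ACCESS_HOSTS
        if not (corp_user or corp_host):
            continue
        todo = actions.setdefault(user, set())
        todo.add("reset_password")  # the password itself is never read or emitted
        if corp_host:
            todo.add("review_access_logs")    # VPN/SSO entry point was captured
        else:
            todo.add("check_password_reuse")  # work identity used on an outside site
        if rec.get("cookies"):
            todo.add("revoke_sessions")       # a reset alone leaves stolen cookies valid
    return actions


if __name__ == "__main__":
    for account, todo in sorted(triage(SAMPLE_FEED).items()):
        print(account, sorted(todo))
```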

4. Eliminate Password Reuse at the Enterprise Level

For businesses, the leak serves as a reminder that credential theft remains one of the most common entry points for cyberattacks, particularly when employees reuse passwords across multiple systems and services.

Enforce unique credential policies through a centralised password manager and monitor for dark web exposure continuously.

5. Control and Audit Your Third-Party Access

Many recent data breaches started with identity abuse or third parties, which turned one weak control into a massive incident.

Implement regular security assessments and right-to-audit clauses for all data processors — third-party risk is enterprise risk, even when internal defences are strong.

6. Build and Test Your Incident Response Plan

Effective crisis response means regularly testing incident response plans and backups, defining clear roles in the event of a breach, and conducting crisis simulations.

Speed is everything — faster detection is one of the most effective ways to reduce breach-related financial impact.

7. Establish AI Governance Policies Now

97% of AI-related breaches occurred in companies lacking proper access controls, and 63% had no formal AI governance policies in place.

Bring shadow AI out of the shadows by auditing all AI tool usage, establishing approval workflows, and integrating AI oversight into your existing security frameworks.

8. Run Targeted Security Awareness Training

Conduct regular security awareness training to help staff recognise phishing attempts and infostealer malware risks, and remind everyone to report suspicious activity or potential breaches immediately.


Conclusion: The Threat Is Live — Your Response Must Be Too

The 24-billion-record leak is not just another headline. It is a live operational threat that could be fuelling credential-stuffing attacks against your organisation's systems right now.

The gap between when credentials are stolen and when a security team finds out is where breaches happen. Most organisations discover compromised credentials days or weeks after the fact — through a public breach disclosure, a tip from law enforcement, or an incident that's already underway.

The good news?

Organisations using AI tools extensively cut their breach lifecycle by 80 days and saved nearly $1.9 million on average, driven by faster detection and containment.

The technology to fight back is available — but only if leadership acts decisively.

Don't wait for a breach notification to start your security review. Audit your credentials, enforce phishing-resistant authentication, lock down your endpoints, and engage your security team in a full incident-readiness assessment today. Your organisation's data, reputation, and bottom line depend on it. If you need expert guidance on building a resilient, breach-ready security posture, reach out to a qualified cybersecurity partner — the time to act is now, not after the breach.