Another day, another exposure to credentials, but an unthinkable one.
The discovery of a database with 24 billion compromised records is a reminder that sensitive information is still being disseminated online by phishing scams, infostealer software, and data breaches. Researchers could identify the records as usernames, passwords, email addresses, and login URLs, but couldn't determine how many were duplicates or how many real people were affected. Reports state the data was gathered from a number of sources.
This is not the result of a single company's credentials being made public; rather, it is the outcome of a massively exposed repository that contains an absurdly large collection of previously compromised credentials gathered over a number of years from infostealer logs, historical breaches, underground forums, and public leak repositories. The event brings to light a developing reality of contemporary cybersecurity: attackers only need access to the ever-increasing ecosystem of stolen identities already in circulation online; they no longer need to steal credentials themselves.
Inside the 24 Billion Records
This incident exposing 8.3 TB of data was brought to light by the researchers from Cybernews. The repository contained approximately 24 billion previously collected credential entries aggregated from 36 distinct sources, including Telegram channels, historical breach datasets, infostealer malware logs, and large unattributed collections. Unlike traditional breaches, infostealer malwares steal browser cookies, session tokens, autofill data, cryptocurrency wallets, stored passwords which is highly dangerous. Approximately 1.7 billion of the records originated from hacking-related Telegram channels with at least one channel dedicated to credit card data theft.
A Search Engine for Stolen Credentials
The database belonged to a threat intelligence and breach-monitoring platform, which had aggregated this data to track credential exposure for its own clients. It was left publicly accessible on an Elasticsearch cluster after a migration was misconfigured. Elasticsearch is a distributed, open-source storage for huge amount of data. Anyone who discovers an Elasticsearch server online can access it if there are no network constraints, passwords, or authentication. Anybody can view, copy, modify, or even remove its data in the absence of safeguards like a firewall or passwords.
Elasticsearch is a search engine, so the data wasn't just sitting there in a dump someone would have to sift through for weeks. It was indexed and instantly queryable. An attacker who found the server could search it the way you'd search anything else: by company domain to pull every exposed account tied to one organisation, or by keywords like "admin," "VPN," or "root" to surface privileged logins specifically. That turns a pile of stolen credentials into a targeting tool.
Identities Are the New Attack Surface
Identities have begun to become the new attack surface in this obsessive AI boom. The more identities we use, risk of identity attack surface expands. Nearly all AI tools, SaaS apps, cloud services, developer platforms, browser extensions, and collaboration apps generate new accounts, credentials, API keys, and access tokens that employees utilise on a daily basis. A single credential, whether obtained through phishing, infostealer software, or a third-party breach, ends up in dark web repositories. AI is producing more machine and human identities than ever before and speeding up the use of digital technology. This implies that organisations and users must see each credential as a valuable asset that requires ongoing governance, preservation, and monitoring.
The scale of this is easy to underestimate. Machine identities — service accounts, API keys, tokens, AI agents now outnumber human ones by more than 80 to 1 in the average enterprise. Every AI tool, SaaS app, and cloud service a team adopts spins up more of them, and most are created fast, scoped loosely, and rarely retired. Each one is a credential that can leak, and unlike a person, no one notices when a service account's password hasn't changed in three years.
How One Credential Becomes a Breach
Modern attacks are closely tied to identities far more than to the network vulnerabilities attackers relied on in earlier eras. In addition to usernames and passwords, other identification information such as session cookies, authentication tokens, login URLs, and browser-stored credentials were also present in the exposed repository. Identities are now effectively the new security border in cloud-first and zero trust infrastructures, and access decisions are enforced by authorisation and authentication processes rather than network barriers.
The risk lies not just in the disclosure of credentials but also in what comes next. After gaining initial access, attackers frequently use lateral movement, privilege escalation, and misuse of standing privileges to expand their presence in the environment with the help of compromised credentials, tokens or cookies.
The number of identities that require administration is always increasing as businesses add AI technologies, cloud services, APIs, and machine identities. With real-time credential exposure monitoring, privileged access controls, just-in-time access provisioning, multi-factor authentication, session monitoring, and least privilege enforcement, identity security helps reduce these risks by preventing a single compromised credential from turning into a serious enterprise compromise.
Containing the Damage Before It Spreads
Organisations use a large number of identities on a daily basis for a variety of objectives, but they can never be sure that they will always be safe. Everyday access to cloud services, AI tools, and apps may need users to create new identities and credentials. The challenge is not to prevent every credential exposure, but rather to ensure that a single compromised identity does not turn into a business-wide security crisis.
In practice, that means a few specific things: knowing where your privileged accounts actually are, removing standing access that no one is using, vaulting and rotating credentials so a stolen one expires quickly, granting elevated access only when it's needed and only for as long as it's needed, and recording privileged sessions so misuse is visible. These are the controls that decide whether a leaked password is a non-event or the first step in a breach.
This is the core of what Securden does as an identity security platform. It discovers and vaults privileged credentials, eliminates standing privileged access by granting it just-in-time, enforces least privilege, and monitors privileged sessions across human, machine, and AI identities. The result is a smaller blast radius: less of your environment exposed to any single stolen credential, and the credentials that do leak are vaulted and rotated, so a stolen one is far more likely to be expired or useless by the time an attacker tries it.
Frequently Asked Questions
What is the 24 billion credential exposure and what all was compromised?
Like any other breach, this is not a new breach but a dump of dark web data breach collection that was exposed accidentally by a threat intelligence platform during migration. Compromised data includes usernames and passwords, the database contained session tokens, browser cookies, autofill data, login URLs, and other credential-adjacent data harvested primarily by infostealer malware.
What are non-human identities (NHIs)?
Machine credentials like API keys, AI agents, OAuth tokens, and service account credentials are examples of non-human identities (NHIs). These machine credentials, which outnumber human identities, are used extensively in most organisations. These machine identities need to be handled equally, monitored often, and not over-provisioned with access permissions.
Why are machine identities riskier than human ones in practice?
Human identities are examined, least privilege access is granted, and any anomalous conduct is investigated. Machine identities, on the other hand, typically float within the company without anyone monitoring it. These machine credentials are frequently over-provisioned with access rights, which presents a serious risk to the company.
How can organizations tell if their own credentials are part of exposures like this?
Passwords that have been compromised in several data breaches across the globe are publicly accessible as a data dump. Password managers like Securden can routinely analyse the dump to see if any of the product's passwords match those that have been made public in known data breaches to stop similar occurrences.