The exposure of 24 billion records is one of those subjects that keeps surfacing in every security conversation. I have been writing about data breaches for years, and every time I think I have seen the worst of it, something bigger comes along. This week, Cybernews researchers uncovered something that genuinely made me stop and stare: an Elasticsearch database containing 24 billion records sitting exposed on the internet, available to anyone who knew where to look.
Twenty-four billion. That is not a typo.
To put that in perspective, that is roughly three records for every single person on Earth. The archive was more than eight terabytes in size and was compiled from 36 different sources, including infostealer malware logs, Telegram channel dumps, and previous data breach collections. It contained usernames, passwords, and login URLs, all stored in plaintext. No encryption, no hashing, just a giant spreadsheet of credentials waiting to be exploited.
What Makes This One Different
We have seen massive credential collections before. The 2024 “Mother of All Breaches” clocked in at 26 billion records. The RockYou2024 leak contained around 10 billion unique passwords. But there are a few things about this one that should worry you more than the usual breach headline.
First, the data came from infostealer malware. That means these credentials were harvested from real infected devices, not just scraped from older database dumps. Infostealers like RedLine, Raccoon, and Vidar run silently on compromised computers, scooping up saved passwords, browser cookies, and session tokens. They upload everything to a command server, and whoever controlled this collection has been aggregating those logs at scale.
Second, it was regularly updated. Cybernews noted that the database was actively maintained, with fresh data being added over time. This was not a static archive from years ago. It was a living collection that someone had been curating.
Third, the data included cookies and session tokens, not just passwords. That is a problem because even if you change your password, an attacker with a valid session token can still access your account. Multi-factor authentication helps, but it is not foolproof when session tokens are in play.
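Whether a stolen session token outlives a password change depends on how the service stores its sessions. The sketch below is an added example, not code from Cybernews or from any service mentioned here; `SessionStore` and its methods are hypothetical names. It compares a store that ignores password changes with one that ties every session to a per-user counter bumped on each change.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory session store; all names here are hypothetical."""

    def __init__(self, revoke_on_password_change, ttl_seconds=3600):
        self.revoke = revoke_on_password_change
        self.ttl = ttl_seconds
        self.epoch = {}     # user -> counter bumped on each password change
        self.sessions = {}  # sha256(token) -> (user, epoch at login, expiry)

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked session table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        epoch = self.epoch.setdefault(user, 0)
        self.sessions[self._key(token)] = (user, epoch, now + self.ttl)
        return token

    def change_password(self, user):
        if self.revoke:
            self.epoch[user] = self.epoch.get(user, 0) + 1

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        record = self.sessions.get(self._key(token))
        if record is None:
            return None
        user, epoch, expiry = record
        if now >= expiry or epoch != self.epoch.get(user):
            del self.sessions[self._key(token)]  # expired or revoked
            return None
        return user


def stolen_token_survives(revoke_on_password_change):
    """Constructed scenario: a token is copied, then the victim resets."""
    store = SessionStore(revoke_on_password_change)
    stolen = store.login("alice")    # session cookie copied off the device
    store.change_password("alice")   # victim follows the advice and resets
    fresh = store.login("alice")     # victim signs in again
    assert store.validate(fresh) == "alice"
    return store.validate(stolen) == "alice"
```

With revocation off, the copied token keeps working after the reset, which is the situation described above; with it on, only the session created after the reset validates.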
Whose Data Is In There?
The archive contained records from English and Russian-language sources, including 260 million records tied to “Darkside” channels. The identity of the person or group behind it remains unknown. The database was locked down shortly after Cybernews notified the hosting provider, preventing deeper analysis.
But here is what we know for certain: if you have ever saved a password in your browser, logged into a service on a shared computer, or downloaded something from an untrustworthy source, there is a chance your credentials are in this collection. The sheer scale of 24 billion records across 36 sources means the overlap is significant.
What You Should Do Right Now
I am going to keep this practical because there is no point panicking. Here is your action list.
Change your passwords. Not tomorrow, today. Use strong, unique passwords for every service. A password manager is not optional anymore; it is essential. If you are still reusing passwords across sites, stop. This breach is exactly why that habit is dangerous.
Enable multi-factor authentication everywhere it is available. Yes, it is a minor inconvenience. Yes, it is worth it. MFA stops the vast majority of credential-stuffing attacks dead in their tracks.
Check your accounts for suspicious activity. Look for login attempts from unfamiliar locations, password reset emails you did not request, and changes to your recovery details. If you see anything unusual, act immediately.
Run a security scan on your devices. Infostealers often leave traces. A good antivirus scan can catch infections you did not know you had. Keep your operating system and software updated.
Consider using passkeys where available. Apple, Google, and Microsoft all support passkeys now. They use your fingerprint or face scan instead of a password, and they cannot be phished, guessed, or leaked in a credential dump. It is a better model.
The Bigger Picture
This leak is not a wake-up call for the cybersecurity industry. The industry has been wide awake for years. It is a wake-up call for the rest of us. The systems we rely on for everyday digital life have been built on a fragile foundation of passwords that can be stolen, shared, and exploited at a scale that is hard to comprehend.
The risk to individuals is real and immediate. Anyone with access to these 24 billion records can attempt account takeovers across banking, email, social media, healthcare portals, and corporate systems. For people who still use the same password across multiple accounts, the damage can be cascading.
For organisations that lack multi-factor authentication or good credential hygiene, the threat is even more severe. This is not a theoretical risk. It is happening now.
The internet’s security model was designed for a world where breaches were rare and small. We do not live in that world anymore. Twenty-four billion records exposed in plaintext is not a data leak. It is a systemic failure that demands a better system. And until we get one, your best defence is doing the boring stuff: unique passwords, two-factor authentication, and never trusting that a service will protect your data better than you can protect yourself.
