- Cybernews found an exposed Elasticsearch database with 24 billion credentials in plain text from 36 sources
- Archive (~8TB) compiled records of data thefts, Telegram leaks and data from previous breaches; periodically updated
- Unknown owner; mix of English and Russian sources, including 260 million records linked to “Darkside” channels
A colossal database containing 24 billion records was found on the Internet, available to anyone who knew where to look, including usernames, passwords, and login URLs, all stored in plain text.
The Elasticsearch database was discovered earlier this month by security researchers from cyber newswho believe that it is a compilation of different records generated by various information thieves.
“The credential data breach is dangerous simply because of its sheer size.” cyber news saying. “Since the data was leaked online, billions of affected accounts are at serious risk of takeover, especially if they are not protected with multi-factor authentication.”
Unknown identity
The file was blocked shortly after being discovered, preventing the Cybernews team from conducting further analysis, although they managed to determine that the information came from 36 different sources, “ranging from Telegram channels to combined data collections from previous data breaches and data sets exported directly from live target servers.”
The file was over eight terabytes in size, making it one of the largest files ever discovered. Unfortunately, it is impossible to determine how many entries are duplicates, although it is safe to assume that at least some of them are.
Cybernews was also unable to determine the age of the findings, but emphasized that based on the February 2026 news article contained in the data leak, it could conclude that the group was updated periodically.
The identity of the owner of the database remains a mystery. Most of the Telegram feeds listed inside were in English, but some were also in Russian. Additionally, around 260 million records come from Telegram channels with the word “Darkside”, in reference to a now-defunct ransomware group that was responsible for the catastrophic attack on Colonial Pipeline a few years ago.
Whoever it is, they appear to be actively monitoring the cybersecurity landscape and updating the collection frequently.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
