24 Billion Stolen Credentials Found in a Single Database: The Infostealer Economy Has Won
24 billion stolen credentials in one database. 8.3TB of plaintext passwords and login URLs harvested by infostealers. The credential economy has scaled.

In June 2026, Cybernews researchers discovered a publicly exposed Elasticsearch database containing over 24 billion stolen credential records. The database held more than 8.3 terabytes of data, including usernames, email addresses, plaintext passwords, login URLs, and source details tied to each record. Most records appeared to originate from infostealer malware logs, Telegram cybercrime channels, previous breach compilations, and datasets exported from live criminal servers.
This is not the largest credential leak in history by record count alone. But it may be the most dangerous, because of what it represents: the industrial consolidation of the credential theft economy into searchable, structured databases that enable automated account takeover at planetary scale.
The Infostealer Pipeline
The 24 billion credentials in this database did not come from a single breach. They were harvested over time by infostealer malware, primarily Lumma Stealer, RedLine, Raccoon, and their variants, running silently on millions of infected devices worldwide.
The pipeline works like this: a user downloads a cracked game, a fake software update, or a malicious browser extension. The infostealer activates, harvesting every saved password from every browser, every session cookie, every autofilled credential. The data is packaged and transmitted to a command-and-control server. From there, it is sold in bulk on Telegram channels and criminal marketplaces, aggregated into compilation databases, and eventually used for credential stuffing attacks against high-value targets.
The Vercel breach started this way. A Context.ai employee downloaded Roblox cheats, got infected with Lumma Stealer, and the stolen credentials eventually enabled a chain of compromises that reached Vercel's customer environment variables. The Mercor breach flowed from the same infostealer-to-supply-chain pipeline. This is not a theoretical attack path. It is the dominant initial access vector in 2026.
What makes this particular database significant is the inclusion of login URLs alongside credentials. An attacker does not need to guess which service a credential belongs to. The database tells them exactly where to use each password. Automated tools can consume this data and attempt logins across thousands of services simultaneously, prioritizing corporate email, cloud consoles, VPN portals, and SaaS platforms.
What This Means for Authentication
When building the CIAM platform that served over a billion users, we invested heavily in credential security: proper hashing algorithms, breach detection integrations, and compromised credential checking at login. But the scale of this database challenges every assumption about password-based authentication.
Twenty-four billion records means that a meaningful percentage of every password ever created is already in attacker hands. Password rotation does not help when infostealers harvest the new password within hours of it being set. Password complexity requirements are irrelevant when the actual password, regardless of complexity, is stolen from the browser's credential store.
The only durable defense is to eliminate passwords as an authentication factor entirely. Passkeys and FIDO2 security keys are cryptographically bound to the relying party and cannot be phished, replayed, or harvested by infostealers. They represent the authentication architecture that the infostealer economy cannot defeat.
For organizations that cannot immediately transition to passwordless authentication, the minimum viable defense is enforcing MFA on every account, monitoring for credential stuffing patterns, and subscribing to breach notification services that detect when employee credentials appear in criminal databases. The month-long gap between the Context.ai credential theft and the Vercel breach demonstrates that early detection can break the attack chain.
Key Takeaways
- An exposed Elasticsearch database containing 24 billion stolen credentials (8.3TB) was discovered in June 2026
- Records include usernames, plaintext passwords, login URLs, and source details, primarily from infostealer malware
- Login URLs paired with credentials enable automated, targeted credential stuffing at massive scale
- The infostealer-to-enterprise breach pipeline is now the dominant initial access vector (Vercel, Mercor, LiteLLM all trace back to stolen credentials)
- Passwordless authentication via passkeys/FIDO2 is the only architecture that eliminates the credential theft attack surface
Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve over 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.
Get the newsletter
New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.