24 billion leaked credentials: what UK businesses must do

Written by Aaron Flack | Jun 22, 2026

A database containing approximately 24 billion credential records has been discovered exposed on the public internet. The data includes plaintext usernames and passwords drawn from dozens of sources, and it is already circulating among threat actors. For UK businesses in regulated sectors, the question is not whether this affects them. It is how much, and how fast they can act.

What is the 24 billion credential leak and where did it come from?

According to CyberNews researchers, the exposed database was hosted on an Elasticsearch cluster and totalled more than 8.3 terabytes of data. Approximately 24 billion credential records were contained within it, drawn from 36 distinct sources. Approximately 1.7 billion records originated from hacking-related Telegram channels, where stolen data is routinely traded and shared. Passwords throughout the dataset were stored in plaintext.

Subsequent reporting confirmed that the exposure resulted from a misconfiguration during a temporary migration. The data was not the product of a single breach. It represents a compilation of credentials harvested across numerous previous incidents, aggregated in one location and left accessible without authentication controls.

This is not the first compilation of this scale. CyberNews and multiple outlets reported on RockYou2024 in July 2024, which contained approximately 10 billion unique plaintext passwords, and the Mother of All Breaches in January 2024, which comprised 26 billion records. Each of these events reflects an escalating trend: credentials stolen across years of separate incidents are being consolidated into increasingly large, searchable databases that lower the cost and effort of launching automated attacks.

How infostealer malware harvests credentials from business devices

A significant proportion of credentials in compilations like this one arrive via infostealer malware. These are lightweight programmes, often delivered through phishing emails or malicious downloads, that run silently on an infected device and extract saved passwords, session tokens, and authentication cookies from browsers, email clients, and business applications.

The harvested data is then exfiltrated to attacker-controlled infrastructure and either sold on criminal marketplaces or published to channels like those referenced in this dataset. The entire process, from infection to exfiltration, can complete in minutes.

Infostealer infections often go undetected for days or weeks. By the time an organisation identifies the compromise, the credentials are already in circulation.

Why UK SMEs in regulated sectors face the highest risk

The volume of a leak like this matters less than what attackers do with it. Credential stuffing is the primary exploitation method. Attackers take username and password pairs and test them systematically across hundreds of services. According to Akamai's 2024 Securing Apps Report, more than 26 billion credential stuffing attempts occur globally each month.
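Credential stuffing leaves a recognisable trace in authentication logs: one source address fails against many distinct usernames in a short window, one or two attempts each, which is the opposite shape from a brute-force attack that hammers a single account. The detector below is an added example written for this article, not code from any product named on the page; the log format and the sample lines are constructed for illustration, and the thresholds (five distinct users in five minutes) are assumptions a team would tune to its own traffic.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example with a constructed log format (hypothetical, not a real
product's format). A source that fails against many *distinct* accounts in
a short window is treated as a stuffing source; any success it achieved is
reported as a likely compromised account that needs a forced reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2026-06-22T09:14:01Z auth result=failure user=alice src=203.0.113.7
2026-06-22T09:14:02Z auth result=failure user=bob src=203.0.113.7
2026-06-22T09:14:02Z auth result=failure user=carol src=203.0.113.7
2026-06-22T09:14:03Z auth result=failure user=dave src=203.0.113.7
2026-06-22T09:14:03Z auth result=failure user=erin src=203.0.113.7
2026-06-22T09:14:04Z auth result=success user=frank src=203.0.113.7
2026-06-22T09:15:10Z auth result=failure user=alice src=198.51.100.9
2026-06-22T09:15:40Z auth result=failure user=alice src=198.51.100.9
2026-06-22T09:16:05Z auth result=success user=alice src=198.51.100.9
2026-06-22T10:02:00Z auth result=success user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"targeted_users": [...], "successful_logins": [...]}}
    for every source that failed against >= min_users distinct accounts
    inside any sliding window of length `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                successes = sorted({e["user"] for e in evs if e["result"] == "success"})
                findings[src] = {"targeted_users": sorted(users),
                                 "successful_logins": successes}
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: tried {len(f['targeted_users'])} accounts, "
              f"succeeded on {f['successful_logins'] or 'none'}")
```

In the sample, 203.0.113.7 is flagged (five accounts in two seconds, then a success on `frank`), while 198.51.100.9 is not: two failures against a single user followed by a success is ordinary user behaviour or at most a brute-force attempt, and needs a different rule. The accounts listed under `successful_logins` are the ones to reset first.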

Organisations in financial services, legal, and professional services are attractive targets for two reasons. First, the value of the data they hold is higher. Client records, transaction data, legal files, and privileged communications carry significant resale value and can be used for fraud, extortion, or competitive intelligence. Second, regulatory frameworks, including those set by the Financial Conduct Authority and the Information Commissioner's Office, impose reporting obligations and financial penalties when a breach results from inadequate access controls.

Password reuse compounds the risk substantially. An employee who uses the same credentials for a personal account and a business system creates a direct pathway from a personal breach into a corporate environment.

How to check whether your organisation's credentials are exposed

Several legitimate services allow organisations to check whether their domain has appeared in known breach datasets. Have I Been Pwned (haveibeenpwned.com) provides domain-level searches and email notification alerts. Commercial breach monitoring services also aggregate data from compiled datasets, though any service used for this purpose should be evaluated against your data handling obligations before use.

Checking a domain name does not confirm that individual accounts are secure. It confirms only that credentials associated with that domain have appeared in known public datasets. Credentials from corporate systems that do not use a business domain may not surface through these tools.

Five steps your IT team should take in the next 48 hours

  1. Run a domain search against Have I Been Pwned and any breach monitoring tools your organisation already has access to. Prioritise accounts with administrative privileges.
  2. Force a password reset for any accounts that appear in results, and for any accounts where the password has not been changed in the past 12 months. Where possible, block known compromised passwords at the identity provider level. The NCSC advises organisations to do exactly this as part of standard authentication hardening.
  3. Enforce multi-factor authentication on every account that does not already have it, starting with email, VPN, and cloud services. Identity and access management controls are the most direct technical control against credential-based access.
  4. Review endpoint detection coverage across all devices that connect to business systems. Infostealer infections that preceded this compilation may still be active. Threat and vulnerability management, including dark web credential monitoring, provides early warning when employee credentials appear in new datasets.
  5. Implement account lockout and rate limiting on externally accessible services. The NCSC recommends both as baseline controls against credential stuffing. A managed Security Operations Centre with anomaly detection can identify unusual authentication patterns before an account is fully compromised.
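Step 2 asks for known compromised passwords to be blocked at the identity provider. The usual way to do that without sending passwords to a third party is the k-anonymity range protocol published for Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known `SUFFIX:COUNT` line for that prefix, and matches locally. The code below is an added example written for this article, not code from the page, the NCSC or Have I Been Pwned. The endpoint URL and response format are the service's documented ones; the "breached" passwords and counts used by the offline stand-in are constructed, and the 12-character minimum is an assumed policy value.

```python
"""Compromised-password check using the k-anonymity range protocol.

Added example, not code from the article or any identity provider. Only a
5-character SHA-1 prefix leaves the machine; the match is made locally.
"""
import hashlib
import urllib.request


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of `password` into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password, fetch_range):
    """Number of times `password` appears in the list, 0 if never.
    Padded entries (count 0, returned when padding is requested) are
    treated as not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Real Pwned Passwords range endpoint. Not called by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetcher(known_passwords):
    """Offline stand-in that answers like the range API for a constructed
    set of 'breached' passwords with hypothetical counts."""
    by_prefix = {}
    for pw, count in known_passwords.items():
        p, s = sha1_prefix_suffix(pw)
        by_prefix.setdefault(p, []).append(f"{s}:{count}")

    def fetch(prefix):
        return "\r\n".join(by_prefix.get(prefix, []))

    return fetch


def password_policy_check(password, fetch_range=None, min_length=12):
    """Apply a length floor, then reject anything present in the breach list."""
    fetch_range = fetch_range or live_fetch_range
    if len(password) < min_length:
        return "reject: too short"
    n = breach_count(password, fetch_range)
    if n:
        return f"reject: seen in {n} breaches"
    return "accept"


# Constructed breach list for the offline demonstration (counts are invented).
FAKE_FETCH = make_fake_fetcher({"Password123!": 1200, "correcthorsebatterystaple": 3})

if __name__ == "__main__":
    for pw in ["Password123!", "short", "a-long-unique-phrase-2026"]:
        print(pw, "->", password_policy_check(pw, FAKE_FETCH))
```

Wiring this into a password-change or registration flow is what turns the NCSC advice into a control: the check runs before the new password is accepted, and the user sees only that the password is not permitted, not the count.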

How to reduce your exposure to future credential leaks

This compilation is a consequence of incidents that occurred months or years before the database was discovered. Reducing future exposure means addressing the conditions that allow credentials to be stolen in the first place.

The NCSC updated its authentication guidance in April 2026 to formally recommend passkeys as the preferred replacement for traditional passwords. Passkeys are cryptographic credentials tied to a specific device and cannot be phished or reused across services. Organisations beginning a transition away from password-based authentication now are reducing their exposure to the next compilation, not just the current one.

Beyond authentication architecture, the absence of multi-factor authentication remains the variable that converts a leaked credential into a successful breach. Credential theft is consistently ranked as the leading initial access vector in major breach reports, including the Verizon Data Breach Investigations Report. That finding has not changed materially in years. The credentials in this compilation were already stolen. Whether one of them opens a door into a business depends on what controls are behind it.

Frequently asked questions

What is the 24 billion credential leak?

According to CyberNews researchers, approximately 24 billion credential records were found exposed in a publicly accessible Elasticsearch database totalling more than 8.3 terabytes. The data was drawn from 36 distinct sources and included plaintext passwords. Subsequent reporting confirmed the exposure resulted from a misconfiguration during a temporary migration rather than a targeted intrusion.

Does this leak affect UK businesses?

Any organisation whose employees reuse passwords across personal and business accounts, or whose credentials have appeared in earlier breaches that fed this compilation, faces elevated risk. UK businesses in financial services, legal, and professional services are particularly attractive targets because of the value of their data and the regulatory consequences of a breach resulting from weak access controls.

What is infostealer malware and how does it work?

Infostealer malware is typically delivered via phishing emails or malicious downloads. Once installed on a device, it silently extracts saved passwords, browser session tokens, and authentication cookies before exfiltrating the data to attacker-controlled infrastructure. The process can complete in minutes, and infections often go undetected for days or weeks.

What should my IT team do right now?

Check your domain against Have I Been Pwned, force password resets for affected and high-privilege accounts, enforce multi-factor authentication across email, VPN, and cloud services, review endpoint detection coverage, and implement account lockout and rate limiting on externally accessible systems. The NCSC advises all of these measures as part of standard authentication hardening.

How does this differ from a traditional data breach?

A traditional breach involves an attacker gaining unauthorised access to a specific organisation's systems and exfiltrating data. This compilation is an aggregation of credentials from dozens of separate earlier incidents, brought together in one database. No single organisation was breached to create it. The risk to any one business comes from whether its employees' credentials appeared in any of the contributing incidents.

Can multi-factor authentication stop credential stuffing attacks?

Multi-factor authentication significantly reduces the risk. Even if an attacker holds a valid username and password, they cannot complete authentication without the second factor. It does not make an account impenetrable, but it converts a straightforward credential stuffing attempt into a substantially harder problem. The NCSC recommends MFA as a primary control, and its April 2026 guidance goes further by recommending passkeys as the preferred long-term replacement for passwords entirely.