This might be the biggest password leak we’ve ever seen
Story by
Data leaks happen so often these days that most of us just shrug and move on. But every once in a while, one comes along that actually makes you stop and check your own passwords. This is one of those times.
Cybernews researchers found an exposed Elasticsearch cluster sitting wide open on the internet, packed with 24 billion records and more than 8.3TB of data. The team says they triple-checked the numbers because even they couldn’t quite believe it at first.
Most of what’s in there are infostealer logs. That means usernames, emails, and plaintext passwords pulled straight off infected devices, along with the login URLs those credentials unlock. The data came from 36 different sources, including more than 30 Telegram channels dedicated to trading stolen credentials, plus old breach compilations and a massive bucket simply labeled “collections” that accounts for over 22 billion records on its own.
A few details stood out to me. Nearly 260 million records came from channels referencing the old Darkside ransomware gang, the same group behind the Colonial Pipeline attack years back. There’s also a chunk of data tied to the AntiPublic combo list that’s been floating around since 2016, and researchers even found CVE entries and news articles referencing a recent PyPI supply chain attack, suggesting whoever’s hoarding this stuff is actively tracking the security world to keep their collection fresh.
The database has since been taken offline, but that doesn’t really undo the damage. If you’ve reused a password anywhere over the last few years, there’s a real chance it’s sitting in this pile right now.
What can you do to protect yourself?
This isn’t even the first time we’ve seen something on this scale. Cybernews flagged a 16 billion record leak just last year, and the infamous “26 billion record” mother of all breaches from 2024 is still the only thing that comes close to this new discovery.
So what should you actually do? Stop reusing passwords, for starters. Grab a proper password manager if you haven’t already, and turn on two-factor authentication everywhere it’s offered. It’s not glamorous advice, but it’s the difference between this leak being someone else’s problem and it becoming yours.
The post This Might Be the Biggest Password Leak We’ve Ever Seen appeared first on Android Headlines.
