24 Billion Stolen Records, Explained: What the Leak Actually Means for You
A database of 24 billion stolen records turned up exposed online. The number is staggering and also misleading. What really leaked, and what to do about it.
Another week, another terrifying number. This one is 24 billion. Researchers at Cybernews found a database sitting wide open on the internet, 8.3 terabytes of it, with roughly 24 billion records inside: usernames, email addresses, passwords in plain text, and the exact sites those logins open. It went up, got noticed, and came down between June 12 and June 15.
The headline is real, and it is also doing a great deal of work to scare you. The honest reaction lives somewhere between panic and a shrug, and to get there you have to know what this pile of data actually is.
What actually leaked
The database lived on an Elasticsearch cluster, which is just a fast search server. It was left online with no password and no firewall, so anyone who stumbled onto it could read the whole thing.
Almost all of it was infostealer logs. An infostealer is malware that gets onto someone's device and quietly scrapes off everything worth stealing: every password saved in the browser, the autofill data, and the session cookies and tokens that keep you logged in to your accounts. Whoever built this hoard pulled it from 36 places, mostly Telegram channels where criminals trade stolen credentials, plus old breach compilations and giant bundles labeled, helpfully, "collections."
So no, this was not one company getting hacked. It was a collector's stockpile, put together from a lot of separate thefts over a long stretch of time.
Is the 24 billion number real?
Yes and no.
Twenty-four billion is the raw count of records. The researchers said plainly that they could not tell how many were duplicates, or how many actual human beings were behind them. Around 22.6 billion of them sat in those vague "collections," which are almost certainly the same credentials repeated over and over and recycled from older leaks. The whole thing was taken offline before anyone could really pull it apart.
We have seen this before, too. A nearly identical 26 billion record dump made the rounds in 2024 and turned out to be sourced from a breach search engine. A 16 billion record version showed up in July 2025.
So read 24 billion as "an enormous, heavily duplicated pile," not "24 billion fresh victims."
Why the boring half is the dangerous half
Here is what the big number hides. The records worth worrying about are not the recycled old passwords. They are the fresh infostealer logs, and they are a different animal than the breach you are used to.
When a company gets breached, you change your password and you are mostly done. An infostealer log does not work that way. It came off a device that is, or recently was, infected. Sitting right next to the password is the live session token, the small piece of data (usually a cookie) that tells a website you are already logged in. With that token, an attacker can sometimes walk straight into your account with no password at all, sailing right past the multi-factor prompt you set up to stop exactly this, because the site already saw you pass that prompt when the session was created. Whoever ran the collection also appeared to be topping the pile up with new breach data, so treat it as a living thing, not a museum piece.
That is why "just change your password" is not enough here. If your credentials are in an infostealer log, the password was never the real problem. The infected device is.
Breaches are not the crime. They are the fuel.
A dump like this is almost never the end of a story. It is the raw material at the start of one.
Stolen credentials get sorted, sold, and poured into the frauds you actually feel: the account takeover that empties a bank login, the "your account has been compromised" phone call that knows just enough real detail to sound legitimate, the credential stuffing that turns one reused password into ten broken accounts. The person who steals the data is hardly ever the person who uses it. It moves down a supply chain, and at the far end is a call or a text or an email that lands on someone who never knew their information was loose in the first place.
Following that chain, from the open database to the knock on the door, is the whole difference between flinching at headlines and actually getting in front of the thing that hurts you.
What to actually do
Skip the part where you stare at a breach tracker. Do this instead.
Find out what is actually exposed. Run your email through a reputable checker. Have I Been Pwned is the standard, and Cybernews and Malwarebytes run their own. It tells you which of your logins have turned up in known leaks, which is where you aim.
Assume the device might be the problem. These logs come off infected machines, so scan your computer and your phone. If something turns up, clean it before you change a single password. Otherwise you are handing the fresh password right back to whoever is watching.
Change the passwords that matter, from a device you trust. Email first, because it unlocks everything else, then your bank, then anything that touches money. Never use the same password twice. A password manager is what makes that realistic instead of a nice idea you never follow.
Sign out everywhere. In the security settings of your important accounts, hit "log out of all devices." Almost nobody does this, and it is the one step that reliably kills a stolen session token. Some sites also end your other sessions when you change your password, but many do not, so do not assume the password change took care of it.
Turn on multi-factor authentication, and use an app or a hardware key, not text messages. Texted codes are the weakest version of a good idea.
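Why the "sign out everywhere" step matters, shown in code. This is an added example, not code from the article or from any real website: a toy login service with a made-up account, password and MFA code. It shows the mechanism described above (a stolen session token walks in without password or MFA, and changing the password alone does not evict it) and the fix from the steps just listed (revoking all sessions does).

```python
"""Toy model of why a stolen session token sidesteps MFA, and why
'log out of all devices' is the step that kills it.

Added example. The service, the account, its password and MFA code,
and the 'stolen' token are all constructed for this demo."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash, as a real site would store it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    mfa_secret: str
    # Live session tokens for this account. Real services keep these
    # server-side too, keyed by an opaque random id handed to the browser.
    sessions: set = field(default_factory=set)


class ToyService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str, mfa_secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), mfa_secret)

    def login(self, user: str, password: str, mfa_code: str) -> Optional[str]:
        """Password + MFA check. This is the only path that ever asks for a code."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            return None
        if mfa_code != acct.mfa_secret:  # stand-in for a TOTP/hardware-key check
            return None
        token = secrets.token_urlsafe(32)  # what the browser stores as a cookie
        acct.sessions.add(token)
        return token

    def whoami(self, token: str) -> Optional[str]:
        """What every later request does: present the token. No password, no MFA."""
        for user, acct in self.accounts.items():
            if token in acct.sessions:
                return user
        return None

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        # Sessions deliberately left untouched: many sites behave exactly this way.

    def logout_everywhere(self, user: str) -> None:
        """The 'log out of all devices' button: every existing token dies."""
        self.accounts[user].sessions.clear()


def demo() -> dict[str, bool]:
    svc = ToyService()
    svc.register("alice", "hunter2", "123456")          # constructed victim account
    token = svc.login("alice", "hunter2", "123456")     # victim logs in normally
    stolen = token  # an infostealer copies the browser's cookie jar; attacker holds this

    results = {}
    # 1. Token alone is enough. No password, no MFA prompt.
    results["attacker_in_with_token_only"] = svc.whoami(stolen) == "alice"
    # 2. MFA still does its job against a fresh login with a bad code.
    results["fresh_login_blocked_by_mfa"] = svc.login("alice", "hunter2", "000000") is None
    # 3. Changing the password does not evict the stolen session.
    svc.change_password("alice", "correct horse battery staple")
    results["still_in_after_password_change"] = svc.whoami(stolen) == "alice"
    # 4. Revoking all sessions finally does.
    svc.logout_everywhere("alice")
    results["locked_out_after_logout_everywhere"] = svc.whoami(stolen) is None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order in `demo()` is the order the steps above recommend: the token is what an infected device leaks, the password change alone leaves it valid, and only the explicit session revocation shuts the attacker out.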
How to keep your credentials out of the next dump
Infostealers come through a few predictable doors, and shutting those is most of the battle. They ride in on malicious search ads and fake "update your browser" pop-ups, so reach software through the real site instead of clicking the sponsored result. They hide in pirated software, game cheats, and junk browser extensions, which is how the free download turns out to be the expensive one. And a newer trick called ClickFix talks you into infecting your own machine by having you copy and paste a "fix" or run a command. Do not run a command or a script you copied off a website, an email, or a message unless you truly know what it does. When in doubt, don't do it.
The short version
Twenty-four billion is a real number and a misleading one, mostly duplicated and recycled. The part that deserves your attention is the fresh infostealer data, because that is what feeds the takeovers and scams that come next. Check what is exposed, make sure your devices are clean, change the passwords that count from a machine you trust, sign out of your old sessions, and turn on real multi-factor authentication. Then go live your life.
Frequently asked
Was I in the 24 billion record leak? Maybe, and nobody can tell you for certain, because it was pulled offline before it could be fully analyzed and the records were never tied to a clean list of names. Run your email through an exposure checker and act on whatever it shows you.
Do I have to change every password? Change the ones that matter and any you have reused, ideally from a device you have already scanned. Reuse is the real danger, because one stolen login quietly becomes ten.
Is multi-factor authentication still worth it if a token can skip it? Yes. Token theft is a narrower attack that needs an infected device, and solid MFA still shuts down the large majority of account takeovers. Use an app or a hardware key rather than texted codes.
The Fraud Codex is an educational project. Nothing here is legal advice, and this article is not an advertisement for, or a solicitation of, legal services.
- 24 billion records exposed in colossal data leak, Cybernews
- 24 billion stolen records exposed online. Here's what to do, Malwarebytes
- Experts warn "colossal" breach exposes 24 billion records, TechRadar
- 16 billion credentials exposed in infostealer data leak (2025), Cybernews
- The "mother of all breaches": 26 billion records (2024), Malwarebytes
