
24 Billion Stolen Logins: What a Record Credential Dump Means for Your Defences
In the middle of June 2026, researchers at Cybernews stumbled across an Elasticsearch cluster that nobody had bothered to lock. Inside sat roughly 24 billion records, about 8.3 terabytes of usernames, email addresses, login URLs and, in far too many cases, passwords stored in plain text. It was quietly pulled offline once reported, but by then the point had already been made. The raw material for the next wave of account takeovers is not sitting in some elite hacker's private vault. It is being aggregated, indexed and sold in the open.
A leak this size is not really a new breach. It is a stock-take of everything already stolen, tidied into one searchable pile. That is exactly what makes it dangerous, and it is why credential stuffing deserves a place near the top of your risk register this quarter.
What was actually in the pile
The dataset did not come from a single company being breached. Cybernews traced it back to around 36 separate sources: old breach compilations, dumps posted to hacking forums, and a large volume pulled straight from Telegram channels. Roughly 1.7 billion of the records came from those channels alone, some of them dedicated to trading stolen card data. Bolted onto the credentials was a layer of context that should worry defenders more than the passwords themselves: CVE vulnerability identifiers, GitHub links and social media posts about recent breaches. One article inside the collection was dated February 2026, which tells you the database was not a dusty archive. Someone was still feeding it.
A good chunk of the freshest material came from infostealer logs, and that distinction matters. A breach of one website leaks the credentials for that one website. An infostealer log is the contents of an infected device: every password saved in the browser, autofill data, device fingerprints, and often the active session cookies and tokens that keep a user logged in. In other words, it is not just the key to one door. It is the whole keyring, plus a photograph of the person holding it.
Why a heap of old passwords still hurts
The attack that turns a dump like this into breached accounts is credential stuffing, and it is depressingly simple. Attackers take the leaked email-and-password pairs and replay them, at machine speed, against login pages that had nothing to do with the original theft. Your corporate webmail, your VPN portal, your finance SaaS. They are betting on one human habit that no amount of policy has managed to kill: password reuse. If a member of staff used the same password for a hobbyist forum in 2021 that they still use for a work application today, that forum's breach is now your problem.
The economics favour the attacker. Automated tools can test millions of pairs across thousands of sites, rotating through residential proxies so the traffic looks like ordinary users signing in from ordinary places. Even a success rate well under one percent is worth it when the input list runs to billions. This is a volume game, and the June leak just handed the players a much bigger deck.
The session-token problem
Multi-factor authentication stops most of this. When an attacker replays a valid password, a second factor blocks the login because they cannot produce the code or approve the prompt. That is why MFA remains the single highest-value control against automated stuffing. The catch is the infostealer angle. If the original victim's machine was infected, the attacker may already hold a live session cookie, which represents an already authenticated session. Replaying that token can walk straight past the MFA check, because from the application's point of view the user has already proven who they are. Passwords are the noisy problem. Stolen sessions are the quiet one.
What this looks like when it lands
Picture a mid-sized firm with cloud email and single sign-on. An employee reused a password that appears in the June dump. Overnight, a stuffing bot finds the match against the company's sign-in page. Because the account had MFA, the first attempt stalls, but the attacker also holds a session token lifted from an infostealer log, so a second route in succeeds. From there it is a familiar sequence: read the mailbox quietly, learn who approves invoices, set an inbox rule to hide the replies, and wait for a payment to reroute. No malware alarm ever fires, because nothing was installed. A valid account simply started behaving in a way nobody was watching for.

Controls that actually blunt it
None of this is unbeatable. It responds well to a handful of controls that reinforce one another, so the failure of any single layer does not become a breach.
- Kill password reuse at the root. Push a password manager so every account gets a unique, long, random credential. Reuse is the fuel; remove it and stuffing lists go cold.
- Move towards phishing-resistant authentication. Passkeys and FIDO2 security keys bind the login to the device and the genuine site, so a replayed password or a proxied login page has nothing to work with.
- Check your own credentials against the leaks. Feed known-breached password lists into your identity platform and force a reset on any match. Treat a hit as an incident, not a nag.
- Hunt for the infostealer, not just the password. Endpoint detection, and revoking and rotating session tokens after any suspected compromise, closes the door the second factor cannot.
- Make the login itself hostile to bots. Rate limiting, sensible lockouts, and conditional access that weighs device health, location and impossible-travel all raise the cost of high-volume replay.
- Watch sign-in telemetry. A spike in failed logins from scattered addresses is the signature of a stuffing run. Alert on it and you catch the attempt while it is still an attempt.
CISA and the NCSC both point to the same core measures: unique credentials, strong and ideally phishing-resistant MFA, and monitoring for anomalous authentication. The advice is not new. What the June leak changes is the urgency, because the input list has never been this large or this well maintained.
The human layer decides it
Every control above eventually runs into people. Staff choose the passwords, click the lookalike login page, and approve the prompt they should have questioned. That is why testing and coaching sit alongside the technical fixes rather than beneath them. A short phishing simulation that mimics a credential-harvesting page shows you, in real numbers, who is likely to hand over a password to a convincing fake, and it does so before a real attacker runs the same experiment. Pair that with an easy way to report a suspicious email so that the first person to spot a fake login lure can warn everyone else in one click. And if you want a sense of where you stand overall, a cyber readiness benchmark turns a vague worry about human risk into something you can measure and improve.
The bottom line
The 24 billion figure grabs headlines, but the number is not the story. The story is that credential theft has become an organised supply chain, complete with fresh stock, vulnerability intelligence and a ready market. You cannot un-leak a password that is already in the pile, so the win is to make each leaked credential worthless: unique everywhere, backed by phishing-resistant MFA, watched at the login, and reinforced by staff who know what a credential trap looks like. Do that, and a record-breaking dump becomes a headline you read rather than a breach you report.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
