Cybernews: 24 Billion Login Records Were Left Exposed Online

Cybernews Finds 24 Billion Exposed Login Records Online
© E. Vartanyan

Researchers at Cybernews found a huge database exposed online, containing around 24 billion records. The archive included logins, passwords and authorization page URLs, all stored in plain text. According to the researchers, the database may have been assembled from logs of various infostealers and other leaks.

Cybernews sees the main danger in the sheer scale of the find. Even if some records are duplicates, the collection may still involve billions of accounts at risk of takeover. Users who reuse the same password across multiple services and have not enabled multifactor authentication are especially exposed.

The database was quickly closed after it was discovered, so the researchers could not fully analyze it. Still, they managed to determine that the data came from at least 36 different sources. These included Telegram channels, combined collections of earlier leaks and datasets apparently exported directly from active servers belonging to victims.

In total, the archive exceeded 8 TB, making it one of the largest datasets of this kind ever found. Cybernews could not determine the exact age of all records, but noted that the archive contained a news article from February 2026. That may suggest the database was not an old abandoned dump, but was being updated regularly.

The owner of the database remains unknown. Most of the Telegram sources inside the collection were in English, while some were in Russian. According to the researchers, about 260 million records came from channels whose names included the word Darkside, a reference to the now-inactive ransomware group known for the Colonial Pipeline attack.

The discovery once again shows that stolen credentials keep circulating in constantly updated collections, even when the original breaches happened long ago. For users, the practical takeaway is still the same: unique passwords for every service, a password manager and multifactor authentication no longer look like extra protection — they are basic hygiene.