HomeIntelligenceBrief
BREACH BRIEF🔴 Critical Breach

24 Billion Stolen Credential Records Exposed in an Unsecured Elasticsearch Dump

Researchers discovered an 8.3 TB Elasticsearch cluster publicly accessible that contained 24 billion credential records from multiple breach sources. The dump includes plaintext passwords, MFA‑bypass tokens and crypto‑wallet data, underscoring the need for strict access‑control policies and continuous compliance monitoring.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 malwarebytes.com
🔴
Severity
Critical
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

24 Billion Stolen Credential Records Exposed in an Unsecured Elasticsearch Dump

What Happened — Researchers uncovered an 8.3 TB Elasticsearch cluster that was publicly reachable and contained roughly 24 billion credential records sourced from 36 different breaches, infostealer logs, and Telegram channels. The data set included usernames, email addresses, plaintext passwords, session cookies, MFA‑bypass tokens and even crypto‑wallet identifiers.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure of SOC 2 CC6.1 (Logical Access) and CC6.2 (User Access Management) – controls that require strong authentication, least‑privilege access, and network segmentation for data stores.
  • Provides a concrete example of why continuous control monitoring and immutable audit evidence (e.g., access‑log reviews, configuration baselines) are essential to prove that sensitive repositories are locked down.
  • Highlights the need for documented security‑awareness processes; many of the records originated from infostealer infections that could have been mitigated with robust user training and MFA enforcement.

Who Is Affected — Any organization whose employees, customers or partners may have had credentials harvested by the listed sources – spanning SaaS providers, financial services, retail/e‑commerce, healthcare, and other data‑intensive sectors.

Recommended Actions

  • Immediately verify whether any of your user credentials appear in the dump (use reputable breach‑checking services).
  • Enforce MFA and force password resets for any accounts that may be compromised.
  • Review and harden all Elasticsearch (or similar search) deployments: enable authentication, enforce TLS, apply network‑level firewalls, and maintain configuration‑as‑code baselines.
  • Incorporate continuous monitoring of cloud‑service configurations into your SOC 2 evidence collection pipeline.
  • Document the incident response steps and update your access‑control policies to reflect lessons learned.

Source: Malwarebytes Labs – 24 Billion Stolen Records Found in Giant Data Dump

Technical Notes — The exposure resulted from an Elasticsearch misconfiguration (no password, no network restrictions). Data types included plaintext passwords, session cookies, MFA‑bypass tokens, device fingerprints, and crypto‑wallet identifiers. Attack vector: unsecured data store combined with credential harvesting via infostealer malware. Source: same as above

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/06/24-billion-stolen-records-found-in-giant-data-dump-check-if-youre-affected

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →