Researchers have uncovered an unsecured Elasticsearch cluster holding approximately 24 billion stolen credential records — a discovery that lays bare the scale at which threat actors now aggregate and weaponise compromised data.

According to a report by Security Affairs, researchers at Cybernews identified the publicly accessible database on 12 June 2026. The cluster stored more than 8.3 terabytes of data, including passwords, email addresses, and other sensitive account information sourced from infostealer malware, Telegram channels, and previously documented breach compilations. The team carried out three independent rounds of verification to confirm the figures before disclosing the finding.

Aggregation Is the Real Threat

The significance of this exposure extends well beyond its headline number. The database served as a searchable, consolidated repository of credentials collected from disparate origins over time — effectively turning individually leaked passwords into a ready-made toolkit for large-scale credential-stuffing campaigns, in which bots test stolen username-password pairs across thousands of services in rapid succession.

It remains unclear who operated the Elasticsearch cluster or whether it has since been secured. The origin of the compiled data and whether any portion was exploited before discovery are also undetermined.

A Familiar Failure Pattern

Unsecured Elasticsearch instances have surfaced repeatedly in major leak incidents. Despite well-established best practices for locking down database deployments, clusters exposed to the open internet without authentication continue to appear at the centre of exposures measured in billions of records. The path there is usually mundane: Elasticsearch releases before 8.0 ran with authentication off unless xpack.security.enabled was set, so a node whose network.host was changed from the loopback default to a public interface served its entire REST API on TCP 9200 to anyone who found it. Versions 8.0 and later enable security by default, but older deployments keep the pattern alive.
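
As an added example (not code from the Cybernews or Security Affairs reports), the following Python does what the first pass of an audit of such a finding amounts to: classify the reply to an unauthenticated GET / on port 9200, and read document and byte totals off _cat/indices metadata rather than off the data itself. The sample replies are constructed; the index names and figures are invented to mirror the headline totals.

```python
"""Added example: detect an Elasticsearch REST endpoint that answers without credentials,
and size what it holds from index metadata. Standard library only."""
import json
import urllib.error
import urllib.request

# Constructed reply to an unauthenticated GET / on port 9200 from a node with security
# disabled. Real nodes return this shape (name, cluster_name, version.number, tagline).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.17.0"},
    "tagline": "You Know, for Search",
})

# Constructed reply to GET /_cat/indices?format=json&bytes=b; with bytes=b the sizes come
# back as numeric strings in bytes. Index names and figures are invented to mirror the
# 24 billion documents / 8.3 TB headline, not data from the real cluster.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "combo-a", "docs.count": "15000000000", "store.size": "5200000000000"},
    {"index": "combo-b", "docs.count": "9000000000", "store.size": "3100000000000"},
])


def classify_es_response(status, body):
    """Classify what an unauthenticated GET / on an Elasticsearch port returned.

    exposed        - 200 with the cluster banner: the whole REST API is open, so anyone
                     who can reach the port can list, read, modify or delete every index.
    authenticated  - 401: security (or a reverse proxy in front) demands credentials.
    unknown        - reachable, but not recognisably an Elasticsearch banner.
    """
    if status == 401:
        return "authenticated"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "exposed"
    return "unknown"


def summarise_indices(cat_json):
    """Total documents and bytes across all indices from _cat/indices?format=json&bytes=b.
    This is how a figure like '24 billion records, 8.3 TB' is read off metadata without
    retrieving a single document."""
    rows = json.loads(cat_json)
    docs = sum(int(r["docs.count"]) for r in rows)
    size = sum(int(r["store.size"]) for r in rows)
    return docs, size


def probe(host, port=9200, timeout=5):
    """Live check for a host you are authorised to test. Returns one of the classifications
    above or 'unreachable'; it never reads index contents."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_es_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_es_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    print(classify_es_response(200, SAMPLE_ROOT_OPEN))  # exposed
    docs, size = summarise_indices(SAMPLE_CAT_INDICES)
    print(f"{docs:,} documents, {size / 1e12:.1f} TB")
```

The classifier deliberately stops at the banner and the index list. Those two unauthenticated requests are enough to establish and size an exposure; pulling documents from a third party's cluster is neither necessary for the finding nor defensible. Run probe() only against assets in your own external attack surface inventory.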

The persistence of stolen credentials compounds the problem. Even after a breach is contained and affected users reset their passwords, the underlying data endures. Threat actors routinely repackage and resell older credential sets, merging them with freshly harvested information. Credentials stolen years ago therefore retain their usefulness to attackers indefinitely — especially where users have recycled passwords across multiple services.

Guidance for IT and Security Leaders

This incident reinforces several operational priorities for organisations reassessing their exposure:

  • Audit externally accessible infrastructure. Unsecured database deployments remain a persistent blind spot: Elasticsearch on TCP 9200, MongoDB on 27017, and their peers. Routine scanning of publicly accessible assets should be a baseline discipline, and the scan should include an unauthenticated request to each discovered service, since a port that answers with data is the finding, not the open port itself.
  • Mandate multi-factor authentication (MFA) everywhere. MFA is among the most effective countermeasures against credential stuffing, making stolen passwords alone insufficient for account takeover. Prefer phishing-resistant factors (FIDO2/WebAuthn) over SMS codes or push approvals: a valid password plus a push prompt is exactly the starting point of a push-fatigue attack.
  • Monitor for credential exposure proactively. Services that alert when corporate email domains surface in breach compilations enable faster response: reset the affected passwords, revoke their active sessions and tokens, and check the same accounts for reuse of that password on other systems.
  • Assume no credential is inherently trustworthy. Adopting a zero-trust posture toward authentication limits the damage any single leak can cause: treat a correct password as one weak signal, weigh device, location and login velocity before granting access, and rate-limit login endpoints so that bulk testing of leaked pairs is slow and noisy.
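
Monitoring feeds report a leak after the fact; the same compilations can also be consulted at password-set time so a recycled, already-leaked password is never accepted in the first place. The following Python is an added example (not the report's code) of the Pwned Passwords k-anonymity range protocol: only the first five hex characters of the SHA-1 hash leave the host, and the match against the returned suffix list happens locally. The sample range body is constructed for the offline check, apart from the genuine remainder of SHA-1("password"); the counts are invented.

```python
"""Added example: check a candidate password against a breach corpus without revealing it,
using the Pwned Passwords k-anonymity range protocol (SHA-1, 5-hex-char prefix)."""
import hashlib
import urllib.request

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# A real response lists every suffix sharing that prefix (hundreds of lines). These three
# lines and their counts are invented for the offline test, except that the second suffix
# is the genuine remainder of SHA-1("password"), whose digest begins 5BAA6.
SAMPLE_RANGE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def split_hash(password):
    """SHA-1 the password; the first 5 hex chars go on the wire, the other 35 stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not found). fetch_range is
    any callable mapping a 5-char prefix to a range body, so the check can run offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Stand-in fetcher returning the constructed response above for any prefix."""
    return SAMPLE_RANGE


def live_fetch(prefix, timeout=10):
    """Real fetcher: the server only ever sees the 5-char prefix, never the full hash."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def acceptable(password, fetch_range=offline_fetch):
    """Policy hook for a password-set or reset flow: reject anything seen in the corpus."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    print(split_hash("password"))                    # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(pwned_count("password", offline_fetch))   # 12345
```

Because each prefix covers on the order of a million possible hashes, the query reveals nothing usable about which password was checked. Wire acceptable() with live_fetch into the reset flow, and treat a non-zero count as a hard reject rather than a warning: a password that is in any compilation is already in the attackers' stuffing lists.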

The broader lesson is clear. The greatest risk to organisations is no longer any individual breach but the industrial-scale aggregation and commoditisation of stolen identity data. Treating credential security as a continuous operational discipline — rather than a one-off compliance checkbox — is now essential.

