Security researchers have uncovered an enormous exposed collection of stolen credentials, with roughly 24 billion records of usernames, passwords and other sensitive account data found sitting online.
The Scale of the Exposure
The discovery, reported in June 2026, ranks among the largest credential troves ever surfaced. Such databases are typically assembled from many separate breaches and from credentials harvested by information-stealing malware, then aggregated into a single searchable collection that criminals can mine.
While aggregated dumps often contain duplicate and recycled entries, even a fraction of 24 billion records represents an extraordinary volume of login data that can fuel account takeovers and follow-on attacks.
A Year of Major Incidents
The exposure caps a turbulent stretch for cybersecurity in 2026. Several high-profile organizations reported breaches during the first half of the year.
- Match Group, owner of Tinder and Hinge, was claimed as a target early in 2026
- NYC Health + Hospitals suffered a breach affecting at least 1.8 million people
- Instructure's Canvas platform saw data on 275 million students and staff copied
- Medical technology firm Stryker faced a destructive attack that wiped computers
How Credential Dumps Are Used
Attackers commonly take leaked username and password pairs and try them across many other services in a technique known as credential stuffing. Because people frequently reuse passwords, a single compromised credential can unlock accounts far beyond the site it originally came from. That makes large aggregated dumps especially valuable to criminals and dangerous to ordinary users.
Protective Steps
Security experts consistently recommend a few core defenses against this kind of threat. Using a unique password for every account, ideally generated and stored by a password manager, limits the damage when any single service is compromised. Turning on multi-factor authentication adds a second barrier that stolen passwords alone cannot bypass, and monitoring services can alert users when their credentials appear in known leaks.
A Persistent Threat
The find underscores how stolen credentials circulate and accumulate over time, long after the original breaches occur. With nation-state actors and ransomware gangs growing bolder, basic credential hygiene remains one of the most effective and accessible defenses available to individuals and organizations alike.