← Back to Blog

Leak of 24 Billion Passwords: How the Account Substitution Industry Operates

On June 12, 2026, Cybernews researchers found an unprotected server with 8.3 TB containing 24 billion stolen accounts. We analyze what’s inside, how account substitution works through residential and mobile proxies, and why the shadow market for stolen passwords even impacts legal web scraping and multi-accounting.

πŸ“…July 7, 2026
Leak of 24 Billion Passwords: How the Account Substitution Industry Operates

24 billion stolen logins and passwords have been gathered in one place β€” on an open server that anyone could connect to. The discovery by Cybernews researchers is not just another "leak of N million." It showcases an entire industry: info stealers are stealing credentials, combo lists aggregate them, and armies of bots run them through websites, disguising each attempt as a real user with the help of residential and mobile proxies. Let's break down what was found, how credential stuffing works, and why this shadow market also impacts legitimate web scraping and multi-accounting.

What happened: 8.3 TB and 24 billion records on one server

On June 12, 2026, Cybernews researchers discovered an open Elasticsearch cluster with a volume of 8.3 terabytes, containing 24 billion records of credentials. The database was not protected by a password or any authentication β€” anyone who knew the address could read it. Shortly after the discovery was published, the server was taken offline, so the researchers did not have time to trace the owner.

The dataset was compiled from 36 sources, which is a key detail. Most of it consists of so-called "collections" (about 22.6 billion records), but the structure of the rest is particularly revealing:

  • over 1.7 billion records were pulled directly from Telegram channels β€” more than 30 out of 36 sources turned out to be channels openly trading stolen data;
  • around 260 million records came from channels referencing "Darkside";
  • about 150 million were local dumps of databases;
  • approximately 146 million were compilations from past leaks (combo lists).

Inside, it's not just "email and password." A significant portion of the dataset consists of logs from info stealers: malware like RedLine, Lumma, and Vidar that extract everything from the infected browser. In more complete logs, there are saved passwords, session cookies and tokens β€” including those that allow bypassing two-factor authentication, autofill data, device fingerprints, and sometimes cryptocurrency wallets. Each record is usually accompanied by a URL of the service for which the password is valid β€” essentially a ready-made instruction on "where to log in."

Another alarming detail: indirect evidence (links to fresh materials found within the dataset up to 2026) indicates that the owner regularly updated the database. This is not an archival dump, but a living, updated tool.

How stolen passwords are monetized: credential stuffing

A list of "login-password" pairs is useless until it is tested on real websites. This is done through credential stuffing: automated bots take stolen pairs and attempt to log in en masse to hundreds of services, hoping that people use the same password in multiple places.

The scale of the problem is evident in Verizon's DBIR data for 2025. Credential stuffing accounted for a median of 19% of all daily login attempts in SSO provider logs, with large enterprises seeing rates as high as 25%, and on the worst recorded day β€” up to 44% of all login traffic. Stolen credentials were the initial vector in 22% of confirmed breaches. In 2025 alone, around 2 billion unique pairs were gathered from dark web combo lists β€” and now, 24 billion records were sitting on one server.

This is where the proxy industry comes into play. To avoid detection on the first attempts, attackers route requests through pools of residential and mobile proxies: each login attempt comes from a new IP address of a real provider or mobile operator. For the website's protection, this does not appear as one suspicious machine trying a thousand times, but as a thousand different "ordinary users" from various cities. Classic request frequency protection from a single IP is nearly useless with such rotation.

Why this impacts legitimate scraping and multi-accounting

What does this have to do with those engaged in honest data collection, SMM automation, or managing multiple accounts for business? The fact is that anti-bot systems do not differentiate intentions β€” they differentiate patterns. The more actively malicious actors disguise credential stuffing as legitimate traffic through residential IPs, the more aggressively Cloudflare, Akamai, DataDome, and AWS WAF tighten the screws for everyone.

This leads to a shift in detection from the IP level to the identity level. Today, filters look not just at the address but at how the client behaves and what their network fingerprint looks like:

  • TLS and HTTP fingerprinting (JA3/JA4) β€” if the handshake does not match the claimed browser, the client is marked as suspicious;
  • behavioral timing analysis β€” a real person has variable pauses between actions, while scripts often produce nearly identical intervals;
  • anomalies in success ratios β€” rare successful logins spread across multiple accounts are a characteristic signature of stuffing;
  • gaps in headers and JavaScript β€” bots that do not fully render the page lose cookies and values set by JS.

This is why in 2026, scraping increasingly becomes a game of identities rather than a race for the number of IPs β€” we have discussed the mechanics of TLS and JA4 fingerprinting separately. For a legitimate project, the takeaway is simple: the quality and "cleanliness" of proxies are now more important than their quantity. An IP that was used yesterday for password guessing is already in the blacklists of reputation systems β€” and drags your legitimate traffic down with it.

There is also a reputational dimension. Scandals surrounding botnets from hacked Smart TVs and the recent dismantling of shadow proxy networks have shown that part of the "residential" market is fed by dubious sources. For businesses, this is a signal to choose a provider with transparent IP origins and clear KYC, rather than the cheapest pool of unknown quality. Legitimate residential proxies and mobile proxies from verified networks provide the "clean" reputation that everything is about β€” without the risk of being in the same segment as credential-stuffing traffic.

What to do right now

For the average user, the main protection against such leaks is not the password itself, but its uniqueness. An info stealer who has stolen your forum password is only dangerous to the extent that the same password works for your email and bank.

  • A unique password for each service and a password manager to keep them in mind. Credential stuffing thrives solely on reuse.
  • Two-factor authentication or passkeys on critical accounts β€” email, bank, stores, social networks. Even with a leaked password, it is harder to log in without a second factor.
  • Be aware of session tokens. Info stealers steal cookies that survive password entry and 2FA β€” so if you suspect infection, it is essential not only to change your password but also to end active sessions on all devices.
  • Don't run random things. Info stealers spread through malicious ads, fake "browser updates," hacked software, game cheats, suspicious extensions, and ClickFix attacks, where the victim is persuaded to execute a command themselves.

For those who automate work with websites legally, the lesson is different: separate identities and do not mix them. A separate set of accounts β€” a separate clean IP, a separate browser profile with a consistent fingerprint. This is how anti-detect scenarios are built, and this is why a cheap "gray" proxy pool is now more dangerous for a project than having none at all.

Conclusion

24 billion records on one unprotected server is not a record for the sake of a record, but a snapshot of a functioning economy: info stealers at the entrance, combo lists in the middle, credential stuffing through residential proxies at the exit. As long as people reuse passwords, this conveyor will remain profitable, and anti-bot protection will become increasingly stringent. The one who ignores hygiene will lose: the average user without unique passwords and 2FA β€” and businesses that try to save on infrastructure cleanliness. In a world where detection is based on identity rather than IP, betting on transparency and quality ceases to be a luxury.