TL;DR: Researchers found a publicly exposed 8.3 TB repository containing roughly 24 billion previously collected credential entries from 36 sources, including infostealer logs, breach datasets, Telegram channels, and leak repositories, according to Securden’s source article. The scale shows that attacker access to recycled credentials, not fresh theft, is now a primary identity risk and demands tighter governance.
At a glance
What this is: A publicly exposed repository held about 24 billion credential records, showing how recycled stolen identities have become a large, queryable attack surface.
Why it matters: For IAM and NHI teams, the issue is less about a single leak and more about how long-lived, reused, and overexposed credentials turn into reusable access paths across human and machine identities.
By the numbers:
- Machine identities outnumber human identities by more than 80 to 1 in the average enterprise.
- 24 billion previously collected credential entries were aggregated from 36 distinct sources.
👉 Read Securden's analysis of the 24 billion exposed credential repository
Context
Credential exposure has moved from isolated breach events to a persistent ecosystem of reused usernames, passwords, cookies, and tokens. In practice, that means the security problem is no longer only whether a single account was compromised, but whether stolen credentials are still circulating, searchable, and usable across cloud, SaaS, and AI-connected services.
For identity teams, this changes the unit of defence. A credential dump becomes a live targeting asset when it is indexed, searchable, and linked to company domains or privileged account names. That creates direct implications for NHI governance, standing privilege removal, and the way organisations monitor exposure across human and machine identities.
Key questions
Q: What breaks when leaked credentials are searchable in a live repository?
A: When leaked credentials are searchable, attackers can move from discovery to targeting in minutes. They can filter by domain, privilege labels, or application names and focus immediately on accounts that still matter. That turns exposure monitoring into an access-risk problem, not a record-keeping exercise.
Q: Why do stolen credentials remain such an effective attack path?
A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy. Once an attacker has valid access, they inherit the subject’s trust context and can often blend in with normal activity. That makes credential theft far more efficient than direct exploitation in many environments.
Q: What problem does ownership attribution solve for service accounts and API keys?
A: It closes the gap between exposure detection and accountable remediation. Many organisations can find the secret, but not the human who introduced it, maintains it, or can safely replace it. Ownership attribution gives security teams a practical way to assign action without relying on informal knowledge that disappears during staff changes.
A: Accountability usually spans the identity owner, the platform team, and the programme that allowed the secret to remain valid or reused. For regulated environments, governance expectations also extend to access reviews, incident response, and proof that credential lifecycle controls were in place before exposure occurred.
Technical breakdown
Why indexed credential dumps are more dangerous than raw breach files
A raw breach file is damaging, but an indexed repository is operationally worse because it turns stolen identity material into a searchable targeting system. Attackers can query by domain, username pattern, privilege label, or application name and quickly surface reusable access. When the repository includes passwords, cookies, login URLs, and tokens, it collapses the time needed to identify viable entry points. That is why the presence of old records matters less than whether they are still valid, still linked to active services, and still accepted by downstream systems. The architectural risk is not storage alone, but discoverability plus persistence.
Practical implication: Treat searchable exposure repositories as active threat infrastructure and prioritise revocation of any credential class that may still authenticate.
How infostealer logs change the identity risk model
Infostealer malware does more than harvest passwords. It can capture browser cookies, session tokens, autofill data, and stored credentials, which means attackers often bypass the password entirely and inherit a live session. That shifts the identity problem from simple credential theft to session replay and trusted-browser abuse. In NHI environments, similar failure modes appear when service account secrets, API tokens, and automation cookies remain valid far beyond their intended lifetime. The practical difference is that detection must account for both secret reuse and session artefacts, not just password compromise.
Practical implication: Extend identity monitoring to session tokens, browser artefacts, and workload secrets, not just passwords.
Standing privilege turns exposure into lateral movement
Once an attacker can authenticate with a compromised credential, the next issue is not login success. It is whether that identity has standing access, broad role scope, or unmanaged entitlements that can be used to move laterally and escalate. In cloud-first environments, identities are the control plane, so a single exposed token can open paths into storage, admin consoles, CI/CD systems, or developer platforms. For NHIs, the absence of lifecycle offboarding and rotation makes this worse because access remains usable long after the original purpose ends. The governing question is whether the exposed identity still has anything worth taking.
Practical implication: Map exposed credentials to privilege scope and remove standing access before an attacker can reuse them.
Threat narrative
Attacker objective: The attacker aims to turn recycled identity material into authenticated access that can be reused for privilege escalation, persistence, and broader compromise.
- Entry occurs when attackers obtain a usable credential from the exposed repository or from a parallel infostealer dataset.
- Escalation follows when the credential is tied to standing privilege, broad roles, or session artefacts that enable broader access than intended.
- Impact comes from reuse of valid identities across cloud, SaaS, developer, or AI-connected systems, allowing lateral movement and account takeover.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- GitHub Dependabot Breach — GitHub Dependabot tokens stolen and abused to push malicious commits to repositories.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential exposure has become an identity supply chain problem, not a single-breach problem. The article describes a repository assembled from infostealer logs, historical breaches, Telegram channels, and public leak sources, which means attacker access can begin with any one of many upstream compromises. That changes the governance model: defenders are no longer responding to a discrete incident but to a continuously replenished ecosystem of reusable identity artefacts. The practitioner conclusion is that exposure visibility must span the full credential lifecycle, not just one incident channel.
Searchable credential repositories create an identity blast radius that conventional breach response does not measure. A dump that can be queried by domain, username, or privilege label is more dangerous than a static archive because it directly supports targeting. This is where NHI governance and human IAM converge: if a single repository can surface both employee logins and machine secrets, then identity classification becomes a response priority, not a taxonomy exercise. Practitioners should assume that indexed exposure accelerates exploitation rather than merely recording it.
Standing privilege is the failure mode that turns old stolen credentials into current enterprise risk. The article makes clear that a stolen credential is only the entry point. What matters next is whether the identity still has live access, broad entitlements, or unmanaged reuse across systems. That is exactly why NHI governance cannot stop at secret storage. The practitioner conclusion is to tie exposure response to privilege scope and lifecycle status, especially for service accounts, API keys, and automation credentials.
Identity security now has to govern the intersection of human credentials, machine identities, and AI-connected access paths. The article notes that modern tools, SaaS apps, cloud services, and AI systems all create more identities, which means the same exposure pool can affect employees and workloads alike. That does not make every system autonomous, but it does mean the control problem is shared. The practitioner conclusion is to design one exposure-response model that covers passwords, session tokens, and non-human credentials together.
Identity attack surface is the right concept for this class of exposure. The repository is not merely a leak catalogue; it is an operational surface that attackers can search, sort, and weaponise. Naming it this way matters because it shifts the programme conversation from breach recovery to continuous identity reduction. The practitioner conclusion is to measure how much searchable, reusable identity material remains externally reachable at any point in time.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 52 NHI Breaches Analysis shows how exposure, reuse, and weak offboarding repeatedly turn identity material into breach paths.
What this signals
Identity exposure monitoring is now a programme-level control, not a hygiene task. When a credential dump can be searched by domain or privilege marker, exposure becomes operationally actionable for attackers. Teams should assume that externally visible identity material is being indexed against their environment continuously, which makes revocation speed and scope reduction more important than breach volume alone.
With 79% of organisations already reporting secrets leaks, the gap is not whether exposure happens but whether it is still useful when discovered. That is the governance test for modern IAM and NHI programmes. If a leaked credential can still authenticate five days later, the incident response problem has already become an access governance problem.
Attackers do not need to steal every credential when the ecosystem already leaks them for them. That means the reader’s programme should focus on reducing reusable identity surface across human accounts, service accounts, and tokens together. The more those identities are vaulted, rotated, and offboarded on time, the less value exposure repositories retain for adversaries.
For practitioners
- Inventory externally exposed credential classes Map which passwords, session tokens, cookies, API keys, and login URLs could still be valid across employee, service account, and AI-connected access paths. Prioritise credentials tied to privileged or third-party systems first.
- Revoke standing access tied to leaked identities Remove persistent entitlements from accounts that appear in exposure sets, especially service accounts and shared automation identities. Treat broad roles as a containment issue, not just an access review issue.
- Rotate secrets on a lifecycle basis Use rotation triggers based on exposure, not only age, and align them with offboarding and application ownership. If a secret is found in a leak repository, assume the credential has a shortened trust window.
- Expand monitoring to session artefacts Detect reuse of cookies, bearer tokens, and browser-stored credentials alongside password checks. Session replay is often the faster path to access when infostealer data is involved.
- Correlate exposure with privilege before remediation Join breach-monitoring data to entitlement and asset inventories so the team can see whether an exposed identity still has access worth abusing. That reduces wasted effort on low-value accounts and speeds containment for high-risk ones.
Key takeaways
- A 24 billion record credential repository shows that recycled identity material has become a searchable attack surface, not just a breach archive.
- The operational risk is not the number of exposed records alone, but whether those identities still authenticate, still hold privilege, and still create lateral movement paths.
- IAM and NHI teams should respond by reducing reusable credential surface through revocation, rotation, offboarding, and exposure-aware monitoring.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centers on exposed credentials and secret sprawl across identities. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management is central to limiting reuse of exposed access. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management governs rotation and invalidation of compromised secrets. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumes continuous verification after credential exposure. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article describes credential reuse and the follow-on movement enabled by valid identities. |
Use NHI-01 to inventory exposed credentials and remove any secrets still reachable outside approved vaulting.
Key terms
- Credential Exposure Repository: A credential exposure repository is a searchable collection of previously stolen or leaked identity material. It may contain passwords, cookies, tokens, login URLs, and other access artefacts. The security issue is not only that the data exists, but that it can still be queried and reused against active systems.
- Identity Attack Surface: Identity attack surface is the total set of accounts, tokens, login endpoints, trust paths, and supporting systems that can be probed for access. For password spraying, the risk grows with every externally reachable authentication path and every dormant or weakly protected identity.
- Standing Privilege: Standing privilege is persistent access that remains available outside the moment of actual need. In NHI and IAM programmes, it is dangerous because a leaked credential or session can inherit broad rights long after the original use case has ended.
- Verification Artefact: A verification artefact is any record created during identity proofing, including images, scores, approval notes, or vendor returns. These artefacts are valuable for audit and fraud review, but they also create privacy and breach risk if they are retained too long or exposed broadly.
What's in the full article
Securden's full article covers the operational detail this post intentionally leaves for the source:
- How the exposed Elasticsearch repository was structured and why that made the data instantly queryable
- The breakdown of source types behind the 24 billion records, including Telegram channels, infostealer logs, and historical breach datasets
- Practical examples of how attackers search stolen credential corpora for privileged access paths
- The article's description of how identity security controls reduce blast radius after exposure
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org