TL;DR: Researchers found a publicly exposed 8.3 TB repository containing roughly 24 billion previously collected credential entries from 36 sources, including infostealer logs, breach datasets, Telegram channels, and leak repositories, according to Securden’s source article. The scale shows that attacker access to recycled credentials, not fresh theft, is now a primary identity risk and demands tighter governance.
NHIMG editorial — based on content published by Securden: 24 billion exposed credentials and what that means for identity security
By the numbers:
- Machine identities outnumber human identities by more than 80 to 1 in the average enterprise.
- 24 billion previously collected credential entries were aggregated from 36 distinct sources.
Questions worth separating out
Q: What breaks when leaked credentials are searchable in a live repository?
A: When leaked credentials are searchable, attackers can move from discovery to targeting in minutes.
Q: Why do stolen credentials remain such an effective attack path?
A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy.
Q: What problem does ownership attribution solve for service accounts and API keys?
A: It closes the gap between exposure detection and accountable remediation.
Practitioner guidance
- Inventory externally exposed credential classes Map which passwords, session tokens, cookies, API keys, and login URLs could still be valid across employee, service account, and AI-connected access paths.
- Revoke standing access tied to leaked identities Remove persistent entitlements from accounts that appear in exposure sets, especially service accounts and shared automation identities.
- Rotate secrets on a lifecycle basis Use rotation triggers based on exposure, not only age, and align them with offboarding and application ownership.
What's in the full article
Securden's full article covers the operational detail this post intentionally leaves for the source:
- How the exposed Elasticsearch repository was structured and why that made the data instantly queryable
- The breakdown of source types behind the 24 billion records, including Telegram channels, infostealer logs, and historical breach datasets
- Practical examples of how attackers search stolen credential corpora for privileged access paths
- The article's description of how identity security controls reduce blast radius after exposure
👉 Read Securden's analysis of the 24 billion exposed credential repository →
24 billion exposed credentials: what identity teams need to do now?
Explore further
Credential exposure has become an identity supply chain problem, not a single-breach problem. The article describes a repository assembled from infostealer logs, historical breaches, Telegram channels, and public leak sources, which means attacker access can begin with any one of many upstream compromises. That changes the governance model: defenders are no longer responding to a discrete incident but to a continuously replenished ecosystem of reusable identity artefacts. The practitioner conclusion is that exposure visibility must span the full credential lifecycle, not just one incident channel.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
A: Accountability usually spans the identity owner, the platform team, and the programme that allowed the secret to remain valid or reused. For regulated environments, governance expectations also extend to access reviews, incident response, and proof that credential lifecycle controls were in place before exposure occurred.
👉 Read our full editorial: 24 billion exposed credentials expose the real identity attack surface