Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

24 billion exposed credentials: what identity teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Researchers found a publicly exposed 8.3 TB repository containing roughly 24 billion previously collected credential entries from 36 sources, including infostealer logs, breach datasets, Telegram channels, and leak repositories, according to Securden’s source article. The scale shows that attacker access to recycled credentials, not fresh theft, is now a primary identity risk and demands tighter governance.

NHIMG editorial — based on content published by Securden: 24 billion exposed credentials and what that means for identity security

By the numbers:

Questions worth separating out

Q: What breaks when leaked credentials are searchable in a live repository?

A: When leaked credentials are searchable, attackers can move from discovery to targeting in minutes.

Q: Why do stolen credentials remain such an effective attack path?

A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy.

Q: What problem does ownership attribution solve for service accounts and API keys?

A: It closes the gap between exposure detection and accountable remediation.

Practitioner guidance

  • Inventory externally exposed credential classes Map which passwords, session tokens, cookies, API keys, and login URLs could still be valid across employee, service account, and AI-connected access paths.
  • Revoke standing access tied to leaked identities Remove persistent entitlements from accounts that appear in exposure sets, especially service accounts and shared automation identities.
  • Rotate secrets on a lifecycle basis Use rotation triggers based on exposure, not only age, and align them with offboarding and application ownership.

What's in the full article

Securden's full article covers the operational detail this post intentionally leaves for the source:

  • How the exposed Elasticsearch repository was structured and why that made the data instantly queryable
  • The breakdown of source types behind the 24 billion records, including Telegram channels, infostealer logs, and historical breach datasets
  • Practical examples of how attackers search stolen credential corpora for privileged access paths
  • The article's description of how identity security controls reduce blast radius after exposure

👉 Read Securden's analysis of the 24 billion exposed credential repository →

24 billion exposed credentials: what identity teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Credential exposure has become an identity supply chain problem, not a single-breach problem. The article describes a repository assembled from infostealer logs, historical breaches, Telegram channels, and public leak sources, which means attacker access can begin with any one of many upstream compromises. That changes the governance model: defenders are no longer responding to a discrete incident but to a continuously replenished ecosystem of reusable identity artefacts. The practitioner conclusion is that exposure visibility must span the full credential lifecycle, not just one incident channel.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when compromised credentials are used to access personal or infrastructure accounts?

A: Accountability usually spans the identity owner, the platform team, and the programme that allowed the secret to remain valid or reused. For regulated environments, governance expectations also extend to access reviews, incident response, and proof that credential lifecycle controls were in place before exposure occurred.

👉 Read our full editorial: 24 billion exposed credentials expose the real identity attack surface



   
ReplyQuote
Share: