24 Billion Exposed Credentials Are in Attacker Hands. Is Your Control Plane Ready?
On June 15, 2026, Cybernews researchers disclosed the responsible takedown of an unsecured Elasticsearch cluster containing 8.3 terabytes of data – 24 billion records of usernames and passwords, aggregated from 36 separate sources predominantly composed of Telegram channels where stolen credential sets circulate among criminal communities. Approximately 22.6 billion of those records came from “collections” – compiled sets of credentials from historical breach events that security teams in most organizations have already addressed through password rotation or system decommissioning. The remaining records, however, came from a different source entirely: infostealer malware logs capturing credentials actively harvested from live enterprise environments.
That distinction – historical collection versus live infostealer output – is the difference between a background threat and an active operational risk. Infostealers like RedLine, Lumma, and Vidar harvest credentials directly from the machines where employees authenticate every day: browsers, desktop applications, password managers, and enterprise SaaS portals. The credentials in those logs are not from a breach five years ago. They are from endpoints currently running in production, and the authentication data they captured is still valid until it is rotated.
For organizations operating under HIPAA compliance requirements, CMMC 2.0 compliance, FedRAMP authorization, or comparable regulatory frameworks, the calculus is straightforward and sobering. A workforce of several thousand employees will, with near statistical certainty, have some fraction of its credentials present in an aggregate of 24 billion records. The question compliance officers and security teams should be asking is not whether those credentials exist in the database. It is: what can an attacker accomplish if they use them successfully, and does your current architecture limit that outcome?
This post addresses that question directly – how infostealer-driven credential exposure works, why regulated industries face asymmetric consequences, and what a Kiteworks control plane for secure data exchange needs to do that a perimeter defense cannot.
Key Takeaways
1. Infostealer-derived records are the actionable threat, not historical collections
The majority of the 24 billion records are recycled historical breach data. The infostealer logs are different – those credentials were harvested from live enterprise machines and may still be valid, making them the actionable subset attackers prioritize.
2. Regulated industries carry asymmetric breach liability per successful login
A single successful account takeover that accesses protected health information, controlled unclassified information, or regulated financial data triggers mandatory breach notification and opens enforcement exposure – regardless of how much data was accessed.
3. Password-layer security has already failed at the scale of 24 billion records
The assumption that password controls adequately protect enterprise data is no longer defensible. Multi-factor authentication, attribute-based access controls, and continuous audit logging are not optional layering – they are the required minimum for environments handling sensitive data.
4. The control plane for secure data exchange is the last meaningful defense after credential theft
Attackers who successfully authenticate using stolen credentials target file transfer portals, secure email platforms, and collaboration environments where sensitive data actually resides. A unified control plane – one policy engine, one audit log, one security posture across all channels – is what bounds what they can reach and what gets recorded.
5. Credential-stuffing risk belongs in compliance risk registers and board-level reporting
The combination of the 24 billion record aggregate, active infostealer campaigns, and the enforcement posture across healthcare, defense, and financial services means that credential-based account takeover is no longer a technical concern – it is a governance priority.
The Two Populations in That 24 Billion Record Count
Security professionals who dismiss large credential aggregates as “old news” are not entirely wrong – for the collections portion. The majority of the 24 billion records Cybernews identified trace to compiled breach datasets that have been moving through underground markets for years. Many of those credentials have already been rotated. Many of the systems they accessed no longer exist. Security teams that apply consistent password hygiene, monitor breach notification services, and enforce periodic credential rotation have likely addressed much of that exposure.
The infostealer-derived records are a fundamentally different problem.
Infostealers are a category of malware specifically engineered to extract authentication data from the machines they infect. They work by reading saved passwords from browser storage, extracting session cookies that allow authentication without a password at all, capturing keystrokes at login prompts, and harvesting credentials from desktop password managers. The output – a structured “log” containing usernames, passwords, and session tokens organized by site and application – is packaged and sold in underground markets, typically within hours or days of the original infection.
The implications for enterprise environments are direct. An employee whose machine is infected by an infostealer has, effectively, handed their entire authentication footprint to an attacker. Every enterprise application they access, every file sharing portal they log into, every secure email platform they authenticate to – all of that is in the log. The enterprise has no visibility into this until either the employee’s device triggers an endpoint detection alert or the attacker attempts to use the stolen credentials.
The FortiBleed campaign disclosed the same week – in which 86,000 confirmed working credentials from FortiGate devices across 194 countries were aggregated and published – is a related data point because it used artificial intelligence for target identification and automated password spraying to extend and validate that credential set. The combination of large credential aggregates and AI-assisted validation is accelerating the conversion of stolen credentials into confirmed working access. Organizations that are not enforcing MFA consistently across all enterprise applications are operating against this reality without adequate controls.
Why Regulated Industries Face a Different Calculation
Every organization faces risk from credential stuffing. But organizations subject to HIPAA, CMMC, FedRAMP, ITAR, or comparable frameworks face a qualitatively different risk profile because the consequence of a single successful authentication event depends entirely on what the compromised account can access – and what reporting obligations that access triggers.
Under HIPAA compliance requirements, unauthorized access to protected health information triggers breach notification obligations regardless of whether the attacker exfiltrated any data. If an employee’s credentials are used to log into a health information system, and the session accesses PHI – even by browsing it – that is a reportable breach under the HIPAA Breach Notification Rule. The covered entity must notify affected individuals, the Department of Health and Human Services, and, for incidents involving 500 or more individuals, notify prominent media outlets in the affected states. The cost of that notification and subsequent investigation can exceed the cost of any firewall or endpoint protection investment by orders of magnitude.
Under CMMC 2.0 compliance requirements, a compromised account that accesses controlled unclassified information (CUI) triggers incident reporting requirements under DFARS 252.204-7012 within 72 hours of discovery. It also potentially triggers a reassessment of the organization’s CMMC certification status. Defense contractors that experience a CUI breach through credential compromise face not only the incident response cost but also the risk that the CMMC certification that allows them to compete for DoD contracts is suspended or lost.
FedRAMP compliance creates similar obligations for cloud service providers and federal agencies, where any unauthorized access to federal data requires immediate incident reporting to the relevant agency and CISA.
The asymmetry is stark: a compromised credential at a consumer retail company may result in fraud liability. The same credential at a healthcare provider, defense contractor, or federal agency triggers mandatory government reporting, potential enforcement action, and certification consequences that go well beyond the cost of the incident itself. Organizations that have not explicitly mapped credential-based account takeover scenarios into their risk assessments under each applicable framework are operating with an unacknowledged gap.
The Credential Stuffing Playbook Against Content Platforms
Understanding how attackers use large credential databases against enterprise content platforms clarifies why the defense architecture matters as much as the authentication layer.
Credential stuffing attacks follow a predictable sequence. An attacker acquires a credential set – from a collection aggregate like the one Cybernews documented, or from purchased infostealer logs, or from targeted phishing – and begins automated testing against the target platforms. Modern credential stuffing tools can test tens of thousands of credential pairs per minute against a web application, rotating through IP addresses and user agents to avoid rate limiting and detection. When a pair succeeds, the tool logs the confirmed access and queues it for manual or automated follow-up.
The follow-up step is where content platforms become the target. An attacker who has confirmed working access to an enterprise account does not immediately exfiltrate everything – that triggers volume-based detection. They establish a pattern of access that mimics normal user behavior. They may sit dormant for days or weeks before searching for high-value files. They may use the access to pivot to additional accounts by accessing internal directories or communication platforms where credentials or session tokens are shared. When they do move, they target documents – contracts, financial records, technical drawings, health records, regulated data – that can be monetized directly or used for extortion. Data classification controls that label and restrict access to sensitive content by sensitivity tier are a direct countermeasure to this targeting behavior.
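The sequence above has a detectable shape on the defender's side: a burst of failed logins spread across many accounts, arriving from many addresses, with a failure rate far above normal, and a few successes buried inside it. The following Python is an added example written for this post, not code from the original article or from any product it mentions. The log format ("ts user ip user_agent result"), the thresholds, and the sample events are all assumptions constructed for the demonstration.

```python
"""Windowed credential-stuffing detector over web-application login events.

Added example, not code from the original post. The log format
("ts user ip user_agent result") and the thresholds are assumptions.
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 60
MIN_FAILURES = 8          # volume that points to automation rather than typos
MIN_DISTINCT_USERS = 6    # stuffing sprays many accounts; brute force hammers one
MIN_FAILURE_RATIO = 0.8   # most stolen pairs are stale, so most attempts fail

# Constructed sample: one burst of rotated IPs and user agents against many
# accounts (203.0.113.0/24), mixed with normal staff logins (198.51.100.0/24).
SAMPLE_LOG = """\
1718438400 alice 198.51.100.5 Mozilla/5.0-Windows OK
1718438402 bob 203.0.113.10 curl/8.0 FAIL
1718438403 carol 203.0.113.11 python-requests/2.31 FAIL
1718438404 dave 203.0.113.12 Mozilla/5.0-Linux FAIL
1718438405 erin 203.0.113.13 Mozilla/5.0-Mac FAIL
1718438406 frank 203.0.113.14 curl/8.0 FAIL
1718438407 grace 203.0.113.15 Mozilla/5.0-Windows FAIL
1718438408 heidi 203.0.113.16 python-requests/2.31 FAIL
1718438409 ivan 203.0.113.17 Mozilla/5.0-Linux FAIL
1718438410 judy 203.0.113.18 Mozilla/5.0-Mac FAIL
1718438411 mallory 203.0.113.19 curl/8.0 FAIL
1718438412 carol 203.0.113.20 Mozilla/5.0-Windows OK
1718442000 bob 198.51.100.7 Mozilla/5.0-Windows FAIL
1718442005 bob 198.51.100.7 Mozilla/5.0-Windows OK
1718442030 dave 198.51.100.9 Mozilla/5.0-Mac OK
"""


@dataclass
class Window:
    start: int
    attempts: int = 0
    failures: int = 0
    failed_users: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # (user, ip) pairs


def parse_line(line):
    ts, user, ip, user_agent, result = line.split()
    return int(ts), user, ip, user_agent, result


def build_windows(log_text):
    """Bucket events into fixed windows keyed by window index."""
    windows = {}
    for line in log_text.strip().splitlines():
        ts, user, ip, _ua, result = parse_line(line)
        key = ts // WINDOW_SECONDS
        w = windows.setdefault(key, Window(start=key * WINDOW_SECONDS))
        w.attempts += 1
        w.source_ips.add(ip)
        if result == "FAIL":
            w.failures += 1
            w.failed_users.add(user)
        else:
            w.successes.append((user, ip))
    return windows


def is_stuffing(w):
    """Stuffing looks like many accounts failing at once, not one account often."""
    ratio = w.failures / w.attempts
    return (w.failures >= MIN_FAILURES
            and len(w.failed_users) >= MIN_DISTINCT_USERS
            and ratio >= MIN_FAILURE_RATIO)


def detect(log_text):
    """Return one alert per flagged window, listing the successful logins
    inside it so analysts can review them as possible confirmed takeovers."""
    alerts = []
    for w in sorted(build_windows(log_text).values(), key=lambda x: x.start):
        if is_stuffing(w):
            alerts.append({
                "window_start": w.start,
                "failures": w.failures,
                "distinct_users": len(w.failed_users),
                "distinct_ips": len(w.source_ips),
                "review_logins": sorted(w.successes),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of aggregating globally rather than per source address is that each rotated IP in the sample contributes only one attempt, so a per-IP rate limit never fires; the population-level failure ratio and the spread across accounts are what give the burst away. The successes inside a flagged window (here one legitimate login and one that rode along with the burst) are surfaced for review rather than auto-blocked, which is where the content-layer monitoring discussed later in the post takes over.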
The Klue supply chain attack disclosed in this same news cycle – in which attackers used compromised OAuth tokens to access Salesforce environments belonging to LastPass, HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, and others – followed exactly this pattern. The credential mechanism differed (OAuth tokens versus passwords), but the goal was the same: authenticated access to document repositories and business data at scale. The supply chain risk management implications are significant: third-party access to enterprise environments creates credential exposure vectors that internal hygiene programs alone cannot close.
For organizations using secure managed file transfer, secure email, SFTP, or collaborative content platforms, the credential stuffing threat is direct. These are exactly the applications where sensitive regulated data lives, and they are exactly the applications where employees’ credentials are stored in browsers and harvested by infostealers.
Why the Password Layer Is Already Defeated
The conceptual problem with treating password-based authentication as a security control is that it assumes the password remains secret. At the scale of 24 billion exposed credentials – with an active infostealer ecosystem continuously harvesting new ones – that assumption is not operationally defensible for large workforces.
Password rotation policies help but cannot close the gap. If an employee’s credentials are harvested by an infostealer and the organization has a 90-day rotation policy, there is a 90-day window during which an attacker can use those credentials freely. If the rotation policy is enforced on a trigger from breach notification services, there is typically a lag of days to weeks between the credential theft and the organization’s awareness. Infostealers are designed to operate inside that gap.
Session token harvesting makes the problem worse. Modern infostealers do not only capture passwords. They capture browser session cookies that allow authentication without a password at all – bypassing even MFA in some configurations, since the session token was issued after a legitimate MFA event. Session hijacking via stolen cookies is a documented attack technique that does not require the attacker to know the victim’s password.
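The defensive counterpart to cookie theft is to make a session worth less outside the context it was issued in. The following Python is an added example, not code from the original post or from any product it describes: a server-side session store that binds each session to a hash of client context, signs the cookie so it cannot be forged, expires it on an absolute clock, revokes it the moment it is presented from a different context, and requires fresh MFA for sensitive actions. The fingerprint inputs, lifetimes, cookie layout, and the deterministic clock are assumptions made for the demonstration.

```python
"""Server-side session binding and step-up checks that limit what a stolen
session cookie is worth. Added example, not code from the original post;
the fingerprint inputs, lifetimes and cookie layout are assumptions."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; keep a real key in a KMS/HSM
ABSOLUTE_LIFETIME = 8 * 3600           # cookie dies regardless of activity
STEP_UP_WINDOW = 15 * 60               # sensitive actions need MFA this recent


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session_id -> state (never leaves the server)
        self.audit = []      # (session_id prefix, user, reason)

    @staticmethod
    def fingerprint(user_agent, client_ip, device_id):
        """Hash of client context the cookie is bound to. Constructed: a
        deployment would prefer a managed-device certificate or token binding."""
        material = "|".join([user_agent, client_ip, device_id]).encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, user, ctx):
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "fp": self.fingerprint(*ctx),
                              "issued": now, "mfa_at": now, "revoked": False}
        tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"   # cookie value: id + integrity tag

    def validate(self, cookie, ctx, sensitive=False):
        """Return (ok, reason). Integrity, context or lifetime failures revoke
        the session so a replayed cookie also logs out the real user."""
        sid, _, tag = cookie.partition(".")
        expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return self._deny(sid, "bad_signature")
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            return False, "unknown_or_revoked"
        now = self.clock()
        if now - s["issued"] > ABSOLUTE_LIFETIME:
            return self._deny(sid, "expired")
        if s["fp"] != self.fingerprint(*ctx):
            return self._deny(sid, "context_mismatch")   # cookie replayed elsewhere
        if sensitive and now - s["mfa_at"] > STEP_UP_WINDOW:
            return False, "step_up_required"   # keep session, demand fresh MFA
        return True, "ok"

    def _deny(self, sid, reason):
        s = self.sessions.get(sid)
        if s is not None:
            s["revoked"] = True
        self.audit.append((sid[:8], s["user"] if s else "?", reason))
        return False, reason


class FakeClock:
    """Deterministic clock so the walkthrough below is reproducible."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def walkthrough():
    clock = FakeClock(1_718_438_400.0)
    store = SessionStore(clock)
    legit = ("Mozilla/5.0-Windows", "198.51.100.5", "laptop-0042")
    cookie = store.issue("alice", legit)
    results = {"legit": store.validate(cookie, legit)[1]}
    # Cookie lifted from the browser profile and replayed from another machine.
    stolen_ctx = ("Mozilla/5.0-Linux", "203.0.113.9", "unmanaged")
    results["replay"] = store.validate(cookie, stolen_ctx)[1]
    results["after_replay"] = store.validate(cookie, legit)[1]
    # A 20-minute-old session reaching a sensitive action must re-verify MFA.
    cookie2 = store.issue("alice", legit)
    clock.t += 20 * 60
    results["step_up"] = store.validate(cookie2, legit, sensitive=True)[1]
    # A forged integrity tag on a real session id is rejected and revokes it.
    forged = cookie2.partition(".")[0] + "." + "0" * 64
    results["forged"] = store.validate(forged, legit)[1]
    return results, store.audit
```

Two design choices are worth noting. A context mismatch revokes the session rather than merely rejecting the request, so the legitimate user is forced to re-authenticate and the audit trail records that a replay was attempted; that is a deliberate trade of a little friction for containment. And the step-up check does not revoke, because a stale MFA timestamp on an otherwise consistent session is an ordinary condition, not evidence of theft.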
What this means architecturally is that the defense must be designed to work even when credential compromise is assumed. This is the logic behind zero trust security principles: rather than trusting that the authenticating user is who they say they are because they presented a valid credential, the architecture applies continuous validation, behavioral analysis, and policy-based access controls that remain effective even when a credential has been compromised.
Identity and access management at the application layer – not just at the network perimeter – is what determines whether a compromised credential leads to a breach or to a blocked, logged attempt. The difference between an organization that detects a credential stuffing attack within hours and an organization that discovers it months later is the depth and consistency of access controls and monitoring applied across the control plane for secure data exchange. Real-time visibility through a CISO Dashboard that surfaces anomalous access patterns across all content channels is what converts audit logging from a forensic tool into an operational detection capability.
Building a Defense at the Control Plane
The regulatory consequences of credential-based account takeover – particularly in healthcare, defense, and financial services – create a specific architectural requirement: controls must be applied at the level where sensitive data actually moves, not only at the network perimeter or the identity provider.
Perimeter controls are valuable but insufficient for this threat model. A compromised credential authenticates through perimeter controls by definition. The attacker presents a valid token from an IP address that may be consistent with the user’s location, at a time of day consistent with normal usage. Perimeter-based detection cannot reliably distinguish a compromised session from a legitimate one without additional context.
What zero trust architecture provides is exactly that additional context. By applying attribute-based access controls (ABAC) through the control plane, the architecture enforces fine-grained policies based on data sensitivity, user role, device compliance status, and behavioral context – not just on whether a valid token was presented. A user whose credential has been compromised may authenticate successfully, but if their subsequent behavior deviates from baseline or if they attempt to access data outside the scope of their role, the ABAC policy prevents access and generates an alert.
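The decision logic described in that paragraph can be written down compactly. The Python below is an added example for this post; it is not code from the original article and not the Kiteworks policy engine. Attribute names, the role-to-scope mapping, the sensitivity tiers, and the risk threshold are assumptions constructed to show how a valid credential still fails closed when the surrounding attributes do not fit.

```python
"""Attribute-based access decision at the content layer. Added example, not
code from the original post and not the Kiteworks policy engine; the
attribute names, role scopes and thresholds are assumptions."""
from dataclasses import dataclass

TIER_RANK = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Constructed role scopes: data domains a role may touch and its ceiling tier.
ROLE_SCOPE = {
    "billing_clerk": {"domains": {"billing"}, "max_tier": "regulated"},
    "marketing": {"domains": {"marketing"}, "max_tier": "internal"},
    "security_analyst": {"domains": {"security", "billing"}, "max_tier": "regulated"},
}
RISK_DENY_THRESHOLD = 0.7   # session behavior score above this is treated as takeover
# Reasons that suggest a compromised session rather than a hygiene problem.
TAKEOVER_SIGNALS = {"outside_role_scope", "tier_exceeds_role", "behavioral_anomaly"}


@dataclass
class Subject:
    user: str
    role: str
    device_compliant: bool
    mfa_verified: bool
    risk_score: float   # 0..1, deviation of this session from the user's baseline


@dataclass
class Resource:
    name: str
    domain: str
    tier: str


@dataclass
class Decision:
    allow: bool
    reasons: list
    alert: bool


def evaluate(subject, resource):
    """Deny unless every attribute check passes; raise an alert when the
    failure pattern looks like a compromised credential."""
    reasons = []
    scope = ROLE_SCOPE.get(subject.role)
    if scope is None:
        reasons.append("unknown_role")
    else:
        if resource.domain not in scope["domains"]:
            reasons.append("outside_role_scope")
        if TIER_RANK[resource.tier] > TIER_RANK[scope["max_tier"]]:
            reasons.append("tier_exceeds_role")
    if TIER_RANK[resource.tier] >= TIER_RANK["confidential"]:
        if not subject.device_compliant:
            reasons.append("noncompliant_device")
        if not subject.mfa_verified:
            reasons.append("mfa_required")
    if subject.risk_score >= RISK_DENY_THRESHOLD:
        reasons.append("behavioral_anomaly")
    return Decision(allow=not reasons, reasons=reasons,
                    alert=bool(TAKEOVER_SIGNALS & set(reasons)))


def walkthrough():
    claims = Resource("claims-2026-q2.xlsx", "billing", "regulated")
    clerk = Subject("alice", "billing_clerk", True, True, 0.1)
    # Same credential, but the session behaves unlike alice's baseline.
    hijacked = Subject("alice", "billing_clerk", True, True, 0.85)
    marketer = Subject("mallory", "marketing", True, True, 0.1)
    unmanaged = Subject("alice", "billing_clerk", False, True, 0.1)
    return {
        "clerk": evaluate(clerk, claims),
        "hijacked": evaluate(hijacked, claims),
        "marketer": evaluate(marketer, claims),
        "unmanaged": evaluate(unmanaged, claims),
    }
```

The separation between a deny and an alert is the useful part: a non-compliant device is a hygiene block that the help desk resolves, while a request outside the role's scope or from a session that has drifted from its baseline is routed to the security team as a possible takeover even though the credential and MFA were both valid.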
Continuous audit logging is the evidentiary component that makes this architecture compliance-defensible. When a regulator or a plaintiff asks “what did the compromised account access, and when,” the answer must be a specific, timestamped, immutable record – not a general representation that access controls were in place. Organizations that cannot produce that record face the same evidentiary problem that regulators have increasingly identified in enforcement actions – including the FTC’s action against Illuminate Education: awareness of risk without verifiable controls is itself a compliance failure.
DLP within the control plane provides a final containment layer: policies that inspect outbound data for regulated types – PHI, CUI, PII, financial records – and block, quarantine, or alert on transmission that falls outside approved channels. Even in a scenario where a compromised account successfully accesses sensitive data, DLP policies can prevent exfiltration from completing. Data minimization principles applied at the control plane level further reduce blast radius by ensuring accounts are provisioned with access to only the data they require for their specific role – not the maximum data their permissions might allow.
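As a concrete illustration of that containment layer, the Python below is an added example, not code from the original post and not the Kiteworks DLP engine. It pairs a few small detectors for regulated data types with a per-channel policy and returns allow, block, or quarantine. The detector patterns, the channel policy, and the sample messages are constructed for the demonstration; a production engine would carry far more detectors and tuning.

```python
"""Outbound content inspection with channel-aware block/quarantine/allow
decisions. Added example, not code from the original post and not the
Kiteworks DLP engine; the detectors and channel policy are assumptions."""
import re

# Detectors, constructed and deliberately small.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, Luhn-checked below
CUI_RE = re.compile(r"\bCUI(?://[A-Z-]+)?\b")       # CUI banner marking
MRN_RE = re.compile(r"\bMRN:?\s*\d{6,10}\b")        # medical record number

# Which regulated classes each channel is approved to carry. Constructed.
CHANNEL_POLICY = {
    "sftp:partner-payer": {"PHI", "PII", "FIN"},   # contractually approved partner feed
    "email:external": set(),                        # nothing regulated by plain external email
}


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return findings as (data_class, confidence, matched_text)."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("PII", "high", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):   # drops order numbers that merely look card-like
            findings.append(("FIN", "high", m.group()))
    for m in CUI_RE.finditer(text):
        findings.append(("CUI", "high", m.group()))
    for m in MRN_RE.finditer(text):
        findings.append(("PHI", "medium", m.group()))
    return findings


def decide(text, channel):
    """allow / block / quarantine, plus the classes found. Unknown channels
    are treated as approved for nothing."""
    findings = scan(text)
    classes = {f[0] for f in findings}
    approved = CHANNEL_POLICY.get(channel, set())
    if not findings or classes <= approved:
        return "allow", classes
    if any(f[1] == "high" for f in findings):
        return "block", classes
    return "quarantine", classes   # medium confidence: hold for human review


# Constructed sample messages.
CLAIM_SUMMARY = ("Claim summary for MRN: 00483921, SSN 078-05-1120, "
                 "card 4111 1111 1111 1111 on file.")
ORDER_NOTE = "Order ref 1234 5678 9012 3456, shipment attached."
FOLLOW_UP = "Patient MRN: 00483921 follow-up scheduled."
DRAWING = "CUI//SP-EXPT drawing rev 3 attached for review."
```

The same claim summary is allowed to the approved partner SFTP feed and blocked on external email; the order reference, which is card-shaped but fails the Luhn check, passes untouched; and a lone medical record number, a medium-confidence signal, is quarantined for review rather than blocked outright. Every decision returns the classes found so that the audit record states what regulated data the session tried to move, not merely that a rule fired.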
Kiteworks operates as the control plane for secure data exchange – combining ABAC enforcement, end-to-end encryption, immutable audit logging, and DLP into a unified governance layer across every channel through which sensitive data moves: email, file sharing, SFTP, MFT, APIs, and AI integrations. This is the architecture that allows regulated organizations to answer the question: “If a credential is compromised and an attacker authenticates successfully, what can they actually access, what controls prevent exfiltration, and what record exists of what happened?”
What Compliance Teams Need to Do Now
The 24 billion record aggregate is a useful forcing function for a conversation that compliance, legal, and security teams should be having regardless of any single disclosure.
First, credential exposure monitoring should be treated as an ongoing risk assessment function, not a reactive response to disclosures. Commercial breach notification services can provide near-real-time alerts when employee credentials appear in known breach aggregates. That intelligence should trigger immediate password rotation and account review – not wait for the next scheduled rotation cycle.
Second, MFA enforcement should be verified across every application that accesses regulated data, not just the primary identity provider. Many organizations have strong MFA at the network edge but have not enforced it consistently across every downstream application their employees use. File transfer portals, email platforms, and document collaboration environments are common gaps.
Third, HIPAA compliance, CMMC 2.0 compliance, and FedRAMP compliance programs should include explicit coverage of the credential stuffing threat in their risk assessments. The standard risk assessment question – “what are the threats to our regulated data?” – should include a specific analysis of what happens when employee credentials are compromised, what data those credentials provide access to, and whether the access controls and audit logging in place are sufficient to detect and contain the incident.
Finally, the event logging and monitoring infrastructure in regulated environments needs to be reviewed against the specific threat of authenticated-but-malicious sessions. This is different from monitoring for failed login attempts. It requires behavioral analysis of authenticated sessions to detect access patterns inconsistent with normal user activity – a capability that sits within the control plane for secure data exchange, not at the network perimeter. Organizations should also ensure their incident response plan explicitly covers credential-based account takeover scenarios, with documented runbooks for each applicable regulatory framework’s reporting obligations.
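The first of those steps is the easiest to make concrete. The Python below is an added example for this post, not code from the original article or from any product it mentions: it shows the k-anonymity range check popularized by Have I Been Pwned's Pwned Passwords API, in which only the first five hex characters of a SHA-1 hash leave the client, so a password can be tested against a breach corpus without disclosing it. The corpus here is a constructed stand-in, and the server side is simulated locally so the block runs offline.

```python
"""Checking a password against a breach corpus with a k-anonymity range
query: only the first five hex characters of the SHA-1 hash leave the client.
Added example, not code from the original post; the corpus is constructed
and the server side is simulated locally so the block runs offline."""
import hashlib

PREFIX_LEN = 5

# Constructed stand-in for a breach aggregate: password -> times seen.
CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "Summer2024!": 4_200,
    "Welcome123": 87_500,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group hashes by their 5-char prefix, as the real service does."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(f"{h[PREFIX_LEN:]}:{count}")
    return index


def range_query(index, prefix):
    """Server side: every suffix sharing the prefix, so the server cannot tell
    which one (if any) the client is interested in."""
    return "\n".join(index.get(prefix, []))


def breach_count(password, index):
    """Client side: returns how often the password appears, or 0. Only
    `prefix` is sent; the full hash and the password stay local."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in range_query(index, prefix).splitlines():
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password, index, max_seen=0):
    """Policy hook for set and rotate time: reject anything in the corpus."""
    return breach_count(password, index) <= max_seen


INDEX = build_range_index(CONSTRUCTED_CORPUS)
```

Wiring `password_acceptable` into the password-change path turns a rotation forced by a breach alert into a rotation that cannot land on another already-exposed value, which is the failure mode a 90-day cycle on its own does nothing to prevent. The prefix leaves the client; the password, its full hash, and the answer to the question being asked do not.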
The 24 billion record aggregate will be eclipsed by a larger one within months. The infostealer ecosystem that contributes the most dangerous records to these collections is not slowing down. The correct response is not alarm about any single disclosure – it is building the architecture that makes credential compromise a contained incident rather than a data breach.
To learn more about how Kiteworks addresses credential-based account takeover risk in regulated environments, schedule a custom demo today.
Frequently Asked Questions
A credential “collection” is a compiled dataset of username-and-password pairs aggregated from multiple historical data breaches – typically events that occurred months or years in the past. The credentials in a collection may have already been rotated or the systems they accessed decommissioned. Infostealer logs are qualitatively different: they are the output of malware actively running on infected machines, capturing credentials as they are used in real time. Infostealer logs contain freshly harvested credentials that are more likely to still be valid. For security teams assessing breach aggregates, the collection fraction represents historical exposure, while the infostealer fraction represents active operational risk. Zero trust security principles are designed specifically for environments where credential validity cannot be assumed, providing continuous validation that does not rely on the credential alone. Organizations should incorporate infostealer-specific scenarios into their security risk management frameworks to ensure detection and response capabilities are calibrated to the speed of this threat.
Credential stuffing is an automated attack technique that tests username-and-password pairs from breach aggregates against target web applications. Modern credential stuffing tools rotate through distributed IP addresses and vary their request patterns to avoid triggering rate-limiting or IP-blocking defenses, making volume-based detection unreliable. The attack succeeds when a stolen credential pair is still valid on the target application – typically because the user reuses passwords across multiple services or hasn’t rotated the credential since the original breach. Detection requires behavioral analysis of authenticated sessions, not just monitoring for failed login attempts. Audit logs that record every access event with device, location, and behavioral context are essential for identifying compromised sessions after the fact. Feeding those logs into a SIEM with behavioral analytics gives security teams the real-time alerting needed to respond before a credential stuffing session escalates to data exfiltration.
MFA significantly raises the cost of credential stuffing attacks and blocks the majority of attempts that rely on static username-and-password pairs. However, MFA is not an absolute defense. Modern infostealers capture browser session cookies that were issued after a legitimate MFA event – allowing session hijacking that bypasses the MFA requirement entirely. Additionally, some MFA implementations can be bypassed through SIM-swapping attacks, real-time phishing frameworks, or social engineering. MFA enforcement is an essential control, but it should be treated as one layer of a defense-in-depth architecture rather than a complete solution. ABAC controls at the control plane level remain effective even when authentication has been compromised, enforcing policy-based constraints on what a compromised session can reach. Pairing MFA with data governance policies that restrict what data any given role can access limits the damage a bypassed MFA event can cause.
The obligations depend on what regulated data the compromised account accessed. Under HIPAA compliance, unauthorized access to protected health information (PHI) by an unauthorized person is a presumptive breach requiring notification to affected individuals and the Department of Health and Human Services, unless the covered entity can demonstrate low probability of compromise using a four-factor risk assessment. Under CMMC 2.0 compliance, unauthorized access to CUI triggers a 72-hour incident report to the DoD under DFARS 252.204-7012. Under FedRAMP, unauthorized access to federal data triggers incident reporting to the relevant agency and CISA. HIPAA compliance and CMMC 2.0 compliance programs should explicitly address credential-based account takeover in their incident response plans. Organizations subject to GDPR face a parallel 72-hour notification requirement to the relevant supervisory authority when personal data is involved.
The response should be tiered by the risk profile of the exposed credentials. Employees with access to regulated data – PHI, CUI, PII, financial records – should be prioritized for immediate credential rotation and account review when breach notification services flag their credentials. The next priority is enforcing MFA across every application those employees use to access regulated content, not just the primary identity provider. The medium-term priority is verifying that access controls and monitoring at the content layer – not only at the network perimeter – are sufficient to detect and contain compromised sessions before they result in data exfiltration. For organizations subject to HIPAA or CMMC, this verification should be documented as part of the ongoing risk assessment process required by those frameworks. A third-party risk management review of vendors with access to regulated data environments should run in parallel, since infostealer infections on vendor endpoints create the same credential exposure as infections on internal endpoints.
Additional Resources
- Blog Post Zero Trust Architecture: Never Trust, Always Verify
- Video Microsoft GCC High: Disadvantages Driving Defense Contractors Toward Smarter Advantages
- Blog Post How to Secure Classified Data Once DSPM Flags It
- Blog Post Building Trust in Generative AI with a Zero Trust Approach
- Video The Definitive Guide to Secure Sensitive Data Storage for IT Leaders