top of page
Search

24 Billion Credentials, 9,500 CVEs, and Your Password Manager's Broken Promise

  • Writer: Patrick Duggan
    Patrick Duggan
  • 9 hours ago
  • 4 min read

On June 12, 2026, Cybernews researchers found an exposed Elasticsearch cluster containing 24 billion records and 8.3 terabytes of data. By June 15, it was secured. The headlines called it a colossal leak. That framing is technically correct and strategically wrong.


This was not a pile of old breach data. This was an automated attack-planning system, and someone left the door open.



What Was Actually in There


The 24 billion records came from 36 distinct sources: Telegram channels in English and Russian, breach compilations, and data exported directly from live target servers. Roughly 1.7 billion records originated from hacking-focused Telegram channels. Another 260 million came tagged as a "Darkside" branded feed. The largest share was bundled into unnamed collections.


None of that is surprising. The part that matters is the 17,000 records that don't fit the pattern of a standard breach compilation.


Over 9,500 documents contained CVE identifiers, descriptions, and corresponding GitHub repository URLs — meaning working proof-of-concept links. Another 5,200 documents were logs of news articles about recent data breaches, including one from February 2026 covering a PyPI supply chain attack. The database was being actively updated months before it was discovered.


Read that combination slowly: stolen credentials, cross-referenced with known-exploited vulnerabilities, linked to working exploit code, actively maintained. That is not an archive. That is a targeting pipeline.


The operator was not hoarding. They were building a system to answer a specific question: of all the credentials I have, which ones belong to people who work at organizations running software I can currently exploit? Then: which exploits have working GitHub PoCs right now?


HIBP absorbed the downstream damage on June 15 — 124 million new passwords and 56 million email addresses from the infostealer layer alone. If you have not checked your exposure this week, now is the time.



The Password Manager Problem


Separate from the credential dump, researchers from ETH Zurich published a paper in February 2026 that will be presented at USENIX Security in Baltimore this August. They tested 27 attack scenarios across Bitwarden, LastPass, Dashlane, and 1Password under one assumption: the server is fully malicious.


This is the correct threat model for 2026. A fully malicious server means: what can an attacker do if they control the infrastructure your password manager syncs against? For most people, the answer to that question is supposed to be "nothing, because the encryption is zero-knowledge." The research found that promise does not hold in practice.


1Password faced two specific scenarios. First: vault sharing lacks authentication of public keys, which enables man-in-the-middle attacks on the sharing mechanism. Second: attackers can cause vault items to disappear for the legitimate owner while leaking out to the attacker.


1Password's response was that these represent "known architectural limitations" documented in their public security white paper. That is a careful way of confirming the attacks work while declining to call them vulnerabilities.


The zero-knowledge promise was always conditional. The conditions are now being stress-tested publicly, and the 24 billion credential ecosystem is the adversarial context those conditions sit inside.



What This Convergence Means


The individual stories are notable. Together they describe something more structural.


Infostealer malware infected more than 11 million devices in 2025. Those infections produced credential logs that fed into markets, Telegram channels, and aggregation services. One such aggregation service ran an active CVE cross-reference layer, enriched with live GitHub PoC links, and maintained it through at least February 2026. A credential that looked stale became actionable the moment a new CVE dropped against a product the credential owner uses.


Password managers were supposed to be the mitigation. You stop reusing passwords, you stop being vulnerable to credential stuffing, you trust the encrypted vault. What the ETH Zurich research demonstrates is that the vault itself is an attack surface when the server is hostile. And "hostile server" is no longer a theoretical concern when you are looking at a targeting system that was actively monitoring PyPI supply chain news in real time.


The Pattern 38 through 48 thread we have been tracking — stolen developer credentials feeding supply chain attacks — runs directly through this infrastructure. Developer credentials in the infostealer pool, cross-referenced against vulnerable package managers and CI/CD systems, with PoC links attached. This is the industrialization of that pattern.



What to Do


Rotate credentials that touch anything with a recent KEV entry. This week's additions alone — Arista EOS, Chrome V8, Cisco SD-WAN Manager, Magento deserialization — are all actively exploited. If credentials for systems running those products are in an infostealer log somewhere, the targeting system that just got exposed told someone exactly which exploits to use against them.


For 1Password specifically: the vault sharing attack vector is the most actionable finding. Review which items you have shared and with whom. Shared items with public key authentication gaps are the attack surface the ETH Zurich team demonstrated. The master vault under your own key is not the problem; the sharing mechanism is.


Check HIBP. The June 15 ingest is fresh. If your email is in it, the associated passwords are in the targeting pool whether or not you still use them anywhere.


The database is offline. The credentials and the exploit cross-reference methodology are not.







The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.


bottom of page