Last updated: July 5, 2026 at 9:01 AM UTC
Tag: credential-leak (4 articles)

Exposed database leaks 24 billion stolen credentials from infostealer logs

Cybernews researchers found an unprotected Elasticsearch database holding 24 billion records and over 8 terabytes of data, most of it infostealer logs: stolen usernames, passwords, and the services they unlock. The collection also pulls from Telegram channels and older breach dumps. Oddly, it included thousands of records tracking CVE vulnerabilities, breach news articles, and social-media posts about cyber incidents, with content as recent as 2026, suggesting the owner is actively curating and refreshing the stash with new leaks. The researchers could not determine how many records are duplicates, how old the data is, or who owns it.

Check
Check whether your email or domains appear in breach-tracking services, watch for credential-stuffing and account-takeover attempts, and look for infostealer infections on endpoints that could feed such collections.
Affected
Anyone whose credentials were captured by infostealer malware or exposed in past breaches; reused passwords are especially dangerous given the dataset's scale and the attacker's apparent effort to keep it current.
Fix
Reset reused passwords from clean devices and, because infostealer logs typically carry session cookies alongside passwords, invalidate active sessions at the same time; adopt a password manager with unique passwords, enable phishing-resistant MFA everywhere, and run endpoint scans to find and remove infostealer infections at the source.

FortiBleed leak exposes VPN credentials for nearly 74,000 Fortinet firewalls

A newly surfaced dataset dubbed FortiBleed exposes what appear to be Fortinet FortiGate VPN credentials tied to 73,932 firewall URLs at organizations around the world. Separately, researchers at SOCRadar report roughly 30,000 compromised Fortinet firewalls exposing networks to attack. Exposed VPN credentials are a direct route into corporate networks, letting attackers log in as legitimate users, bypass perimeter defenses, and stage ransomware or data theft. Fortinet gear is a perennial target, and many of these exposures stem from past unpatched flaws and credential harvesting. Patching closes the flaw but does not invalidate credentials already harvested through it, so organizations cannot assume old Fortinet credentials are safe just because devices were later patched.

Check
Check whether your Fortinet or FortiGate VPN appliances appear in the exposed dataset, review VPN authentication logs for logins from unfamiliar locations, and confirm whether previously exposed devices were fully remediated.
Affected
Organizations running internet-facing Fortinet and FortiGate VPNs whose credentials appear among the 73,932 exposed firewall URLs; reused or never-rotated VPN passwords are most at risk.
Fix
Force-reset all Fortinet VPN credentials and terminate existing VPN sessions, enable phishing-resistant MFA on VPN access, restrict management interfaces, and fully patch or replace appliances, treating any potentially exposed device as compromised until verified.
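Both the infostealer item above ("watch for credential-stuffing and account-takeover attempts") and this one ("review VPN authentication logs for logins from unfamiliar locations") come down to the same two queries over SSL VPN event logs. The following is an added example, not from the article, SOCRadar or Fortinet: it parses FortiGate-style key=value event lines and flags (1) one source IP failing logins against several different usernames, the credential-stuffing signature, and (2) successful tunnels from addresses outside a per-user baseline. The log lines, the users, the addresses and the `KNOWN_SOURCES` baseline are all constructed; the field names (`action`, `remip`, `user`, `tunneltype`) follow the FortiGate event/vpn layout, but the lines are not real device output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style SSL VPN events (key=value; values quoted where the
# device quotes them). Addresses are documentation ranges, users are invented.
SAMPLE_LOG = """\
date=2026-05-21 time=08:02:11 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.50 user="alice" reason="sslvpn_login_permission_denied"
date=2026-05-21 time=08:02:12 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.50 user="bob" reason="sslvpn_login_permission_denied"
date=2026-05-21 time=08:02:13 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.50 user="carol" reason="sslvpn_login_unknown_user"
date=2026-05-21 time=08:02:14 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.50 user="dave" reason="sslvpn_login_unknown_user"
date=2026-05-21 time=08:05:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="alice" msg="SSL tunnel established"
date=2026-05-21 time=09:10:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.50 user="bob" msg="SSL tunnel established"
"""

# Constructed per-user baseline of normal source networks (office egress, home ISP).
# In practice, derive it from the last 30-90 days of tunnel-up events.
KNOWN_SOURCES = {
    "alice": ["198.51.100.0/24"],
    "bob": ["198.51.100.0/24", "192.0.2.0/24"],
}

# key=value tokens; quoted values may contain spaces, unquoted ones stop at whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_credential_stuffing(events: list, min_users: int = 3) -> dict:
    """Source IPs whose failed logins span at least min_users distinct usernames."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("action") == "ssl-login-fail" and ev.get("remip") and ev.get("user"):
            users_by_ip[ev["remip"]].add(ev["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def find_unfamiliar_logins(events: list, known_sources: dict) -> list:
    """Successful tunnels from an address outside the user's baseline networks."""
    hits = []
    for ev in events:
        if ev.get("action") != "tunnel-up":
            continue
        user, ip = ev.get("user"), ev.get("remip")
        if not user or not ip:
            continue
        addr = ipaddress.ip_address(ip)
        nets = [ipaddress.ip_network(n) for n in known_sources.get(user, [])]
        if not any(addr in n for n in nets):
            hits.append((user, ip, f"{ev.get('date')} {ev.get('time')}"))
    return hits


def compromised_candidates(events: list, min_users: int = 3) -> list:
    """Accounts that got a tunnel up from an IP that was also stuffing credentials:
    the strongest single indicator that a leaked password was used successfully."""
    stuffing_ips = find_credential_stuffing(events, min_users)
    return sorted({(ev["user"], ev["remip"]) for ev in events
                   if ev.get("action") == "tunnel-up" and ev.get("remip") in stuffing_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(find_credential_stuffing(evs))
    print(find_unfamiliar_logins(evs, KNOWN_SOURCES))
    print(compromised_candidates(evs))
```

Run over a real export, the `min_users` threshold and the baseline window are the knobs to tune; a low threshold catches slow stuffing from residential proxies at the cost of noise from shared NAT egress, which is why the baseline is per user rather than a global allow-list.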

Lawmakers demand answers from CISA over GitHub credential leak; agency still hasn't rotated all exposed keys a week later

A week after CISA was first notified of credentials leaking from its Private-CISA GitHub repository, the agency is still working to invalidate and replace many of the exposed keys, according to TruffleHog creator Dylan Ayrey. On May 19, Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez sent letters demanding answers, noting CISA has lost a third of its workforce and almost all senior leaders to forced retirements and buyouts. An RSA private key giving full read access to every CISA-IT GitHub repository was still active when Ayrey re-tested on May 20; CISA rotated it after KrebsOnSecurity's notification, but other critical credentials reportedly remain unrotated.

Check
If you are a federal civilian agency, check whether CISA has reissued any credentials, tokens, or runner registrations that integrate with your environment. Treat shared secrets as still potentially exposed.
Affected
Any organization that integrates with CISA's GitHub estate, GitHub Apps owned by the CISA enterprise account, or CISA-IT internal CI/CD pipelines. Federal civilian agencies are the primary population affected.
Fix
Rotate any tokens or webhook secrets shared with CISA-IT systems pending the agency's full remediation. Use TruffleHog or GitGuardian to scan your own GitHub estate for the same class of leak.

CISA contractor leaked AWS GovCloud admin keys and dozens of plaintext passwords on public GitHub

A contractor with administrative access at CISA, the US agency that tells everyone else how to do cybersecurity, ran a public GitHub repository called Private-CISA that exposed administrative AWS GovCloud keys, plaintext passwords in CSVs for internal CISA systems, and credentials to the agency's internal Artifactory. The owner had even disabled GitHub's default secret-scanning protections. Researcher Philippe Caturegli of Seralys validated that the AWS keys still worked against three high-privilege GovCloud accounts and could have given an attacker a launchpad to deploy backdoors into CISA's internal build pipelines. CISA says it is investigating and has seen no evidence of compromise.

Check
Search public GitHub, not only your own org, for repositories named after internal projects (the leak here lived in a contractor's own public repo), scan the full history of public forks with TruffleHog or GitGuardian, and verify GitHub push-protection is enabled at the org level. Org-level settings do not reach a contractor's personal account, so treat personal repositories of anyone with privileged access as in scope.
Affected
Any organization where individual administrators can publish secrets to public GitHub repositories and override the default push-protection settings. CISA itself was the named victim.
Fix
Enforce GitHub Advanced Security push-protection and secret scanning at the org level. Rotate any AWS keys that appear anywhere in public commit history, including in deleted files and rewritten commits, since history survives in forks and caches. Treat developer GitHub accounts as Tier-0 identities.
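The "scan your own GitHub estate" advice in the CISA items above and the "rotate any AWS keys that appear in public commits" step here share one mechanism. The following is an added example, not code from the article, from CISA, from TruffleHog or GitGuardian: a minimal scanner that pulls AWS access key IDs and secret keys out of text (or out of `git log -p --all`, so secrets deleted in a later commit are still found) and, for each key ID, decodes the AWS account number embedded in it. That decoding is a property of the key-ID format documented by security researchers, not an AWS API, and it is what lets you tell which account a leaked key reaches before you rotate. The key ID in the sample diff is generated by `make_access_key`, a constructed inverse used only to produce a deterministic, syntactically valid, non-real key; the secret value is the one from AWS's own documentation examples.

```python
import base64
import math
import re
import subprocess
from collections import Counter

# AKIA = long-lived user key, ASIA = temporary (STS) key; 16 base32 chars follow.
AKID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# A 40-char base64 blob introduced by a secret-key variable name.
SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char secrets sit well above 4."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def account_id_from_access_key(akid: str) -> int:
    """Decode the account ID carried in an AKIA/ASIA key ID: the 16 characters
    after the prefix are base32, and bits 7..46 of the first 6 decoded bytes
    hold the 12-digit account number."""
    raw = base64.b32decode(akid[4:])
    z = int.from_bytes(raw[:6], "big")
    return (z & 0x7FFFFFFFFF80) >> 7


def make_access_key(account_id: int, prefix: str = "AKIA", low_bits: int = 0,
                    tail: bytes = b"\x00\x00\x00\x00") -> str:
    """Constructed inverse, used only to build the sample below. The result has
    the right shape and decodes to account_id but is not a real credential."""
    z = (account_id << 7) | (low_bits & 0x7F)
    return prefix + base64.b32encode(z.to_bytes(6, "big") + tail).decode()


def scan_text(text: str) -> list:
    findings = []
    for m in AKID_RE.finditer(text):
        akid = m.group(1)
        findings.append({"type": "aws_access_key_id", "value": akid,
                         "account_id": f"{account_id_from_access_key(akid):012d}"})
    for m in SECRET_RE.finditer(text):
        s = m.group(1)
        findings.append({"type": "aws_secret_access_key", "value": s,
                         "entropy": round(shannon_entropy(s), 2)})
    return findings


def scan_git_history(repo_path: str) -> list:
    """Scan every patch on every ref; needs git on PATH, not exercised offline."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(out)


# Constructed commit fragment: a credentials file committed by mistake. The key
# ID is generated above for a made-up account; the secret is AWS's docs example.
CONSTRUCTED_KEY_ID = make_access_key(123456789012)
CONSTRUCTED_DIFF = f"""\
+[default]
+aws_access_key_id = {CONSTRUCTED_KEY_ID}
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = us-gov-west-1
"""

if __name__ == "__main__":
    for finding in scan_text(CONSTRUCTED_DIFF):
        print(finding)
```

The account number is the triage key: it tells you which account owner to page and which CloudTrail to pull before the key is rotated, and a key that decodes to an account you do not recognise is a sign the repo holds someone else's credentials too. Whether a key is still live is a separate step (`sts:GetCallerIdentity` against the real service), which is the check the researcher in the article performed.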