24 Billion Stolen Passwords Found Online — Here’s How to Check If Yours Leaked

Security researchers have uncovered a massive cache of 24 billion stolen records containing email addresses and passwords, assembled from years of breaches and quietly traded in criminal circles. The collection, nicknamed “Naz.API,” is one of the largest credential dumps ever seen and dramatically raises the odds that a given person’s logins are already exposed. The good news is that there are ways to check whether an account appears in the trove and to lock things down before attackers do more damage.

What researchers actually found in the 24 billion record dump

The newly analyzed data set is a sprawling compilation of old and new breaches that someone has stitched together into a single, searchable bundle. According to security researchers, the 24 billion records include combinations of email addresses, usernames and passwords, many of them in plain text. Some entries appear multiple times, pulled from different incidents, which suggests the database is intended as a one-stop shop for credential stuffing attacks.

Instead of stemming from a single hack against one company, the cache appears to aggregate data from hundreds or thousands of sources, including well-known breaches of consumer services and obscure forums. Earlier incidents already showed how large those individual leaks can be. A previous exposure of 183 million email and password pairs, which included millions of Gmail accounts, highlighted how a single misconfigured database or compromised service can feed enormous volumes of sensitive data into these collections, according to one detailed report.

Security analysts say Naz.API stands out not just for size but for how neatly it has been organized for criminals. The data is indexed so that attackers can search by email address or domain, then pull matching passwords and related information. That structure makes it easy to plug the results into automated tools that test stolen credentials against major services such as email providers, social networks and banking portals.

Investigators also point out that the cache blends older, widely circulated leaks with fresher data that had not been seen in public dumps before. That mix matters, because even if a person changed a password after a past breach, a newer compromise of the same account might still leave them exposed. The presence of relatively recent records suggests that some of the source breaches are still being discovered or disclosed.

How this changes the risk for everyday users right now

On its own, a single password leak is bad enough. Combined into a 24-billion-record database, it becomes a powerful resource for criminals who rely on scale. Attackers typically run credential stuffing campaigns that take known email and password pairs and try them across large numbers of sites, betting that many people reuse the same login details. A cache this large dramatically increases the odds that any given account will match something in the attackers’ list.
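Credential stuffing shows up in a service's own authentication logs as one source trying many different accounts rather than many tries against one account, so a per-account lockout rule never fires. This added detection sketch (not from the article or any named product; the log format, window and threshold are assumed) walks constructed log lines, flags such sources, and lists the accounts where a leaked password actually worked:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the article). 203.0.113.5 cycles through
# six accounts in seconds, the trace a credential-stuffing run leaves behind;
# 198.51.100.7 is one user mistyping a password and must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=dave result=SUCCESS
2024-03-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:07Z ip=198.51.100.7 user=grace result=FAIL
2024-03-01T10:00:12Z ip=198.51.100.7 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: distinct accounts tried} for sources that hit at least
    `min_users` different accounts inside `window`. Outcome is ignored on
    purpose: stuffing spreads a try or two over many accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(parse(log_text)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            users = {u for _t, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

def compromised_accounts(log_text, **kw):
    """Accounts that logged in from a flagged source: reset and review these first."""
    sources = find_stuffing_sources(log_text, **kw)
    return sorted({u for _ts, ip, u, ok in parse(log_text) if ok and ip in sources})
```

Tune `window` and `min_users` to the service's normal traffic; shared NAT addresses can legitimately show a handful of users in a short span.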

Earlier waves of mass leaks have already shown how exposed major platforms can be. One investigation described how 16 billion passwords tied to Apple, Facebook and Google logins ended up in circulation, prompting warnings that users needed to change credentials immediately, especially if they reused them across services, according to a subsequent analysis. The Naz.API data set appears to build on that history, adding even more fuel for similar attacks.

For individuals, the main risk is account takeover. If a criminal can log in to a primary email account, they can often reset passwords for banking, shopping and social media services that rely on that address. That can lead to fraudulent purchases, identity theft and reputational damage if attackers post from hijacked profiles. Some victims only discover the problem after seeing unfamiliar login alerts or charges on their credit card statements.

Security experts also worry about targeted attacks that use leaked credentials as a starting point. A detailed examination of previous credential leaks found that attackers often combine exposed logins with other personal data to craft convincing phishing emails or text messages, according to investigations into credential. With 24 billion records to work from, it becomes easier to tailor scams that reference real accounts or past passwords, which can trick people into revealing even more information.

Another concern is that some of the exposed accounts belong to employees who have access to corporate systems. If an attacker can reuse a personal password that matches a work account, they may be able to pivot into company networks. That risk is especially pronounced for small and midsize businesses that lack strict password policies or multifactor authentication on internal tools.

How to check if your passwords are in the dump and what to do next

Although Naz.API is circulating in criminal spaces, security researchers have used it to update consumer-facing tools that let people check whether their email addresses appear in known breaches. Services such as Have I Been Pwned and similar platforms allow users to enter an email address and see if it is linked to exposed credentials. Researchers who analyzed the 24 billion records say they are working with these services so that people can identify affected accounts without exposing their current passwords.

Checking for exposure is only the first step. If a search shows that an email address is present in any breach, the safest assumption is that the associated password is compromised. Security professionals recommend changing passwords for all accounts tied to that email, starting with the primary inbox, financial institutions and any service that stores payment details. Passwords should be long, unique for every site and stored in a reputable password manager rather than reused or written down in plain text.
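The "check without exposing your password" idea is the k-anonymity scheme Have I Been Pwned's Pwned Passwords range API uses: the client sends only the first five hex characters of the password's SHA-1 hash, receives every leaked hash suffix sharing that prefix, and does the comparison locally. This added Python example (not the article's or HIBP's code) implements that client side against a constructed range response; the fetcher is a stand-in and the counts are made up:

```python
import hashlib

# Constructed stand-in for the body the real range endpoint
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>) returns: one
# "SUFFIX:COUNT" line per leaked SHA-1 hash that shares the prefix. Counts are
# made up; the middle line is the real suffix for the string "password".
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; odd lines are tolerated."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count) if count.isdigit() else 0
    return counts

def breach_count(password, fetch_range):
    """How many times `password` appears in the corpus behind `fetch_range`.
    `fetch_range(prefix)` is the only network call and sees just the prefix;
    the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix):
    """Hypothetical fetcher for this example: serves the constructed range for
    the one prefix we know and an empty range for everything else. A real one
    would GET the URL above over HTTPS and return the response text."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: " + (f"seen {n} times, do not use" if n else "not in corpus"))
```

A non-zero count means the password is in circulation and should be replaced everywhere it is used, regardless of whether the owner's email was listed in a breach.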

Multifactor authentication is another key defense. Even if a password appears in a dump, an attacker still needs the second factor, such as a one-time code or hardware key, to log in. Many major services now support app-based authentication or physical security keys. Analysts say enabling these options on critical accounts significantly reduces the chance that a leaked password will lead to a successful takeover, even when the login appears in large caches like Naz.API.

People who discover that their accounts are listed in previous leaks should also watch for signs of identity abuse. That includes unfamiliar devices in account activity logs, password reset emails they did not request and new accounts opened in their name. In some of the larger leaks, such as an incident that exposed millions of passwords linked to American users, victims later reported seeing targeted phishing messages that referenced their real email providers, according to subsequent reporting. Treating unexpected messages with suspicion and avoiding password entry through email links can blunt those tactics.

For anyone who feels overwhelmed by the scope of the problem, security specialists suggest prioritizing a handful of accounts that would be most damaging to lose. Email, banking, cloud storage and mobile carrier accounts should come first, followed by major social networks and shopping sites that store payment cards. Rotating passwords on those services, turning on multifactor authentication and removing old or unused accounts can quickly reduce the attack surface, even if every single login cannot be changed immediately.

What this massive leak signals about the future of passwords

The discovery of 24 billion stolen records is another sign that the traditional username and password model is straining under the weight of industrial-scale cybercrime. Each new mega dump adds to a permanent underground archive of credentials that never truly disappears, even after companies reset passwords or close breached systems. Attackers can continue to mine this data for years, looking for patterns and reusing old combinations against new targets.

Security researchers argue that the industry will need to move further toward passwordless authentication and hardware-backed security to break this cycle. Technologies such as passkeys, which tie logins to a specific device and biometric check rather than a memorized string, are designed to resist large-scale credential theft. However, adoption is uneven, and many services still rely on passwords as the primary or fallback method.
