SOCRadar® Cyber Intelligence Inc. | Public Elasticsearch Servers Expose 9.8 Billion Credential Records Across Enterprise, Cloud, and AI Platforms 
Apr 20, 2026
7 Mins Read
Apr 21, 2026

Public Elasticsearch Servers Expose 9.8 Billion Credential Records Across Enterprise, Cloud, and AI Platforms

Misconfigured Elasticsearch servers continue to expose massive volumes of sensitive data. This time, SOCRadar’s AI-powered Sensitive Data Exposure Monitoring service identified three publicly accessible Elasticsearch instances containing more than 9.8 billion credential records spread across separate datasets.

The exposed data included both simple email-password combinations and more detailed ULP (URL, login, password) records that tie each credential to the service and login URL it was captured for. Taken together, these datasets show how credential exposure has changed: it is no longer confined to isolated breach dumps but forms a data ecosystem that feeds large-scale credential stuffing, account takeover (ATO), enterprise compromise, and unauthorized infrastructure access.

What Was Found in Publicly Exposed Elasticsearch Servers?

Across the three servers, the exposed data totaled 9,879,060,029 records, roughly 1.5 TB on disk. Our team analyzed the servers, reviewed the structure of the data, and notified the relevant parties. Following responsible disclosure, all identified servers were secured and taken offline.

The datasets were distributed as follows:

Server #1 – ULP Dataset

  • Records: 3,926,010,491
  • Size: Approximately 818 GB
  • Data type: URL + Email + Password

Server #2 – Credential Dataset

  • Records: 4,606,063,150
  • Size: Approximately 496 GB
  • Data type: Email + Password pairs

Server #3 – ULP Dataset

  • Records: 1,346,986,388
  • Size: Approximately 229 GB
  • Data type: URL + Email + Password
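The sizing above (documents per index, bytes on disk) is what an unauthenticated Elasticsearch cluster hands to anyone who asks. The following is an added example, not SOCRadar's tooling and not code from the page, of the check a defender can run against their own hosts: an anonymous GET of `/_cat/indices?format=json`, a verdict on whether security is enforced, and a total of what an open cluster exposes. The host name, index names and the sample response are constructed; the `docs.count` and `store.size` columns are Elasticsearch's own.

```python
import json
import re
import sys
import urllib.error
import urllib.request

# Unit multipliers for the human-readable store.size column of _cat/indices.
_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4, "pb": 1024 ** 5}


def parse_size(size: str) -> int:
    """Convert a _cat/indices store.size value such as '818.2gb' to bytes."""
    m = re.fullmatch(r"\s*([0-9]+(?:\.[0-9]+)?)\s*([kmgtp]?b)\s*", size.lower())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def classify_exposure(status: int, body: str) -> str:
    """Turn the result of an anonymous GET /_cat/indices?format=json into a verdict.

    200 with a JSON array  -> "open": anyone on the internet can list (and read) the indices
    401 or 403             -> "auth_enforced": security is on, credentials are required
    anything else          -> "unknown": a proxy, a different service, or an error page
    """
    if status == 200:
        try:
            return "open" if isinstance(json.loads(body), list) else "unknown"
        except ValueError:
            return "unknown"
    if status in (401, 403):
        return "auth_enforced"
    return "unknown"


def summarize_indices(indices: list) -> dict:
    """Total documents and on-disk bytes across a _cat/indices listing."""
    docs = sum(int(i.get("docs.count") or 0) for i in indices)
    size = sum(parse_size(i.get("store.size") or "0b") for i in indices)
    return {"indices": len(indices), "docs": docs, "bytes": size, "gib": round(size / 1024 ** 3, 1)}


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Anonymous probe of one cluster. Only point this at hosts you are authorised to test."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return {"url": url, "verdict": "unreachable", "error": str(e)}
    verdict = classify_exposure(status, body)
    report = {"url": url, "status": status, "verdict": verdict}
    if verdict == "open":
        report.update(summarize_indices(json.loads(body)))
    return report


# Constructed sample of what an open server holding two credential indices returns;
# the index names are hypothetical, the counts mirror servers #1 and #2 above.
SAMPLE_OPEN_INDICES = [
    {"index": "ulp-2025", "docs.count": "3926010491", "store.size": "818gb"},
    {"index": "combo-2025", "docs.count": "4606063150", "store.size": "496gb"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1]), indent=2))  # e.g. http://203.0.113.10:9200
    else:
        print(summarize_indices(SAMPLE_OPEN_INDICES))
```

A cluster that answers `open` here needs `xpack.security.enabled: true` (the default since Elasticsearch 8.0), `network.host` bound to a private interface, and a firewall in front of port 9200; after that the same probe returns 401 and the verdict becomes `auth_enforced`. Listing indices is only the first step an attacker takes: on an open cluster, `_search` on each index returns the documents themselves.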

The two ULP datasets are especially valuable from a threat intelligence perspective because they do not just expose credentials: the URL in each record ties the credential to the service it was captured for. That makes the records easier to analyze per service, and more immediately actionable for attackers, who know exactly which login page to try each pair against.

Example ULP records showing credentials tied to specific login URLs

The sections below outline the main findings from our investigation, including enterprise credential exposure, identity provider risks, platform targeting patterns, and the broader implications for organizations.

1. More Than Half of the Exposed Credentials Were Corporate Accounts

One of the most concerning findings came from the second dataset, the email-password pairs. Of its roughly 4.6 billion records, about 2.39 billion carried corporate email addresses, that is, addresses on organizational rather than consumer webmail domains, or roughly 52% of the exposed credentials.

Corporate accounts often serve as entry points into much larger environments. When exposed credentials belong to enterprise users, the risk extends beyond personal account compromise. Attackers can test reused passwords against VPNs, cloud portals, collaboration tools, and internal platforms.

This makes credential reuse a direct enterprise risk, especially in environments where employees use the same or similar passwords across business and personal services.

Screenshot of exposed email and password records from the credential dataset

2. Identity Provider Exposure Raises the Risk to the Authentication Layer

The first ULP dataset revealed a significant number of records tied directly to enterprise identity services, including:

  • microsoftonline.com: 2.6 million+
  • auth0.com: around 200,000
  • okta.com: around 29,000

These domains are central to identity and access management in modern organizations: login.microsoftonline.com is the sign-in endpoint for Microsoft Entra ID (and therefore for Microsoft 365), while okta.com and auth0.com host the login flows of Okta and Auth0 tenants.

This is more serious than a credential leak for a single website. Credentials that work at the identity provider expose the authentication layer itself: through single sign-on, one password can unlock every application federated to that tenant, not just one. Unless MFA or conditional-access policies stop the login, that means broader lateral movement, persistent access, and faster enterprise compromise.

3. Internal Platforms and Supply Chain Systems Were Also Exposed

The datasets also included credentials associated with widely used business platforms such as:

  • zendesk.com: 143,000
  • atlassian.com: 75,000
  • salesforce.com: 74,000

These platforms often contain customer records, internal support workflows, development projects, and collaboration data. Exposure at this level can affect daily operations and business continuity, not just user accounts.

Attackers with access to these systems may gain visibility into customer issues, internal documentation, project environments, and service processes. That turns credential exposure into a supply chain and operational risk.

4. AI Platforms Are Becoming Part of the Credential Exposure Problem

Another notable finding was the presence of credentials linked to modern AI services:

  • openai.com: 620,000+
  • huggingface.co: 24,000+
  • leonardo.ai: 18,000+

This shows that AI platforms are already part of large-scale credential reuse patterns. As organizations increasingly integrate AI services into internal workflows, these accounts may provide access to prompts, proprietary data, automation pipelines, and business logic.

This is an emerging attack surface. Many organizations still focus credential monitoring on email, cloud, and remote access systems, while AI services may not yet receive the same level of security attention.

5. Cloud and Infrastructure Credentials Increase the Impact

The exposed records also referenced cloud and infrastructure-related platforms, including:

  • amazon.com: around 178,000
  • windowsazure.com: around 26,000
  • fortinet.com: around 21,000

These services are associated with cloud resource management, hosting, VPN connectivity, and remote access, which extends the potential impact from account abuse to infrastructure compromise. One caveat when reading these counts: a URL under amazon.com can be the retail storefront as easily as the AWS console sign-in (signin.aws.amazon.com), and fortinet.com is Fortinet's own portals rather than customers' FortiGate VPN appliances, so these figures indicate infrastructure-adjacent exposure rather than a confirmed count of infrastructure credentials.

At the same time, the most common target domains in the first ULP dataset were google.com, facebook.com, live.com, discord.com, netflix.com, amazon.com, and paypal.com, the same consumer platforms routinely abused in credential stuffing and account takeover campaigns.

ULP records showing credentials mapped to different online services

6. Weak Passwords Still Dominate at Billion-Record Scale

Despite years of awareness efforts, weak passwords remain widespread. The most common passwords observed included:

  • 123456: 28 million+
  • 123456789: 16 million+
  • password: 13 million+
  • qwerty: 10 million+
  • qwerty123: 7 million+

These patterns explain why credential stuffing remains effective: a short list of common passwords tried against billions of addresses still yields a steady stream of valid logins, and automation makes that cheap at scale.
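The tallies in sections 1 to 6 (corporate share, per-domain and per-category counts, most common passwords) all come from parsing the two record shapes described above. The block below is an added example, written for this page and not SOCRadar's pipeline, that parses both shapes and produces the same kind of tallies. The tricky part is ULP: the URL and the password can both contain colons, so splitting on ':' corrupts records, and the parser here anchors on the email-shaped login instead. The sample lines, the freemail list, the category mapping and the two-label domain heuristic are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# A ULP line is url:login:password. The URL can itself contain colons (scheme,
# port) and so can the password, so we anchor on the e-mail-shaped login in the
# middle instead of splitting on ':'. Logins beginning with '/' are rejected so
# that a URL's own "//user@host" userinfo is never mistaken for the login.
_ULP_RE = re.compile(r"^(?P<url>\S.*?):(?P<login>[^:\s@/]+@[^:\s@/]+):(?P<password>.*)$")

# Constructed consumer-webmail list: anything else counts as "corporate" here.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "live.com",
            "icloud.com", "protonmail.com", "mail.ru", "aol.com"}

# Constructed mapping that mirrors the groupings used in sections 2 to 5.
CATEGORIES = {
    "identity": {"microsoftonline.com", "okta.com", "auth0.com"},
    "business": {"zendesk.com", "atlassian.com", "salesforce.com"},
    "ai": {"openai.com", "huggingface.co", "leonardo.ai"},
    "cloud": {"amazon.com", "windowsazure.com", "fortinet.com"},
}


def parse_ulp(line: str):
    """Return (url, login, password) or None if the line is not ULP-shaped."""
    m = _ULP_RE.match(line.strip())
    if not m:
        return None
    return m.group("url"), m.group("login").lower(), m.group("password")


def parse_combo(line: str):
    """Return (email, password) from an 'email:password' line.
    E-mail addresses never contain ':', so the first colon is the separator."""
    email, sep, password = line.strip().partition(":")
    if not sep or "@" not in email:
        return None
    return email.lower(), password


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two host labels). Fine for the domains discussed here;
    a production pipeline should use the Public Suffix List (co.uk, com.au ...)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_corporate(email: str) -> bool:
    return email.rsplit("@", 1)[-1] not in FREEMAIL


def analyze(ulp_lines, combo_lines) -> dict:
    """Tally target services, categories, corporate share and top passwords."""
    targets, categories, passwords = Counter(), Counter(), Counter()
    total = corporate = 0
    for line in ulp_lines:
        rec = parse_ulp(line)
        if rec is None:
            continue
        url, login, password = rec
        domain = registrable_domain(url)
        targets[domain] += 1
        for category, domains in CATEGORIES.items():
            if domain in domains:
                categories[category] += 1
        passwords[password] += 1
        total += 1
        corporate += is_corporate(login)
    for line in combo_lines:
        rec = parse_combo(line)
        if rec is None:
            continue
        email, password = rec
        passwords[password] += 1
        total += 1
        corporate += is_corporate(email)
    return {
        "parsed": total,
        "corporate_share": round(corporate / total, 3) if total else 0.0,
        "targets": targets,
        "categories": categories,
        "top_passwords": passwords.most_common(3),
    }


# Constructed sample lines (fictional accounts on reserved example domains).
SAMPLE_ULP = [
    "https://login.microsoftonline.com/:alice@corp.example:Summer2024!",
    "https://login.microsoftonline.com:443/common/oauth2:bob@corp.example:123456",
    "https://corp.okta.com/login/login.htm:carol@corp.example:P@ss:w0rd",
    "https://platform.openai.com/login:dave@gmail.com:123456",
    "android://abc123@com.example.app/:erin@corp.example:qwerty",
    "not a ulp line at all",
    "https://www.amazon.com/ap/signin:frank@yahoo.com:password",
]
SAMPLE_COMBO = [
    "grace@corp.example:123456",
    "heidi@hotmail.com:qwerty123",
    "ivan@corp.example:Winter2024!",
    "garbage-without-separator",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ULP, SAMPLE_COMBO).items():
        print(f"{key}: {value}")
```

Two design points carry over to real datasets. First, the login-anchored regex is what keeps `P@ss:w0rd` and the `:443` port intact; a naive `line.split(":")` silently truncates both. Second, grouping by registrable domain is what folds `login.microsoftonline.com`, `corp.okta.com` and an Android app's package host into the service-level counts the sections above report, which is also why a domain such as amazon.com mixes storefront and console logins.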

What Do These Exposed Credential Datasets Mean for Organizations?

The combined datasets strongly suggest aggregation from multiple sources, including infostealer logs, historical breach collections, and credential stuffing lists. The repeated patterns, massive record counts, and mixed data structures all support that assessment.

For organizations, the risks are broad and immediate:

  • Widespread account compromise across consumer and enterprise services
  • Unauthorized access to corporate environments
  • Exposure of internal systems and business operations
  • Greater risk from credential reuse and automated attacks
  • Expansion of attack surface into AI, cloud, and identity platforms

This is also where external visibility becomes critical. Many of these exposures happen outside the traditional security perimeter, which means internal controls alone may not detect them early enough. Publicly exposed databases, credential reuse patterns, and third-party platform access often remain invisible until attackers begin exploiting them.
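When a dump like this surfaces, the question a security team has to answer is which of its own accounts still use a leaked password. The block below is an added example, not SOCRadar's code, of how to answer it without users ever retyping their passwords and without the plaintext leaving your environment: keep only the dump lines for domains you own, hash each leaked plaintext with the account's own salt and KDF, and compare against the stored hash. The user store, the dump and the PBKDF2 parameters are constructed stand-ins; a real directory would use its own hash (bcrypt or Argon2 in a web application, the unsalted NT hash in Active Directory).

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000            # assumption; use your real KDF and parameters
OUR_DOMAINS = {"corp.example"}  # assumption: the e-mail domains you own


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the directory's real hash (bcrypt/argon2, or NT hash in AD)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(users) -> dict:
    """users: iterable of (email, current_password) -> {email: (salt, hash)}.
    Constructed for the example; in practice you export salts and hashes."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def load_dump(lines) -> dict:
    """Group leaked plaintexts per address, keeping only domains we own so that
    other organisations' credentials are never processed or stored."""
    leaked = defaultdict(set)
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if not sep or "@" not in email:
            continue
        email = email.lower()
        if email.rsplit("@", 1)[1] in OUR_DOMAINS:
            leaked[email].add(password)
    return leaked


def screen(store: dict, leaked: dict) -> dict:
    """Per-account verdict:
    'reuse_confirmed' - a leaked plaintext hashes to the account's current hash
    'appears_in_dump' - the address is in the dump but the password has changed
    Accounts absent from the dump get no entry."""
    verdicts = {}
    for email, candidates in leaked.items():
        if email not in store:
            continue
        salt, stored = store[email]
        hit = any(hmac.compare_digest(hash_password(pw, salt), stored) for pw in candidates)
        verdicts[email] = "reuse_confirmed" if hit else "appears_in_dump"
    return verdicts


# Constructed user store and dump (fictional accounts on reserved domains).
SAMPLE_STORE = make_user_store([
    ("alice@corp.example", "Summer2024!"),             # still using the leaked password
    ("bob@corp.example", "x7#Qm2!pLw9z"),              # rotated since the leak
    ("carol@corp.example", "correct horse battery"),   # not in the dump
])
SAMPLE_DUMP = [
    "alice@corp.example:Summer2024!",
    "bob@corp.example:123456",
    "dave@gmail.com:password",          # not our domain, ignored
    "mallory@other.example:qwerty",     # not our domain, ignored
    "bad line",
]

if __name__ == "__main__":
    for email, verdict in sorted(screen(SAMPLE_STORE, load_dump(SAMPLE_DUMP)).items()):
        print(email, verdict)
```

`reuse_confirmed` accounts need an immediate forced reset plus revocation of existing sessions and refresh tokens, since an attacker may already be logged in; `appears_in_dump` accounts are still worth a check that MFA is enrolled and a watch for stuffing attempts against them. The same loop runs against an NT-hash export from Active Directory by swapping `hash_password` for MD4 over the UTF-16LE password with no salt, which is also why the matching is cheap there and expensive here.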

How Can SOCRadar Help?

SOCRadar Threat Intelligence helps close the gap by combining Attack Surface Management, Digital Risk Protection, and Cyber Threat Intelligence to identify exposed services and sensitive data before they are weaponized. When credential datasets surface in exposed databases or other public-facing sources, SOCRadar helps security teams understand what was exposed, which platforms are affected, and how the data could be used in real-world attacks.

This gives organizations a more actionable view of risk. Security teams can detect whether exposed credentials are tied to identity providers, internal business platforms, cloud services, or emerging AI tools, then prioritize response based on business impact. That visibility supports faster remediation, stronger credential monitoring, better executive and enterprise protection, and a more proactive response to account takeover and fraud risks.

SOCRadar’s Attack Surface Management, Digital Footprint

Organizations can use external threat visibility to identify the warning signs earlier and reduce the chance that exposed data turns into a full-scale incident.