Public Elasticsearch servers exposed a staggering 9.8 billion credential records across enterprise, cloud, and AI platforms, according to SOCRadar. In total, three publicly accessible Elasticsearch instances contained 9,879,060,029 records, with server 1 housing 3,926,010,491 records, server 2 holding 4,606,063,150, and server 3 containing 1,346,986,388, all described as including URL, email and password data or similar combinations.
The datasets reveal that roughly 2.39 billion of the total emails were corporate, representing about 52% of the exposed credentials. Identity provider exposure was notable, with domains such as microsoftonline[.]com, auth0[.]com and okta[.]com appearing in the leaked data, potentially impacting authentication workflows across organisations. Exposed platforms also included Zendesk, Atlassian and Salesforce, while the AI services with exposed credentials included openai[.]com, huggingface[.]co and leonardo[.]ai.
Following responsible disclosure, all identified servers were secured and taken offline, underscoring the ongoing risk posed by misconfigured databases and credential reuse at scale.