24 Billion Passwords Leaked — Then Someone Tagged Them With a “Hack Me First” List
Yo. A leak this big is bad enough. But this one came pre-sorted, like a hacker’s grocery list. You’re not ready.
24 billion login records. 8.3 terabytes. Pulled from 36 different sources. Found sitting WIDE OPEN on the internet for anyone to grab.
Discovered June 12, 2026. Locked down by the 15th. But “locked down” doesn’t mean nobody copied it first. Reported by Cybernews, Security Affairs, and Malwarebytes.

So here’s the part that broke my brain. A regular leak is just a giant pile of emails and passwords, right? Annoying, but dumb. This one was organized. Sitting next to the stolen logins was an index of known software bugs, each one linked to working exploit code, so whoever held the file had the stolen keys AND a toolkit for the doors those keys don’t open. I mean. It’s not a leak. It’s a menu.
🧩 Dumb Mode Dictionary (read this first, takes 20 seconds)
| You hear… | It actually means… |
|---|---|
| Infostealer | Malware that sits on an infected computer and quietly steals the passwords, cookies and session tokens saved in the browser, then ships them to the attacker. Fresh stealer logs are where the newest, still-working logins in a dump like this come from. |
| Credential stuffing | Taking your leaked email + password and trying it on 50 OTHER sites, betting you reused it. (yep, most people do) |
| Combolist | A giant text file of email:password pairs. The currency of the hacker underground. |
| CVE | Common Vulnerabilities and Exposures: an official ID (format CVE-YYYY-NNNNN) for a known security hole in software, like a “wanted poster” for bugs. |
| Elasticsearch cluster | A big searchable database, the kind companies use for logs and search. This one was reachable from the internet with NO password, so anyone who found it could read and download everything. Oops. |
| Plaintext password | Your password stored as readable text instead of as a hash (a one-way scramble). Anyone who reads the file can log in with it immediately. The worst-case scenario. |
📰 What actually happened (the short version)
- Researchers found an open database — no lock, no password — holding ~24 billion records and 8.3 TB of stolen login data.
- It was a mega-mashup of 36 different sources: old breaches, hacker Telegram channels, and fresh infostealer logs.
- Over 1.7 billion records came straight from Telegram channels that exist purely to hand out stolen logins.
- It had emails, usernames, the websites you log into, AND passwords — a lot of them in plaintext (readable, not scrambled).
- Found June 12, secured June 15. Three days. But the file was downloadable that whole time, and probably long before anyone noticed.
🔪 The part that's genuinely diabolical
Buried inside was a 9,500-record stash that paired CVEs (known software holes) with links to GitHub repos holding the actual exploit code.
Translation: someone bolted a “how to break in” toolkit onto the “whose door to break into” list.
- Plus 5,200+ saved news articles about recent breaches — basically a hacker keeping tabs on what’s freshly broken.
- Plus 2,900 social media posts tracking security incidents in real time.
- One saved article was from February 2026, about a poisoned-software attack on PyPI (the place Python coders download tools).
Whoever built this wasn’t hoarding. They were operating. This is a working attack pipeline, not a dusty archive.
📊 The receipts
| Number | What it is |
|---|---|
| 24,000,000,000 | Login records in the dump |
| 8.3 TB | Size (that’s ~1,700 full HD movies of pure passwords) |
| 36 | Separate sources mashed together |
| 1.7 billion | Records pulled from Telegram alone |
| 9,500 | Records linking bugs → live exploit code |
| 3 days | Time it sat open before being secured |
🗣️ Why this hits different than the usual 'billions leaked' headline
Every few months you see “16 billion passwords leaked!!” and your eyes glaze over. Fair. Most of that is recycled old junk.
But the reuse problem is brutally real: tons of people use the same password on their email, their bank, and some random forum from 2014. A combolist this size means attackers can run credential stuffing at industrial scale — auto-trying your old leaked password on hundreds of sites until one opens.
The fix is annoyingly simple and almost nobody does it: stop reusing passwords (let a password manager do the remembering), and turn on 2FA, ideally an authenticator app or a passkey rather than a text message, since SMS codes can be intercepted or SIM-swapped. Go check your email at Have I Been Pwned right now. I’ll wait.
Cool. So Half the Planet’s Passwords Are Now a Searchable Menu… Now What the Hell Do We Do? (ง •̀_•́)ง

Here’s the thing nobody says out loud: every giant leak is a panic wave, and panic waves are where the quietly-clever make rent. The suits are scrambling. The grandmas are terrified. You? You’ve got a laptop and a free afternoon. Let’s go.
🐤 The Combolist Canary
Small shops (the dentist, the local accountant, the family restaurant chain) have no IT person and no clue whether their staff emails are floating in this dump. You become their early-warning bird.
Have I Been Pwned lets you monitor an ENTIRE company domain (like @joesplumbing.com) once you prove you control it, via a DNS record, a file on the website, or an email to a standard admin address for that domain. It’s free for small domains and paid above that. If it isn’t your domain, you partner with the owner, who does the verification. You watch, you alert, you force a reset the second a staff login leaks.
Example: Priya, 24, a comp-sci student in Pune, India, DMs 15 local clinics on WhatsApp offering “leak watch.” She verifies their domains, sets up free HIBP monitoring, and sends a 1-page monthly “all clear or red alert” PDF. Charges ₹2,000/clinic/month. 9 signed = ~$220/month for maybe 3 hours of work.
Timeline: First paying client in ~10 days (fear sells fast right now). Plateaus around 15-20 clients before you’d need to actually automate the alerts or burn out.
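The credential-stuffing risk described above and the Canary play come together when someone hands you a sample of a dump and asks “are we in it?”. Here is an added Python example of that triage, written for this page and not taken from the article, HIBP, or any of the outlets cited: it parses the two line formats combolists mix (plain `email:password` and `url:login:password` from infostealer logs), keeps only the records for a domain you watch, tells apart usable plaintext passwords from old hashes, and flags who reused one password on two or more different sites. Every domain, email and password in `SAMPLE_LINES` is constructed; the one md5 value is the well-known hash of the word “password”.

```python
"""Combolist canary: parse leaked credential lines, keep one watched domain,
flag plaintext passwords and cross-site reuse.  Added example; SAMPLE_LINES is
constructed and is not data from the dump described in the article."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample.  Real combolists mix "email:password" lines with
# "url:login:password" lines exported from infostealer logs.
SAMPLE_LINES = """\
ana@joesplumbing.example:Summer2024!
https://mail.example.net/login:ana@joesplumbing.example:Summer2024!
bob@joesplumbing.example:hunter2
https://portal.example-bank.test/:bob@joesplumbing.example:hunter2
https://crm.example.com/:bob@joesplumbing.example:hunter2
carol@somewhere.example:correct horse battery staple
https://shop.example.org/account:dave@joesplumbing.example:P@ssw0rd
this line is garbage and must be skipped
ana@joesplumbing.example:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
erin@joesplumbing.example:5f4dcc3b5aa765d61d8327deb882cf99
"""

EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
# url:login:password -- the URL is scheme://host[:port]/path with no further colons.
STEALER_RE = re.compile(
    r"^(?P<url>https?://[^\s:/]+(?::\d+)?[^\s:]*):(?P<login>[^:\s]+):(?P<password>.+)$")
# Hash shapes that show up in old breach dumps; anything else is treated as plaintext.
HASH_RES = [
    re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"),                # bcrypt
    re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I),   # md5 / sha1 / sha256 hex
]


def looks_hashed(password):
    return any(r.match(password) for r in HASH_RES)


def parse_line(line):
    """Return {'email', 'password', 'host', 'hashed'} or None for unparseable lines."""
    line = line.strip()
    m = STEALER_RE.match(line)
    if m:
        login, password, host = m["login"], m["password"], urlparse(m["url"]).hostname
    else:
        login, sep, password = line.partition(":")
        if not sep:
            return None
        host = None
    if not EMAIL_RE.match(login) or not password:
        return None
    return {"email": login.lower(), "password": password, "host": host,
            "hashed": looks_hashed(password)}


def canary_report(text, watched_domain):
    """Summarise exposure for one domain: which accounts appear, how many
    records carry a usable plaintext password, and who reused one password on
    two or more different sites (the credential-stuffing risk)."""
    watched = "@" + watched_domain.lower()
    hits = [r for r in map(parse_line, text.splitlines())
            if r and r["email"].endswith(watched)]
    sites = defaultdict(lambda: defaultdict(set))   # email -> password -> {hosts}
    for r in hits:
        if r["host"] and not r["hashed"]:
            sites[r["email"]][r["password"]].add(r["host"])
    reused = {}
    for email, pws in sites.items():
        hosts = sorted(set().union(*(h for h in pws.values() if len(h) >= 2)))
        if hosts:
            reused[email] = hosts
    return {
        "exposed_accounts": sorted({r["email"] for r in hits}),
        "plaintext_records": sum(not r["hashed"] for r in hits),
        "hashed_records": sum(r["hashed"] for r in hits),
        "reused": reused,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(canary_report(SAMPLE_LINES, "joesplumbing.example"), indent=2))
```

Run it as-is and the report for `joesplumbing.example` lists four exposed accounts, six plaintext records against two hashed ones, and names `bob@joesplumbing.example` as the person whose `hunter2` shows up on two different sites: that is the account to force-reset first. HIBP’s domain search stays the tool for ongoing monitoring; this is for the afternoon when a sample lands in your lap.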
🪟 The Patch-Before-They-Pounce Sprint
That dump literally paired bugs with working exploit code. You can ride the SAME logic — legally and on the defense side. When a new exploit goes public, there’s a brutal 2–4 week gap where attackers are spraying it but small businesses haven’t patched yet.
Watch CISA’s Known Exploited Vulnerabilities list (free, updated constantly). When a bug hits gear that local shops run (old routers, mail servers, that ancient WordPress), you offer same-week emergency patching.
Example: Tomasz, 27, in Kraków, Poland, watches the KEV feed every morning. When a Fortinet VPN bug blew up, he cold-called 30 local firms with “you have a 2-week window.” Patched 6 at €400 each in one week. €2,400.
Timeline: Cash within the first hot CVE (days). The honest catch: it’s feast-or-famine — dead weeks between juicy public exploits. Pair it with the Canary play for steady income.
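Here is the “watch the KEV feed every morning” step as an added Python example. It is mine, written for this page, not CISA tooling and not anything from the article: it reads the catalogue’s actual field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), keeps only the entries added in the last two weeks that mention a product on your watchlist, and puts ransomware-linked bugs at the top. `SAMPLE_CATALOG` is constructed with placeholder CVE IDs and vendor names so the demo runs offline; `fetch_kev()` pulls the live feed from the public URL when you want the real thing.

```python
"""KEV watcher: list recently added CISA Known Exploited Vulnerabilities that
touch products on a watchlist.  Added example, not CISA's own tooling; the
sample catalogue below is constructed and its CVE IDs are placeholders."""
import json
from datetime import date, timedelta
from urllib.request import urlopen

# Real public feed (no auth).  Only fetch_kev() touches the network.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Fixed "today" so the offline demo is reproducible.
SAMPLE_TODAY = date(2026, 6, 20)

# Constructed stand-in using the real catalogue's field names.
SAMPLE_CATALOG = {
    "title": "Constructed sample in the KEV catalogue format",
    "dateReleased": "2026-06-20T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Example Networks",
         "product": "Example VPN Gateway", "vulnerabilityName": "Example VPN auth bypass",
         "dateAdded": "2026-06-18", "dueDate": "2026-07-09",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply vendor mitigations."},
        {"cveID": "CVE-0000-0002", "vendorProject": "Example CMS",
         "product": "Example Gallery Plugin", "vulnerabilityName": "Example plugin file upload",
         "dateAdded": "2026-06-19", "dueDate": "2026-07-10",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "Example Mail",
         "product": "Example Mail Server", "vulnerabilityName": "Example mail server RCE",
         "dateAdded": "2026-04-02", "dueDate": "2026-04-23",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0004", "vendorProject": "Example Mobile",
         "product": "Example Phone OS", "vulnerabilityName": "Example kernel privilege escalation",
         "dateAdded": "2026-06-19", "dueDate": "2026-07-10",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply updates per vendor instructions."},
    ],
}


def fetch_kev(url=KEV_URL, timeout=30):
    """Download the live catalogue (not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def matches_watchlist(entry, watchlist):
    """Case-insensitive substring match against 'vendor product'."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(term.lower() in haystack for term in watchlist)


def recent_watchlist_hits(catalog, watchlist, days=14, today=None):
    """Entries added in the last `days` days whose vendor/product contains a
    watchlist term, ransomware-linked ones first, then by earliest due date."""
    today = today or date.today()
    cutoff = today - timedelta(days=days)
    hits = [v for v in catalog["vulnerabilities"]
            if date.fromisoformat(v["dateAdded"]) >= cutoff and matches_watchlist(v, watchlist)]
    hits.sort(key=lambda v: (v.get("knownRansomwareCampaignUse") != "Known", v["dueDate"]))
    return hits


def format_alert(entry):
    """One line per entry, the way it would land in a morning message."""
    flag = " [RANSOMWARE]" if entry.get("knownRansomwareCampaignUse") == "Known" else ""
    return (f"{entry['cveID']}{flag}: {entry['vendorProject']} {entry['product']} - "
            f"{entry['vulnerabilityName']} (added {entry['dateAdded']}, "
            f"federal due {entry['dueDate']})")


if __name__ == "__main__":
    watch = ["Example VPN", "Example Mail", "Gallery Plugin"]
    # Swap SAMPLE_CATALOG for fetch_kev() and drop today= to run against the live feed.
    for e in recent_watchlist_hits(SAMPLE_CATALOG, watch, today=SAMPLE_TODAY):
        print(format_alert(e))
```

Two caveats a practitioner would want: `dueDate` is the deadline CISA sets for US federal agencies, not a number that means anything for Joe’s Plumbing, so use it only as a rough “how urgent does the government think this is” signal; and substring matching on vendor and product names is deliberately loose, because the same product shows up under several spellings in the catalogue, so expect to prune a few false hits.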
📖 The Rotation Bible
Here’s a gap: most of the “you got leaked, here’s the fix” guides are in English and written like a legal document. Billions of people don’t read English well and just… panic and do nothing.
Be the FIRST to write the dead-simple “Your password leaked? Here’s the 10-minute fix” guide in YOUR language — Tagalog, Urdu, Portuguese, whatever’s underserved. Plain words, screenshots, zero jargon. It becomes the thing people share in every family group chat.
Monetize with honest affiliate links to a password manager like Bitwarden or Proton Pass (both have free tiers + referral payouts).
Example: Andile, 22, in Durban, South Africa, writes the guide in isiZulu + English, posts it free, and pins the affiliate links. It ranks #1 on Google for the local search within 6 weeks. ~$15/signup × steady trickle = beer-and-rent money on autopilot.
Timeline: First search traffic in 3-6 weeks (Google’s slow). The win compounds — but a copycat shows up in ~4 months, so be first and be the friendliest.
🎣 Phish-Test the Suits (the legal kind)
Owners don’t believe their staff reuse leaked passwords — until you prove it. So prove it (with written permission, always).
Use GoPhish, a free, open-source tool that sends a harmless fake phishing email and records who opens it, who clicks, and who types something into the fake login page. Leave GoPhish’s “Capture Passwords” option off: you only need to know that someone submitted, not what their real password is. You run a controlled test, hand the boss a scary little report, and suddenly they’re paying for the fix.
Example: Mei, 26, in Kuala Lumpur, Malaysia, offers free 1-page “phish reports” to SMBs, gets written sign-off, runs GoPhish, and shows the owner that 7 of 12 staff clicked. Upsells a $300 “fix + train your team” package. Closes 1 in 4. ~$900/month part-time.
Timeline: First paid upsell in ~2 weeks. Honest warning: you MUST have written permission from someone who can actually authorize it. Sending fake phishing mail to a company without that isn’t a grey area; in most jurisdictions it’s a crime. Stay white-hat.
🔐 The Family Vault Installer
Forget businesses for a sec. Your neighbors, your aunties, every non-techy person over 40 is terrified right now and has no idea what a password manager even is. They will happily pay a calm human to just… set it up for them.
Go door-to-door, post on local Nextdoor / Facebook groups: “I’ll set up a password vault + the 6-digit security code on all your accounts, in person, in one visit.” Use the free tier of Bitwarden or Proton Pass. Flat fee per household.
Example: Lucas, 23, in São Paulo, Brazil, charges R$150 per home visit to install a vault + 2FA for retirees and walk them through it. Word-of-mouth in one apartment building got him 11 visits in a month. ~$300, plus they call him for everything now (recurring tips).
Timeline: First visit within DAYS (just post in one local group). Scales by word-of-mouth in your area; caps out at whatever you can physically drive to — so train a friend and split the territory.
🛠️ Follow-Up Actions
| If you want to… | Do this |
|---|---|
| Check if YOU’RE in the dump | Search your email at Have I Been Pwned |
| Stop reusing passwords forever | Set up Bitwarden (free) tonight |
| Watch a whole company domain | Use HIBP Domain Search |
| Know which bugs are being exploited NOW | Bookmark the CISA KEV catalog |
| Run a (permissioned) phishing test | Grab GoPhish |
Quick Hits
- Check your email at HIBP right now
- Turn on 2FA + a password manager today
- Run the Combolist Canary for 5 local shops
- Watch the CISA KEV list for the next hot bug
- Read the Malwarebytes writeup
They didn’t just leak your password. They sorted it by how easy you are. Change it tonight — and maybe charge your neighbor to change theirs.