Over 70 million Compromised Credentials Added to ‘Have I Been Pwned’ Database
January 19, 2024
Have I Been Pwned (HIBP) recently added 71 million entries to its extensive database, consisting of email addresses linked to stolen accounts, part of the Naz.API dataset.
Naz.API is a gargantuan collection allegedly comprising 1 billion credentials assembled from credential stuffing lists and data harvested with infostealer malware.
Credential Stuffing and Infostealer Logs
Credential stuffing attacks use lists of passwords leaked in previous data breaches to break into other accounts on different websites. Newly confirmed matching credentials get added to the list, contributing to its expansion and increasing the odds of the attack.
Infostealer-harvested data encompasses a broad range of information stolen from compromised devices, including credentials from various services, cookies, credit card information, SSH keys, and crypto-wallets.
71 Million Email Addresses Involved
Yesterday, Have I Been Pwned creator Troy Hunt announced the addition of the Naz.API dataset to the data breach notification service. Hunt pointed out that the 109 GB dataset consists of 319 files with 70,840,771 unique email addresses.
“This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data,” Hunt’s blog post reads. “When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
Likely Old Data Included in Dataset
As Hunt clarifies, the Naz.API dataset contains email addresses from both stealer logs and credential stuffing lists.
Therefore, finding out that an email address has been associated with the Naz.API dataset on HIBP doesn’t necessarily mean you were infected with info stealer malware; you might’ve been the target of a credential-stuffing attack or a different type of security incident that led to the leak.
Some information in the dataset is likely old, as Hunt points out that he even found one of his old passwords used in 2011.
Protecting Against Data Leaks
Such a massive dataset is guaranteed to spark concerns. Data leaks can have devastating consequences, especially if the information falls into the wrong hands. However, good cybersecurity hygiene and specialized tools can help avoid such scenarios.
- Bitdefender Digital Identity Protection – helps you keep an eye on your digital footprint, including traces from no-longer-used services, notifies you of breaches involving your data, and lets you patch weak spots instantly
- Bitdefender Password Manager – helps you generate, manage, and store unique passwords for all of your online accounts, to avoid credential-stuffing attacks
- Bitdefender Ultimate Security – 24/7, comprehensive detection and protection against infostealer malware, viruses, Trojans, worms, spyware, ransomware, rootkits, zero-day exploits, and other digital threats
tags
Author
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsRight now Top posts
Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware
November 14, 2024
What Key Cyberthreats Do Small Businesses Face?
September 06, 2024
FOLLOW US ON SOCIAL MEDIA
You might also like
Bookmarks
