Have I Been Pwned (HIBP) recently added 71 million entries to its extensive database, consisting of email addresses linked to stolen accounts, part of the Naz.API dataset.
Naz.API is a gargantuan collection allegedly comprising 1 billion credentials assembled from credential stuffing lists and data harvested with infostealer malware.
Credential stuffing attacks use lists of passwords leaked in previous data breaches to break into other accounts on different websites. Newly confirmed matching credentials get added to the list, contributing to its expansion and increasing the odds of the attack.
Infostealer-harvested data encompasses a broad range of information stolen from compromised devices, including credentials from various services, cookies, credit card information, SSH keys, and crypto-wallets.
Yesterday, Have I Been Pwned creator Troy Hunt announced the addition of the Naz.API dataset to the data breach notification service. Hunt pointed out that the 109 GB dataset consists of 319 files with 70,840,771 unique email addresses.
“This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data,” Hunt’s blog post reads. “When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
As Hunt clarifies, the Naz.API dataset contains email addresses from both stealer logs and credential stuffing lists.
Therefore, finding out that an email address has been associated with the Naz.API dataset on HIBP doesn’t necessarily mean you were infected with info stealer malware; you might’ve been the target of a credential-stuffing attack or a different type of security incident that led to the leak.
Some information in the dataset is likely old, as Hunt points out that he even found one of his old passwords used in 2011.
Such a massive dataset is guaranteed to spark concerns. Data leaks can have devastating consequences, especially if the information falls into the wrong hands. However, good cybersecurity hygiene and specialized tools can help avoid such scenarios.