Massive Data Dump Containing Millions Of Passwords Sparks Security Alert
Arthur T Knackerbracket has processed the following story:
Researcher Uncovers One Of The Biggest Password Dumps In Recent History
News of the dataset comes from Troy Hunt, operator of the Have I Been Pwned service, which is used to identify email addresses that appear in data breaches.
Hunt writes that a well-known tech company contacted him about Naz.API, a collection of one billion credentials. "Unlike similar lists that are merely collections of login names and passwords from previous data breaches, this dataset includes 25 million passwords that had never been leaked before," he writes.
[...] Hunt found that Naz.API contained 319 files totaling 104GB and 70,840,771 unique email addresses. It impacted 427,308 individual HIBP subscribers, and 65.03% of the addresses are already in HIBP (based on a random sample set of 1,000).
The fact that a third of the email addresses have never been seen in previous leaks is significant. In the forum post that included the database, the poster stated that it was created by extracting data from stealer logs. This form of malware harvests data from infected machines, such as saved passwords, credit card details, crypto wallets, and more.
Hunt posted a screenshot of the dataset that showed some of the stolen data. The passwords appear in plaintext rather than as hashes, and many are incredibly simple, commonly used strings. As we've seen so many times before and often warned against, a huge number of people use the same email address/password combination across multiple services.
Hunt contacted some people on the list to confirm that their credentials are or were at one time accurate. He also confirmed that a selection of emails were associated with the named websites, which include Facebook, Roblox, Coinbase, Yammer, and Yahoo.
Not all of the data comes from stealer malware. A large percentage comes from credential stuffing lists, which collate credentials from previous breaches so they can be replayed against other sites. One of Hunt's own passwords appeared in the data, though he hasn't used it since pre-2011.
"Some of this data does not come from malware and has been around for a significant period of time," he wrote. "My own email address, for example, accompanied a password not used for well over a decade and did not accompany a website indicating it was sourced from malware."
To check whether your data appears in the Naz.API dataset or in any previous breach, visit Have I Been Pwned.
Arthur T Knackerbracket has processed the following story:
Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months, a researcher said Wednesday.
Troy Hunt, operator of the Have I Been Pwned? breach notification service, said the massive amount of data was posted to a well-known underground market that brokers sales of compromised credentials. Hunt said he often pays little attention to dumps like these because they simply compile and repackage previously published passwords taken in earlier campaigns.
Some glaring things prevented Hunt from dismissing this one, specifically the contents indicating that nearly 25 million of the passwords had never been leaked before:
"That last number was the real kicker," Hunt wrote. "When a third of the email addresses have never been seen before, that's statistically significant. This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it's from 'stealer logs' or in other words, malware that has grabbed credentials from compromised machines."
Data collected by Have I Been Pwned indicates this password weakness runs rampant: the 100 million unique passwords it has amassed have collectively appeared 1.3 billion times across the breaches it has processed.
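Both stories point readers at Have I Been Pwned, and the second cites the appearance counts its Pwned Passwords corpus keeps per password. The following is an added example, not code from either story or from HIBP itself, showing how a practitioner would query that corpus without disclosing the password: the Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 and returns every known suffix under that prefix with its count (k-anonymity), so the match is made locally. The endpoint and response format are the public ones; the sample response body, the count of 12345, and the User-Agent string are constructed for the offline demonstration.

```python
import hashlib
import urllib.request
from typing import Callable

# Public k-anonymity endpoint: only the 5-char SHA-1 prefix ever leaves the host.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like: one "SUFFIX:COUNT"
# per line, suffixes are the remaining 35 hex chars of the SHA-1. The
# 1E4C9B... entry is the real suffix of SHA-1("password"); the counts and the
# other two suffixes are made up for this example. A ":0" entry is what the
# optional Add-Padding header produces and must be treated as "not found".
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\r\n"
)


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex (the API is case-insensitive)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is matched locally."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix. Not exercised offline; wired in by default
    so the script works as a CLI check."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        # Constructed identifier; HIBP asks clients to send some User-Agent.
        headers={"User-Agent": "example-pwned-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords (0 if
    never seen). The full hash is never sent; only the prefix is queried and
    the suffix is compared against the returned range on this side."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    counts = parse_range_response(fetch(prefix))
    # Padding entries carry a count of 0, so .get(..., 0) handles them too.
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed response body.
    print(pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE_BODY))
```

Run with the default `fetch` to query the live service; the candidate password is read from code rather than argv so it does not land in shell history. Any non-zero count is reason enough to reject the password at registration or password-change time, regardless of how small it is.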
Read more of this story at SoylentNews.