
Naz.API, what is the attack that revealed millions of passwords


Have you also received an email with the message “You’re one of 70,840,771 people pwned in the Naz.API data breach”? If so, know that you are not alone. The message comes from Have I been pwned, the well-known service that keeps track of security incidents for which some evidence has emerged and which have led to the theft of personal data such as usernames, passwords and other sensitive information.

What are credential stuffing lists

Troy Hunt, creator and maintainer of Have I been pwned, explains that in the last few hours he received a report which immediately proved to be extremely promising. The author of the message invited Hunt to examine the contents of a large credential stuffing list. This is the name given to collections of login credentials obtained through cyber attacks and previously committed breaches.

Lists that hold other people’s usernames and passwords are sold on the “black market” with the specific aim of allowing malicious users to log in to various online services with someone else’s credentials. Since, still today, many users unfortunately reuse the same password across multiple platforms, an up-to-date credential stuffing list becomes a precious and valuable resource for cyber criminals. Choosing a secure password and never sharing it between multiple services is one of the basic rules. Using two-factor authentication (2FA) is another useful tool for protecting yourself. Sometimes, however, passwords may be stolen directly from the systems that are supposed to protect them (for example from the servers of a web platform). In fact, in another article we invited our readers to ask themselves how websites store passwords.

The Naz.API list: check if you are there too

The administrator of Have I been pwned notes that the Naz.API list contains 319 files for a total of 104 GB of data. These files hold almost 71 million unique email addresses, along with a set of matching passwords.

This time the data theft appears to have occurred on individual users’ systems. The analysis carried out by Hunt made it possible to ascertain that this large credential stuffing list is the product of malware that stole credentials from infected and compromised machines.

To further investigate the incident, Hunt reached out to some users of Have I been pwned to verify the reliability of some of the data. Many of them confirmed that the passwords listed are passwords they actually used, currently or in the past, to access various online services.

Since this appears to be a new list, not a collage of lists already widely circulated in the past, Hunt set up the mail server of Have I been pwned to contact the affected users and inform them of their presence in the credential stuffing list.

Given the importance of the Naz.API list, all the passwords found have been included in Pwned Passwords, a free service that allows users to check whether their passwords have been compromised. We suggest checking for breached and insecure passwords using Pwned Passwords because – for obvious security reasons – the passwords it stores are kept completely independent of the corresponding usernames.
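As an added example (not code from the article or from Have I been pwned itself), here is how a client can check a password against Pwned Passwords through the service's public range API, under which only the first five characters of the password's SHA-1 hash ever leave the machine; the endpoint URL and the `Add-Padding` header come from the service's published API, not from this article, and the sample range response with its counts is constructed for the illustration.

```python
import hashlib
import urllib.request

# Public range endpoint of Pwned Passwords (k-anonymity model): the client
# sends only the first five hex characters of the SHA-1 hash of the password.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 (the prefix of the
# SHA-1 of "password"). Real responses list every matching 35-character
# suffix with its count; these neighbours and counts are invented.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])


def hash_split(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a mapping; blank lines are skipped.
    Padded responses contain ':0' entries, which simply map to zero."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash range (needs network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stub that serves the constructed sample for its one known prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not seen).
    `fetch` maps a prefix to a range body, so an offline stub can replace it."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

A non-zero count means the password belongs in no account anywhere, regardless of which username it was paired with.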
