Here’s how to check.
Don’t Pass Go
A gigantic trove of passwords has been released by bad actors, and there’s a very good chance that yours is on there.
According to Troy Hunt, who runs the breach notification site Have I Been Pwned (HIBP), where users can look up their email address and see whether, and in which breaches, their passwords and other account data have been exposed, it is one of the largest collections of breached data he has ever seen appear online.
Hunt does not use the word "large" loosely. The cache of files, dubbed "Naz.API," contains more than 71 million email addresses and 100 million plaintext passwords. So far, more than 400,000 HIBP subscribers have been affected.
New breach: The Naz.API stealer logs and cred stuffing lists were posted to a hacking forum in Sep. Data included 71M email addresses and 100M plain text passwords, often alongside the service they were used for. 67% were already in @haveibeenpwned. More: https://t.co/Uef4G7gOei
— Have I Been Pwned (@haveibeenpwned) January 17, 2024
It's not all fresh. In his blog post, Hunt said that about two thirds (67 percent) of the email addresses in the dataset had already appeared in other HIBP breaches. That means that while most of the stolen data was already circulating, roughly a third of it appears to be newly harvested.
“When a third of the email addresses have never been seen before, that’s statistically significant,” he wrote. “This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data.”
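The article tells readers to check HIBP for their own data. For passwords specifically, HIBP's Pwned Passwords service lets you do that without ever sending the password, or even its full hash, to the server: you hash the password with SHA-1, send only the first five hex characters of the digest, and receive every suffix in that range with a breach count, then match the remaining 35 characters locally. The following is an added example written for this page, not code from HIBP or from Hunt; the "range" response below is a constructed fixture, not real API output, and the optional live fetcher assumes the public endpoint `https://api.pwnedpasswords.com/range/<prefix>` and its `Add-Padding` header as documented by HIBP.

```python
import hashlib
from typing import Callable, Dict, Tuple

# --- k-anonymity range check (the technique HIBP's Pwned Passwords API uses) ---

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hex_digest: str) -> Tuple[str, str]:
    """First 5 hex chars go over the wire; the remaining 35 never leave the client."""
    return hex_digest[:5], hex_digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padded entries have count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    fetch_range is injected so the logic can be exercised offline against a
    fixture and switched to the real endpoint in production.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range(fetch_range(prefix))
    return counts.get(suffix, 0)

# --- Constructed fixture standing in for the network (NOT real API data) ---

_PWNED_SUFFIX = split_hash(sha1_hex("password"))[1]   # prefix 5BAA6
_CLEAN_PREFIX = split_hash(sha1_hex("abc"))[0]         # prefix A9993

SAMPLE_RANGES: Dict[str, str] = {
    # Range for "password": filler suffixes plus the real one with a made-up count.
    "5BAA6": "\n".join([
        "00000A1B2C3D4E5F60718293A4B5C6D7E8F9010:2",
        _PWNED_SUFFIX + ":10434004",
        "FFFFFE1B2C3D4E5F60718293A4B5C6D7E8F9010:0",  # padding entry, count 0
    ]),
    # Range for "abc": only filler suffixes, so "abc" is reported as not found.
    _CLEAN_PREFIX: "\n".join([
        "0000011111222223333344444555556666677777:5",
        "FFFFF11111222223333344444555556666677777:0",
    ]),
}

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")

def live_fetch_range(prefix: str) -> str:
    """Real lookup (assumed endpoint and header; opt in explicitly, never run on import)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = pwned_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Swapping `fake_fetch_range` for `live_fetch_range` performs the real check; the password itself is still hashed locally and only a five-character prefix is transmitted, which is why this can be run against a password manager's export without leaking the secrets. Checking whether an email address appears in a breach is a different HIBP endpoint that requires an API key, so it is not shown here.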
Logged On
As Hunt explains, much of the data comes from "stealer logs," the output of info-stealing malware that, once installed on a victim's device, captures credentials as they are entered, often together with the site they were used on. In the case of Naz.API, the lists are believed to have been taken from illicit.services, a now-defunct site that let anyone search stolen data by a person's name or email address.
When he searched the compromised data for his own records, Hunt found a password he had used before 2011, an indication that some of the material is very old indeed.
Perhaps the biggest takeaway, especially given the decade-old password of his own that Hunt found in the dataset, is that reusing a password across years and across sites is what turns an old leak into a current compromise: a credential captured once can be replayed against every other account that shares it. Citing the recent 23andMe breach, the researcher pointed out that as long as "password reuse remain[s] rampant," so too will the fallout from these kinds of hacks.
His advice?
"Definitely get out in front of this one as early as you can" by replacing recycled credentials with unique passwords generated and stored by a password manager.