The Have I Been Pwned data breach notification service has added over 284 million accounts stolen by information stealer malware and found on a Telegram channel. "They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses," Hunt stated in a Tuesday blog. Before adding the stolen accounts to HIBP's database, Troy confirmed their authenticity by checking if a password reset attempt using the stolen email addresses triggered the service to send a password reset email.

Using newly added APIs (allowing up to 1000 email address searches per minute and stealer log searches), domain owners and website operators (who pay for a monthly subscription) can now identify customers whose credentials were stolen by querying the added stealer logs by email domain or website domain.

In December 2021, HIBP also added 441,000 accounts stolen in an information-stealing campaign using RedLine malware, one of the most widely used infostealers at the time. More recently, earlier this month, HIBP added the accounts of 12 million Zacks Investment users whose sensitive data (including names, usernames, email addresses, IP addresses, physical addresses, and phone numbers) was exposed in a security breach. Two years ago, in June 2023, the breach notification service added another database with the email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, and full names of another 8.8 million individuals using Zacks' platform.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 25 Feb 2025 22:10:23 +0000