Almost 71 million sets of unique credentials have leaked, via an unnamed firm's bug bounty program.
Nicknamed Naz.API, the leak is making waves.
The site's majordomo, Troy Hunt, sounds astounded.
Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches.
Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers.
This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence platform called illicit.services, which allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data.
It shut down in July 2023 out of concerns it was being used for doxxing and SIM-swapping attacks.
Even if HIBP warns you that your email was in the Naz.API, it does not tell you for what specific website credentials were stolen, [so] it's recommended to change passwords for all your saved accounts.
This includes passwords for corporate VPNs, email accounts, bank accounts, and any other personal accounts.
A large percentage are the result of credential stuffing, which collates data from previous breaches.
News of the dataset comes from Troy Hunt, operator of the Have I Been Pwned service used to identify emails that appear in data breaches.
This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data.
There's also a massive prevalence of people using the same password across multiple different services and completely different people using the same password.
Pwned Passwords remains totally free and completely open source for both code and data, so do please make use of it to the fullest extent possible.
This is such an easy thing to implement, and it has a profound impact on credential stuffing attacks, so definitely get out in front of this one as early as you can.
Can automatically scan all your passwords against Pwned Passwords which includes all passwords from this corpus of data.
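As an added example (not code from the article, from Troy Hunt or from the HIBP project), here is how a client checks a password against the Pwned Passwords range API mentioned above under its k-anonymity model: only the first five hex characters of the SHA-1 leave the client, and the matching is done locally on the returned suffixes. The range body and its counts are constructed for this example; only the hash of "password" is real.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>):
# one "SUFFIX:COUNT" line per hash that shares the 5-character prefix.
# The first suffix is the real SHA-1 of "password" minus its prefix 5BAA6;
# the counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "00000000000000000000000000000000001:3\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
)


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response body into {suffix: breach_count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call, backed by the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup against the public endpoint (network access required)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

Swap `offline_fetch` for `live_fetch` to query the service; a non-zero count is the signal to reject or force a change of that password.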
If you have recycled passwords, change any others that used the same password.
Use a password manager to create and store long, complex passwords.
You can use this to see if you're in the real Naz.API dataset.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 18 Jan 2024 17:58:03 +0000