Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List (bleepingcomputer.com) 17

An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for Doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services use data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device, as shown [here].
"Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.
This discussion has been archived. No new comments can be posted.

Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List

Comments Filter:
  • by Okian Warrior ( 537106 ) on Wednesday January 17, 2024 @10:45PM (#64169019) Homepage Journal

    Help us protect your account!

    Give us a phone number and we'll send you a txt or voice message that confirms that your number is associated with this account.

    That way when we eventually get hacked, not only do they get your account information they also get your phone number. Additionally, they'll be able to link all your other accounts on other services to this same number.

    Your phone number is now required for logging in. Please enter your phone number and choose "voice" or "txt" to receive your security code now.

    (Note: I have a perfectly useful YouTube account with videos that I can't log in to, and can't even delete because refuse to give Goggle my phone number so that they can associate one user across all my accounts. Thanks, YouTube!)

    • BUT, it's TFA! We don't know it's you unless it's you. Geez. Sheep up, motherfuck!

    • Your phone number is now required for logging in.

      You know what's the nastiest part, it isn't even "your" phone number, as in some number associated with the account, it is a phone number. How is a random phone number going to help more than the actual credentials to the account?! If there's a fraud-prevention limit to the number of accounts you can log into with the same number I couldn't get to it, that is after countless throwaway accounts and using the same phone number for support for all friends and fa

      • by TwistedGreen ( 80055 ) on Thursday January 18, 2024 @01:32AM (#64169103)

        The number itself doesn't really identify you, but once you provide it they can more-or-less safely assume that as long as you have access to that phone number, you're probably the same person as before. Admittedly it's a lazy solution to people using and reusing crap passwords.

        But there's no reason to use your personal phone number. I can log into my VoIP provider's portal, buy a new phone number and start receiving SMS on that number within a few minutes. It costs 85 cents per month for the number plus a 40 cent setup fee, and you can get the SMS messages directed to your email.

        • by pjt33 ( 739471 )

          I'm not convinced that "You can avoid the pain by contracting a subscription service you wouldn't otherwise require from a third party" really makes things much better.

        • by mjwx ( 966435 )

          The number itself doesn't really identify you, but once you provide it they can more-or-less safely assume that as long as you have access to that phone number, you're probably the same person as before. Admittedly it's a lazy solution to people using and reusing crap passwords.

          This, but perfect is the enemy of done.

          Google et al. could make things incredibly secure, but they wont because it would drive away users who just get too annoyed by it. See above about people who are getting upset about using a phone number. Admittedly it is an imperfect solution but we live in an imperfect universe (also google supports other methods of MFA, I've never given them my phone number which is good because I've not just changed numbers but moved countries in the last decade).

    • by Barny ( 103770 )

      Lucky Google now supports authenticator app codes as well as security keys.

  • Comment removed based on user account deletion
  • by twocows ( 1216842 ) on Thursday January 18, 2024 @08:16AM (#64169549)
    I was apparently in this one. I understand that for a lot of reasons they don't want to actually hold onto that information... but it's frustrating not to know which of the (I just checked) nearly 700 websites I have unique passwords on was affected. Yes, I'm not vulnerable on other sites because of this, but I'm still affected on whatever site originally had that information! Telling me to "use unique passwords" (which I already do) doesn't fix that!

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Working...