Have I Been Pwned adds 71M compromised credentials from the ‘Naz.API’ data set
Data breach indexing site Have I Been Pwned has just added almost 71 million stolen user credentials from the Naz.API data set, including 25 million previously unknown leaks.
The stolen credentials cover users on sites and services, including Facebook, Yahoo! Inc., Roblox Inc., Yammer and Coinbase Inc., and were first shared on a hacking forum. The full database, not yet shared, includes more than 1 billion stolen credentials, created by combining information obtained from credential-stuffing attacks and logs for information-stealing malware.
Credential stuffing is a form of attack where stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
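The pattern described above (one source, many different accounts, mostly failed logins) is what defenders look for in authentication logs. The sketch below is an added example, not from the article or from Have I Been Pwned; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-18T10:00:01 203.0.113.7 alice@example.com FAIL
2024-01-18T10:00:03 203.0.113.7 bob@example.com FAIL
2024-01-18T10:00:05 203.0.113.7 carol@example.com FAIL
2024-01-18T10:00:07 203.0.113.7 dave@example.com FAIL
2024-01-18T10:00:09 203.0.113.7 erin@example.com FAIL
2024-01-18T10:00:12 203.0.113.7 frank@example.com OK
2024-01-18T10:00:02 198.51.100.4 grace@example.com FAIL
2024-01-18T10:00:20 198.51.100.4 grace@example.com FAIL
2024-01-18T10:00:41 198.51.100.4 grace@example.com OK
2024-01-18T10:00:04 192.0.2.9 heidi@example.com FAIL
2024-01-18T10:00:06 192.0.2.9 heidi@example.com FAIL
2024-01-18T10:00:08 192.0.2.9 heidi@example.com FAIL
2024-01-18T10:00:10 192.0.2.9 heidi@example.com FAIL
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5, max_success=0.2):
    """Flag sources that, within a sliding window, try at least `min_users`
    distinct accounts with a success ratio at or below `max_success`.
    Thresholds are illustrative assumptions; tune them to real traffic.
    Returns {ip: (peak distinct accounts, success ratio at that peak)}."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        ratio = sum(o for _, _, o in q) / len(q)
        # Many accounts + few successes separates stuffing from a user
        # mistyping a password or a guessing attack on a single account.
        if len(users) >= min_users and ratio <= max_success:
            if len(users) > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (len(users), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

Only 203.0.113.7 is flagged: the other two sources each touch a single account, so they fall under ordinary lockout or per-account rate-limit handling instead.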
The dataset released today comprises 319 files totaling 104 gigabytes, with 70,840,771 unique email addresses. The details were listed by Have I Been Pwned to allow individuals to check if their email addresses have been compromised.
The data was collected in an organized manner, with text files and images containing stolen data compiled into archives and uploaded to remote servers. The credentials in the Naz.API datasets are believed to have been used in various malicious activities, including breaching more accounts, being sold on the dark web, or being released for free on hacker forums.
The listing of the data on HIBP once again highlights the issue of password reuse across multiple sites.
“Many people reuse their passwords across both personal and business accounts, so demonstrating this on a well-respected site like Troy Hunt’s Have I been Pwned can really help regular users, as well as cybersecurity professionals, understand the risks,” Darren James, senior product manager at Specops Software AB, an Outpost24 company, told SiliconANGLE. “Although the 71 million emails and the 1 billion credentials in the NAZ.API sound like big numbers, they really are just a small fraction of what’s available on the dark web and beyond.”
John Stringer, head of product at data loss prevention provider Next DLP Ltd., noted that a single credential can give threat actors access to multiple accounts when used for various logins. “Such compromised credentials could give cybercriminals unauthorized access to sensitive business data and systems, with attackers exploiting employee credentials to bypass security measures, making detection and prevention increasingly challenging,” he said.