Have I Been Pwned (HIBP), the renowned data breach notification service, has integrated almost 71 million email addresses linked to compromised accounts from the Naz.API dataset. This dataset is a colossal trove of 1 billion credentials amassed from credential stuffing lists and data pilfered by information-stealing malware.
Credential stuffing lists are notorious for harboring login credentials swiped from previous breaches, utilized in unauthorized access to accounts on various platforms. Meanwhile, information-stealing malware is designed to extract a broad spectrum of data from infected computers, targeting credentials in browsers, VPN clients, FTP clients, alongside SSH keys, credit card details, cookies, browsing history, and cryptocurrency wallets.
The stolen data, consisting of text files and images, is stashed in 'logs' and later uploaded to remote servers for attackers' retrieval. Regardless of the theft method, the credentials are either used for further account breaches, sold in cybercrime marketplaces, or released on hacker forums to bolster the perpetrator's reputation.
The Notoriety of Naz.API
The Naz.API dataset, unrelated to network attached storage (NAS) devices despite its name, has been circulating in data breach circles but gained infamy after powering an open-source intelligence (OSINT) platform, illicit.services. This platform allowed searches of stolen data, including personal information like names, phone numbers, and email addresses. Illicit.services temporarily shut down in July 2023 due to concerns over its misuse for doxxing and SIM-swapping attacks but resumed operations in September.
Inclusion in HIBP
Troy Hunt, the founder of HIBP, announced the addition of the Naz.API dataset to his service, following its receipt from a notable tech company. Hunt elaborates in his blog post, "Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum."
The Naz.API dataset is massive, with 319 files totaling 104GB and encompassing 70,840,771 unique email addresses. Hunt notes that much of the data is old: it contains his own and other HIBP subscribers' past passwords, some dating back to 2011.
Implications and Recommendations
Individuals can check their exposure in the Naz.API dataset via HIBP. However, HIBP does not specify the exact websites from which credentials were stolen. Given the dataset's link to information-stealing malware, it is advised to change passwords for all stored accounts, including corporate VPNs, email, bank accounts, and personal accounts. Cryptocurrency wallet owners should also transfer assets to new wallets as a precaution.
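For readers who want to act on the advice above, the mechanism HIBP uses for password checks is worth seeing end to end: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest to the Pwned Passwords range endpoint, and compares the returned suffixes on its own machine, so neither the password nor its full hash leaves the device. The block below is an added example written for this article, not code from HIBP, Troy Hunt or the article's author. It simulates both sides of that exchange against a small, constructed breached-password corpus so it runs offline; the `hibp_range_lookup` function shows the equivalent live call against the real endpoint, and the corpus entries and counts are made up.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample corpus standing in for a breached-password feed. These are
# made-up entries and counts, not data taken from Naz.API, HIBP or the article.
SAMPLE_BREACHED: Dict[str, int] = {
    "password": 3861493,
    "letmein2011": 12,
    "hunter2": 77,
}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket breached hashes by their 5-hex-char prefix."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def local_range_lookup(index: Dict[str, Dict[str, int]], prefix: str) -> List[str]:
    """Simulated range endpoint: returns 'SUFFIX:COUNT' lines for one prefix,
    the same line format the real API returns."""
    bucket = index.get(prefix.upper(), {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def hibp_range_lookup(prefix: str) -> List[str]:
    """Live lookup against the real Pwned Passwords range API (network required).
    Only the 5-character prefix is sent; the full hash never leaves the machine."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix.upper()}",
        headers={"User-Agent": "example-password-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8").splitlines()


def breach_count(password: str, range_lookup: Callable[[str], List[str]]) -> int:
    """Client side: hash locally, query only the prefix, match suffixes locally.
    Returns how often the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_range_index(SAMPLE_BREACHED)
    offline_lookup = lambda p: local_range_lookup(index, p)
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_lookup)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

Swapping `offline_lookup` for `hibp_range_lookup` turns the same client logic into a real check; a non-zero count is the signal to retire that password everywhere it was reused, which is the point the article makes about stolen credentials feeding later account takeovers.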
The illicit.services website offers more detailed exposure information, though it currently faces overwhelming traffic.
This integration into HIBP underlines the escalating challenges in digital security and the importance of proactive measures to safeguard personal and corporate data against evolving cyber threats.
Cybersecurity experts from Specops Software and KnowBe4 have provided insights on the incident.
Darren James, a Senior Product Manager at Specops Software, an Outpost24 company:
"Many people reuse their passwords across both personal and business accounts, so demonstrating this on a well-respected site like Troy Hunt’s Have I been Pwned can really help regular users as well as cyber security professionals understand the risks. Although the 71 million emails and the 1 billion credentials in the NAZ.API sound like big numbers they really are just a small fraction of what’s available on the dark web and beyond."
"As Troy has mentioned, many of these credentials were stolen a long time ago. However, most people rarely change their passwords on public sites and many businesses are adopting “never expire” password policies. Organizations that are concerned that their users' accounts are at risk should look for solutions that utilize up-to-date feeds from all sources, including honeypots and threat intelligence platforms that gather data from malware-infected systems, and then continuously scan their users’ passwords against these breached password databases, not just when the user sets them."
Javvad Malik, Lead Security Awareness Advocate at KnowBe4:
"This is another huge list of compromised credentials added to HIBP, with a large percentage of these being new email addresses. Passwords remain the low hanging fruit for many criminals, hence why password stealing malware is so popular. It gives a good return on investment for those looking to compromise accounts. Which is why it's important that we don't just rely on people choosing strong passwords, because if that is compromised, then there's little protection remaining. Rather, encouraging people to use password managers and implementing MFA across websites is the preferred way to secure accounts. In addition, websites should consider controls that can detect and block password stuffing or brute force attacks to further make it difficult for criminals."