This Massive New Breach Of Passwords Stored Online Could Include Yours Too

A massive collection of compromised passwords, known as “Naz.API,” has been released by malicious actors, posing a significant threat to online security. Troy Hunt, the creator of the breach notification site “Have I Been Pwned,” revealed that this trove is one of the largest he has encountered, containing over 71 million email addresses and 100 million passwords. More than 400,000 Have I Been Pwned subscribers have already been affected.

While a portion of the data is not entirely new, with over 65 percent of the email addresses already existing in previous HIBP datasets, Hunt emphasizes that the remaining third represents a substantial volume of freshly harvested information.

New breach: The Naz.API stealer logs and cred stuffing lists were posted to a hacking forum in Sep. Data included 71M email addresses and 100M plain text passwords, often alongside the service they were used for. 67% were already in @haveibeenpwned. More: https://t.co/Uef4G7gOei

— Have I Been Pwned (@haveibeenpwned) January 17, 2024

The breach seems to derive from “stealer logs,” which are data logs captured by malware installed on users’ devices, particularly from illicit.services, a now-defunct site that facilitated easy searching for personal information.

Hunt’s analysis of the compromised data revealed that some passwords dated back to before 2011, highlighting the persistence of old, potentially insecure credentials. This underscores the importance of avoiding the practice of password reuse across different years and websites.

The researcher warns that as long as password reuse remains prevalent, the consequences of such breaches will persist. He points to recent incidents like the 23andme breach as evidence of the ongoing risks associated with password reuse.

When we weren't looking, @haveibeenpwned's Pwned Passwords rocketed past 7 *billion* requests in a month ? pic.twitter.com/hVDxWp3oQG

— Troy Hunt (@troyhunt) January 16, 2024

To mitigate the impact of this massive breach, Hunt strongly advises users to proactively address their online security by replacing recycled passwords with a password manager. By doing so, individuals can enhance their protection against unauthorized access and reduce the potential fallout from data breaches.

The urgency of the situation is underscored by the sheer scale of compromised information and the potential for malicious actors to exploit reused passwords across various platforms. Taking immediate action to adopt more secure password practices becomes crucial in safeguarding personal accounts and data from the far-reaching consequences of such security lapses.