Over 70 million Compromised Credentials Added to ‘Have I Been Pwned’ Database

Have I Been Pwned (HIBP) recently added 71 million entries to its extensive database, consisting of email addresses linked to stolen accounts, part of the Naz.API dataset.

Naz.API is a gargantuan collection allegedly comprising 1 billion credentials assembled from credential stuffing lists and data harvested with infostealer malware.

Credential Stuffing and Infostealer Logs

Credential stuffing attacks use lists of passwords leaked in previous data breaches to break into other accounts on different websites. Newly confirmed matching credentials get added to the list, contributing to its expansion and increasing the odds of the attack.

Infostealer-harvested data encompasses a broad range of information stolen from compromised devices, including credentials from various services, cookies, credit card information, SSH keys, and crypto-wallets.

71 Million Email Addresses Involved

Yesterday, Have I Been Pwned creator Troy Hunt announced the addition of the Naz.API dataset to the data breach notification service. Hunt pointed out that the 109 GB dataset consists of 319 files with 70,840,771 unique email addresses.

“This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data,” Hunt’s blog post reads. “When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”

Likely Old Data Included in Dataset

As Hunt clarifies, the Naz.API dataset contains email addresses from both stealer logs and credential stuffing lists.

Therefore, finding out that an email address has been associated with the Naz.API dataset on HIBP doesn’t necessarily mean you were infected with info stealer malware; you might’ve been the target of a credential-stuffing attack or a different type of security incident that led to the leak.

Some information in the dataset is likely old, as Hunt points out that he even found one of his old passwords used in 2011.

Protecting Against Data Leaks

Such a massive dataset is guaranteed to spark concerns. Data leaks can have devastating consequences, especially if the information falls into the wrong hands. However, good cybersecurity hygiene and specialized tools can help avoid such scenarios.

• Bitdefender Digital Identity Protection – helps you keep an eye on your digital footprint, including traces from no-longer-used services, notifies you of breaches involving your data, and lets you patch weak spots instantly
• Bitdefender Password Manager – helps you generate, manage, and store unique passwords for all of your online accounts, to avoid credential-stuffing attacks
• Bitdefender Ultimate Security – 24/7, comprehensive detection and protection against infostealer malware, viruses, Trojans, worms, spyware, ransomware, rootkits, zero-day exploits, and other digital threats