71 Million Emails Added to Have I Been Pwned From Naz.API Stolen Account List

Almost 71 million email addresses linked to compromised accounts in the Naz.API dataset have been added to the Have I Been Pwned data breach notification service.


The Naz.API dataset, consisting of 1 billion credentials, is an extensive compilation derived from credential stuffing lists and data pilfered by information-stealing malware. Credential stuffing lists comprise login name and password pairs obtained from prior data breaches, serving as tools to compromise accounts on different platforms.


According to a blog post by Troy Hunt, the creator of Have I Been Pwned, the dataset included 319 files totalling 104 GB and 70,840,771 unique email addresses.


Josh Hickling, Principal Consultant at Pentest People, explains why this addition is significant:


“Records that have been added to a database such as this can be concerning, especially if the credentials provide access to a sensitive service. From an impact perspective to the public, it would depend on where the disclosed credentials would provide access to. Attackers would undertake credential stuffing attacks across a variety of online services, i.e. Facebook, Google Mail, Online Banking etc, supplying the disclosed credentials to access whatever may be behind the affected service.”


He continues: “More worryingly, if the credentials are reused across multiple services, it may provide access to several accounts across the internet.”


Paul Bischoff, Consumer Privacy Advocate at