Almost 71 million email addresses linked to compromised accounts from the Naz.API dataset have been incorporated into the data breach notification service of Have I Been Pwned.
The Naz.API dataset, consisting of 1 billion credentials, is an extensive compilation derived from credential stuffing lists and data pilfered by information-stealing malware. Credential stuffing lists are username and password pairs taken from earlier data breaches; attackers replay them against other services, betting that a victim reused the same password in more than one place.
According to a blog post written by Troy Hunt, the creator of Have I Been Pwned, the dataset included 319 files totalling 104GB and 70,840,771 unique email addresses.
Josh Hickling, Principal Consultant at Pentest People, explains why this addition is significant:
“Records that have been added to a database such as this can be concerning, especially if the credentials provide access to a sensitive service. From an impact perspective to the public, it would depend on where the disclosed credentials would provide access to. Attackers would undertake credential stuffing attacks across a variety of online services, i.e. Facebook, Google Mail, Online Banking etc, supplying the disclosed credentials to access whatever may be behind the affected service.”
He continues: “More worryingly, if the credentials are reused across multiple services, it may provide access to several accounts across the internet.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech, says:
“Naz.api is a good example of how cybercriminals can combine data from multiple data breaches and public sources to create detailed profiles of potential victims. Such datasets will only get bigger and more sophisticated as time goes on, allowing cybercriminals to more effectively find and target victims. In this case, cybercriminals check Naz.api to see if you have any exposed passwords in the database, then use those passwords in credential stuffing attacks on other services.”
Javvad Malik, lead security awareness advocate at KnowBe4, explains why password attacks are common:
“Passwords remain the low hanging fruit for many criminals, hence why password stealing malware is so popular. It gives a good return on investment for those looking to compromise accounts, which is why it’s important that we don’t just rely on people choosing strong passwords, because if that is compromised, then there’s little protection remaining. Rather, encouraging people to use password managers and implementing MFA across websites is the preferred way to secure accounts. In addition, websites should consider controls that can detect and block password stuffing or brute force attacks to further make it difficult for criminals.”
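The detection control mentioned above can be illustrated with a small analysis over authentication logs. The following is an added example, not code from the original article or from any of the people quoted in it: it parses constructed sample log lines (the format, IP addresses and account names are invented for the example) and separates credential stuffing, where one source tries many different accounts, from brute force, where one source hammers a single account. It also lists accounts that logged in successfully from a source flagged as stuffing, since those are the logins a defender would want to force a password reset on.

```python
"""Separate credential stuffing from brute force in constructed auth log lines.

Added example; the log format and all values below are invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# 203.0.113.7: one source, many distinct accounts, one success -> credential stuffing.
# 198.51.100.9: one source, one account, repeated failures -> brute force.
# 192.0.2.44:  a user mistyping once, then succeeding -> benign.
SAMPLE_LOG = """\
2024-01-18T10:00:01Z login ip=203.0.113.7 user=alice@example.com result=fail
2024-01-18T10:00:02Z login ip=203.0.113.7 user=bob@example.com result=fail
2024-01-18T10:00:02Z login ip=203.0.113.7 user=carol@example.com result=fail
2024-01-18T10:00:03Z login ip=203.0.113.7 user=dave@example.com result=success
2024-01-18T10:00:04Z login ip=203.0.113.7 user=erin@example.com result=fail
2024-01-18T10:00:05Z login ip=203.0.113.7 user=frank@example.com result=fail
2024-01-18T10:00:10Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:00:11Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:00:12Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:00:13Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:00:14Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:00:15Z login ip=198.51.100.9 user=alice@example.com result=fail
2024-01-18T10:05:00Z login ip=192.0.2.44 user=grace@example.com result=fail
2024-01-18T10:05:20Z login ip=192.0.2.44 user=grace@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_lines(text):
    """Return a list of (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, min_distinct_users=5):
    """Classify each source IP as credential_stuffing, brute_force or benign.

    A source is examined over every sliding window of `window` length. If a window
    holds at least `min_attempts` attempts against `min_distinct_users` or more
    distinct accounts, that is the stuffing pattern (one source, many accounts).
    The same volume against a single account is the brute-force pattern.
    Thresholds are illustrative; tune them to the real login rate of the service.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        verdict = "benign"
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            if len(in_window) < min_attempts:
                continue
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users:
                verdict = "credential_stuffing"
                break
            if len(users) == 1:
                verdict = "brute_force"
                break
        verdicts[ip] = verdict
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: treat as compromised."""
    return sorted(
        {user for _, ip, user, ok in events if ok and verdicts.get(ip) == "credential_stuffing"}
    )


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, verdict in verdicts.items():
        print(f"{ip}: {verdict}")
    print("force password reset for:", accounts_to_reset(evs, verdicts))
```

The stuffing verdict keys on account diversity rather than failure count alone: a stuffing run typically has a low but non-zero success rate, so blocking the source after the fact is not enough, and the successful logins it produced need to be invalidated.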
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, advises:
“My first recommendation for any internet user is to visit the Have I Been Pwned website to sign up for notifications when their email address has been included in a data breach. I strongly suggest doing this for each email address they either currently use or that they had used in the past. This helps alert users when they’ve been ‘pwned’.”
Jamie Akhtar, CEO and Co-Founder of CyberSmart, echoes this point and highlights why it’s crucial to check if you’ve been affected:
“Although much of the information exposed by the Naz.API dataset is likely to be out-of-date, it’s worth checking whether you appear in the list. Cybercriminals are guaranteed to use this data to launch further attacks, so it’s better to be safe than sorry.
To do this, perform a search at Have I Been Pwned. If your email is associated, the site should warn you that your device has been infected with malware at some point. We also recommend using multi-factor authentication (MFA) on every account you use (if you haven’t done so already). MFA gives you an extra layer of security, meaning that even if you have been compromised, it’ll make it much harder for cybercriminals to gain access to your accounts.”
Giving his advice for businesses, Nick Rago, Field CTO at Salt Security, says:
“For organisations, require MFA for your users. Don’t make it optional, especially if your applications handle sensitive data. And make sure you have the appropriate defences in place to identify and protect against malicious adversarial behaviours. Your consumers’ digital safety is also part of your responsibility.”
Erfan Shadabi, Cybersecurity Expert at comforte AG, echoes this point:
“Organisations must recognise that the responsibility to secure user data extends beyond mere compliance with regulations; it is an obligation to protect the trust that users place in them. Adopting a data-centric security strategy that prioritises protecting user data at its core is a crucial first step.”