Have I Been Pwned Incorporates Huge “Naz.API” Data Set of 70 Million Leaked Credentials

by | Jan 23, 2024

Have I Been Pwned is worth a stop to check on email addresses after its addition of over 70 million credentials from the now-public “Naz.API” dataset. The leaked credentials were dumped on the dark web back in late September, but were circulating for some amount of time before that.

The dataset contains some 24 million email addresses that security researchers say were not previously logged by Have I Been Pwned, and many of the entries are accompanied by plaintext passwords. The collection of leaked credentials seems to be a massive conglomeration of the results of “stealer logs” generated from compromised computers, combined with a lot of older information from prior data breaches.

New “combo file” is an advertisement for MFA and password managers

Naz.API is the latest massive “combo file” to surface, a trend that started with the appearance of the infamous “Collections #1 – #5” in 2019. Diligent scammers pull together leaked credentials from all sorts of different data breaches, but these files also often add substantial amounts of new information that come from sources security researchers have not previously identified.

That appears to be the case with Naz.API, which contained tens of millions of novel email address and password combinations that are now verifiable on Have I Been Pwned.

Though it contained over 300 million email addresses in total, Naz.API is also laden with leaked credentials for nearly every online service one can imagine (from crypto exchanges to games). Some of this is outside the purview of Have I Been Pwned, which primarily focuses on allowing email addresses to be checked against data breaches. Compromised passwords can also be searched, though the user will have no indication of what account they were connected to or where they were taken from.

The prevalence of plaintext passwords in Naz.API points to the new information in it largely coming from stealer logs. These logs are generated by malware planted on individual systems, which capture keystrokes or stored passwords and upload them to an attacker’s server for later perusal.

The inclusion of so many plaintext passwords also provides some insight into how messaging about security hygiene is going. If the leaked credentials are any indication, there is still much work to do. The new information is apparently laden with passwords previously compromised in older breaches, and the same password used across multiple accounts.

104 GB, about one billion entries in new set of leaked credentials

All told the Naz.API collection has around a billion records, though much of it is old material taken from previous data breaches. But the incident demonstrates that combo files are essentially permanent once they become public, and will only grow over time.

The incident is also a reminder that leaked credentials are an inevitability, and the best immediate answer to improving defenses against them is multi-factor authentication policies and the adoption of reliable password managers. More advanced layers of defense include mobile app attestation, which verifies that a connecting user is not running an operating system emulator or showing some other common signs of fraud, and tightening authorization for API access. These methods directly address the techniques used by botnets that underpin credential stuffing and brute force attacks.

Recent Posts

How can we help?

13 + 12 =

× How can I help you?