Leading data breach cross-checking service Have I Been Pwned has added about 71 million email addresses from “Naz.API,” a new dataset circulating on the dark web that contains a massive collection of leaked credentials and plaintext passwords.
The collection is noteworthy as security researchers have found that about a third of the included leaked credentials have not been seen before. The post that made the dataset public indicates that it was largely compiled from smaller “stealer logs” that were created by compromise of individual machines and networks, which are capable of logging keystrokes and retrieving passwords stored in browsers.
Massive new set of leaked credentials contains tens of millions of new email addresses and passwords
Naz.API appears to have been circulating in private hands for some time, but was made public on a widely used dark web forum on September 20 of last year. The dataset totals 104 GB in size and contains over a billion total leaked credentials with about 70.8 unique email addresses, many with plaintext passwords attached to them.
Research by security analyst Troy Hunt found that about 35% of these email addresses, or around 24 million, were not previously in Have I Been Pwned’s database and are thought to have not been publicly seen before.
The original source of the compilation appears to be a now-defunct site called “illicit.services,” which positioned itself as an “open source intelligence” (OSINT) tool for breach checking similar in function to Have I Been Pwned. However, the site ranged much farther in its capabilities by attaching things like physical addresses, driver’s license numbers and VINs when available to queries about a person’s name or username. The seemingly free service raised some controversy by charging at least $1 to remove a record, and ended up shutting down in July of last year due to claims of abuse by threat actors looking to dox individuals or gather verification information for SIM swap attacks.
A Telegram message from the site owner, who remained anonymous and posted under a pen name, indicated that the data set the site used would be kept in “cold storage” but potentially available for sale to “legitimate businesses” and members of the US-aligned intelligence community. The post did indicate that some portions of the data set, such as Naz.API, would not be shared with anyone under any circumstances. However, security researchers now believe that it got out somehow.
Troy Hunt’s research has also found that the list of leaked credentials is populated by a mix of stealer log records and the results of successful credential stuffing attacks that yielded access to assorted accounts. Much of it is also quite old, with username and password combinations dating back over a decade found within its depths. This means that users querying their own email address on Have I Been Pwned may not be sure if a match to Naz.API means that they have been infected with malware sometime in the recent past, or if their credentials are part of one of the many data breaches of the past decade-plus that were incorporated into the dataset.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, points out that this is yet another prompt to implement password managers and MFA: “This is another huge list of compromised credentials added to HIBP, with a large percentage of these being new email addresses. Passwords remain the low hanging fruit for many criminals, hence why password stealing malware is so popular. It gives a good return on investment for those looking to compromise accounts. Which is why it’s important that we don’t just rely on people choosing strong passwords, because if that is compromised, then there’s little protection remaining.
Rather, encouraging people to use password managers and implementing MFA across websites is the preferred way to secure accounts. In addition, websites should consider controls that can detect and block password stuffing or brute force attacks to further make it difficult for criminals.”
Ted Miracco, CEO of Approov, offers some suggestions for network defense: “Credential stuffing attacks, where stolen credentials are used to gain unauthorized access to multiple accounts, remain a prevalent threat. Additionally, automated bots leverage stolen credentials to manipulate login processes. To address these vulnerabilities, two advanced security measures stand out as effective solutions: mobile app attestation and token-based API security.
Token-based API security provides robust protection for API access by only granting authorized users a unique token and prevents unauthorized access attempts, even if attackers possess stolen credentials. This method has proven to be a formidable defense against automated bots and malicious actors attempting to exploit API vulnerabilities. Mobile app attestation ensures the integrity of mobile applications, making it significantly harder for attackers to utilize bots or brute force ATO attacks. This approach verifies that the mobile app is running in a secure and untampered environment, adding an extra layer of security to user authentication.”
Mega-collections continue to alarm security researchers
Naz.API represents a very significant amount of new leaked credentials, but the sheer size is equally concerning. Even if much of the material is old, these “mega-collections” continue to pull together ever more complete profiles on victims and provide ongoing value to scammers even if the listed passwords have been changed. Hunt notes that the largest single file in the collection is a list of 312 million rows of email addresses with plaintext passwords that has likely been coming together for some years.
While the present collection’s largest novel element is the collection of tens of millions of new email addresses, there are credentials included for nearly every major site one can think of. This includes accounts with crypto exchanges like Coinbase, social media platforms like Facebook, and online games like Roblox. When plaintext passwords are attached either to these accounts or to email addresses in a collection, it’s a reliable sign that they were originally taken by a malware infection and ripped from a stealer log; the vast majority of data breaches either do not involve passwords, or involve encrypted passwords that attackers do not waste their time attempting to crack (at least if it is not a target of particular interest or someone known to possess a crypto wallet).
Mega-collections of leaked credentials took off in 2019 when a dataset referred to as “Collection #1” surfaced near the beginning of the year, containing a total of 773 million records pulled together from prior data breaches. More of these so-called “combo file” collections began appearing in short order, sometimes containing millions of email addresses that had not been seen by security researchers before.
Aside from raising concerns about the growing convenience of access to stolen records, security analysts note that the data raises questions about the ongoing effectiveness of communicating good password hygiene to the average internet user. Hunt notes that there are a distressing amount of identical passwords in the collection of leaked credentials, as well as completely different accounts using the same (presumably simple and easily guessed) password.
Darren James, a Senior Product Manager at Specops Software, notes that much more work is needed in this area: “Many people reuse their passwords across both personal and business accounts, so demonstrating this on a well-respected site like Troy Hunt’s Have I been Pwned can really help regular users as well as cyber security professionals understand the risks. Although the 71 million emails and the 1 billion credentials in the NAZ.API sound like big numbers they really are just a small fraction of what’s available on the dark web and beyond. As Troy has mentioned many of these credentials were stolen a long time ago. However, most people rarely change their passwords on public sites and many businesses are adopting “never expire” password policies. Organizations that are concerned that their users accounts are at risk should look for solutions that utilize up to date feeds from all sources, including Honeypots, and Threat Intelligence platforms that gather data from malware infected systems and then continuously scan their users’ passwords against these breached password databases, not just when the user sets them.”