Advertisement

Massive Release of Breached Passwords Likely Includes Yours

Don't Pass Go

A gigantic trove of passwords has been released by bad actors, and there's a very good chance that yours is on there.

According to Troy Hunt, the man behind the excellent breach notification site "Have I Been Pwned" — which allows users to look up your email and see if and where your passwords and other user information have been compromised — it's one of the largest collections of breached data he's ever seen appear online.

To a data defender like Hunt, "large" is not an understatement. The cache of files, dubbed "Naz.API," contains more than 71 million email addresses and 100 million passwords. Thus far, more than 400,000 Have I Been Pwned (HIBP) subscribers have been impacted.

https://twitter.com/haveibeenpwned/status/1747621747073970679

It's not all fresh. The researcher said in his blog post that more than 65 percent of the email addresses in the breach had already been seen before in other HIBP datasets. This suggests, Hunt explained, that although a majority of the stolen data has already been floating around, over a third of it appears to be newly harvested.

"When a third of the email addresses have never been seen before, that's statistically significant," he wrote. "This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data."

Logged On

As Hunt explains, much of the data is from what's known as "stealer logs," or malware installed on someone's device that captures their login info. In the case of Naz.API, these lists were believed to have been gleaned from illicit.services, a now-defunct site that easily allowed bad actors to search for data based on someone's name or email address.

When trawling through the compromised data for his own, Hunt discovered a password he'd used before the year 2011, which seems to indicate that some of the info is very old indeed.

https://twitter.com/troyhunt/status/1747250819605381276

Perhaps the biggest takeaway, especially considering the more than decade-old password of his own that Hunt found in the dataset, is that reusing passwords across years and sites is a very insecure data practice. Citing the recent 23andme breach, the researcher pointed out that as long as "password reuse remain[s] rampant," so too will fallout from these kinds of hacks.

His advice?

"Definitely get out in front of this one as early as you can" by replacing your recycled credentials with a password manager.

More on massive hacks: Oops! 23andMe Admits Hackers Stole 7 Million Customers' Genetic Data