Naz.API Account List Compromised with 71 Million Email Addresses


Nearly 71 million email addresses associated with compromised accounts from the Naz.API dataset have been added to the data breach notification service Have I Been Pwned.

The Naz.API dataset, comprising 1 billion credentials, is a compilation assembled from credential stuffing lists and from data stolen by information-stealing malware. Because it aggregates login credentials exposed in earlier breaches, it serves as a ready-made tool for credential stuffing: replaying the leaked email and password pairs against accounts on other platforms.

According to a blog post by Troy Hunt, the creator of Have I Been Pwned?, the dataset comprises 319 files totaling 104GB and 70,840,771 unique email addresses.

Josh Hickling, Chief Advisor at Pentest People, explained the significance of this inclusion:

“Records added to databases of this nature can raise concern, especially when the credentials provide access to sensitive services. From a public impact perspective, this will depend on the locations the disclosed credentials provide access to. Attackers will conduct credential stuffing attacks on various online services (such as Facebook, Google Mail, online banking, etc.), using the disclosed credentials to potentially access any content behind affected services.”

He continued, “Of more concern is if the credentials are reused across multiple services, as it could provide access to multiple accounts across the internet.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech, stated:

“Naz.api is a prime example of how cybercriminals combine data from multiple data breaches and public sources to create detailed profiles of potential victims. Over time, such datasets will only grow larger and more complex, enabling cybercriminals to more effectively search for and target victims. In this case, cybercriminals will check Naz.api to see if any exposed passwords are in the database and then use these passwords for credential stuffing attacks on other services.”

Javvad Malik, Chief Security Awareness Advocate at KnowBe4, explained why password attacks are prevalent:

“For many criminals, passwords remain low-hanging fruit, hence the popularity of password-stealing malware. It offers a good return on investment for those looking to compromise accounts. That’s why we can’t rely solely on people choosing strong passwords, which is important because if a password is leaked, there’s little protection left. Instead, encouraging the use of password managers and implementing MFA across websites is the preferred method to protect account security. Additionally, websites should consider implementing controls that can detect and prevent password stuffing or brute-force attacks to further impede criminals.”
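The detection controls Malik refers to hinge on one signature: credential stuffing spreads failures thinly across many accounts (each leaked pair is tried once or twice), while brute force hammers a single account. As an added example, not code from the article or from any of the vendors quoted in it, the Python below classifies source IPs from authentication logs on that basis and lists which accounts a flagged source nevertheless logged into, since those are the ones to reset. The log line format, the thresholds, and the IP and user values are constructed for illustration.

```python
"""Classify credential stuffing vs. brute force in authentication logs.

Added example; the log format and thresholds are assumptions, not a
standard. Adjust the regex to your own auth log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example):
#   2024-01-18T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one IP spraying many accounts (with one success),
# one IP hammering a single account, one benign user who mistyped once.
SAMPLE_LOG = """\
2024-01-18T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-01-18T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-01-18T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2024-01-18T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-01-18T10:00:05Z ip=203.0.113.5 user=erin@example.com result=OK
2024-01-18T10:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2024-01-18T10:00:07Z ip=203.0.113.5 user=grace@example.com result=FAIL
2024-01-18T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:01:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:01:20Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:01:30Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:01:40Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:01:50Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-01-18T10:30:00Z ip=192.0.2.9 user=heidi@example.com result=FAIL
2024-01-18T10:30:30Z ip=192.0.2.9 user=heidi@example.com result=OK
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def classify_sources(lines, window=timedelta(minutes=10),
                     min_failures=5, min_distinct_users=5):
    """Return {ip: {"label": ..., "successful_logins": [...]}} for noisy IPs.

    'credential_stuffing': >= min_failures failures inside `window` spread
    over >= min_distinct_users accounts. 'brute_force': the same failure
    volume aimed at a single account. Sources below threshold are omitted.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Sliding window anchored at each failure in turn.
        for i, start in enumerate(fails):
            win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            if len(win) < min_failures:
                continue
            users = {e["user"] for e in win}
            if len(users) >= min_distinct_users:
                label = "credential_stuffing"
            elif len(users) == 1:
                label = "brute_force"
            else:
                continue
            # Any account the flagged source did get into is a live compromise.
            hits = sorted({e["user"] for e in evs if e["result"] == "OK"})
            verdicts[ip] = {"label": label, "successful_logins": hits}
            break
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_sources(SAMPLE_LOG).items():
        print(ip, v["label"], "compromised:", v["successful_logins"])
```

In practice the interesting output is the `successful_logins` list for a stuffing source: a single OK among a spray of failures is exactly what a leaked-but-still-valid Naz.API pair looks like from the server side, and that account needs a forced reset and session revocation, not just a rate limit on the IP.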

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, advised:

“My first recommendation for any internet user is to visit the Have I Been Pwned website and register to receive notifications when their email address is included in data breaches. I strongly advise doing this for every email address they currently use or have used in the past. This helps alert them when they’ve been ‘pwned’.”

Jamie Akhtar, CEO and Co-founder of CyberSmart, echoed this sentiment and emphasized the importance of checking for impacts:

“Although much of the information publicly available from the Naz.API dataset may be outdated, it’s worth checking if you appear on the list. Cybercriminals will certainly leverage this data for further attacks, so prevention is better than regret.

To do so, perform a search on Have I Been Pwned. If your email is associated, the website should warn you that your device has been infected with malware at some point. We also recommend using multi-factor authentication (MFA) for every account you use (if you haven’t already). MFA provides an additional security layer, meaning even if you’re compromised, it’s more difficult for cybercriminals to access your account.”
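The email search Akhtar and Hauk describe has a sibling on Have I Been Pwned, the Pwned Passwords range API, that lets a site or a user check a password against the leaked set without ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and matches the returned suffixes locally (k-anonymity). The example below is added here and is not code from the article or from Have I Been Pwned; the endpoint and response format (`SUFFIX:COUNT` lines) are the real ones, but the response used in the demonstration is a constructed stand-in so the check runs offline. Swap in `fetch_range_live` to query the service for real.

```python
"""k-anonymity check against HIBP Pwned Passwords (added example).

Only the 5-character SHA-1 prefix leaves the machine; the full hash and the
password never do. The stub below stands in for the HTTP response so this
runs offline; fetch_range_live performs the real query.
"""
import hashlib
import urllib.request

# Real endpoint: GET /range/<first 5 hex chars of uppercase SHA-1>
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Fetch the real suffix list for a 5-hex-character prefix (network)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def hash_split(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range=fetch_range_live):
    """Number of times `password` appears in the leaked set (0 if absent).

    `fetch_range` is called with the 5-char prefix and must return the body
    as text: one 'SUFFIX:COUNT' line per hash sharing that prefix.
    """
    prefix, suffix = hash_split(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        cand, _, count = line.partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the HTTP response. The SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix sits under the
# prefix 5BAA6 next to two made-up neighbours; the count is illustrative.
_STUB_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD7:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\r\n"
    ),
}


def fetch_range_stub(prefix):
    """Offline replacement for fetch_range_live; unknown prefixes are empty."""
    return _STUB_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-passphrase-nobody-else-uses"):
        n = pwned_count(pw, fetch_range=fetch_range_stub)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in stub")
```

A site that runs this check at registration or password change (with `fetch_range_live`) can refuse passwords that appear in compilations like Naz.API before they are set, which removes the credential-stuffing payoff for that account without the server ever seeing the plaintext or full hash of any password it rejects.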

Nick Rago, Chief Technology Officer at Salt Security, advised for enterprises:

“For organizations, it’s crucial to provide MFA for your users. Don’t make it optional, especially when your applications handle sensitive data. And ensure you have appropriate defenses in place to identify and prevent malicious counter actions. Consumer digital security is also part of your responsibility.”

Erfan Shadabi, Cybersecurity Expert at Comforte AG, concurred:

“Organizations must realize that protecting user data is not just about compliance with regulations; safeguarding user trust is an obligation. Adopting a data-centric security strategy prioritizing the protection of user data is a crucial first step.”