70 million account credentials were leaked in a massive password dump

[harlan4096]

A security researcher has unearthed what appears to be one of the biggest password dumps ever. Over 70 million unique credentials have been leaked on the dark web.

The news came to light when Troy Hunt, the owner of the popular breach notification service, Have I Been Pwned, wrote about the massive data leak on his blog. The usernames and passwords were leaked in a credential stuffing list, which is being called the Naz.API list.

Hunt says that a well-known tech company had pointed out the list to him, when someone had sent the company a bug bounty submission based on the list. After analyzing the list, which has been around for about 4 months on a hacking forum, the researcher found out the following.

The breach consisted of 319 files that totaled to 104 GB, and contained 70,840,771 unique email addresses (about 71 million). 427,308 individual Have I Been Pwned (HIBP) subscribers were affected by the leak. Hunt used a 1K random sample test, and came to the conclusion that 65% of the addresses were already in HIBP. Many of these accounts are used for popular web services such as Facebook, eBay, Roblox, Yahoo, Coinbase, Yammer, etc. The number 65% is critical here, as it means that the other 35% or one-third of the credentials in the leaked list have never been seen before.

Hunt's article, which was spotted by Ars Technica, goes into extensive detail about the credential leak. The credential list on the hacking site listed several usernames along with their passwords, and the website they belonged to, suggesting that the credentials were obtained using password stealers and similar malware.
...

Continue Reading