List Containing Millions of Credentials Distributed on Hacking Forum, but Passwords Old

January 18, 2024 at 08:18AM

Australian researcher Troy Hunt discovered a credential stuffing list named Naz.API, consisting of over 70 million unique email addresses and passwords, sourced from malware and a defunct OSINT tool. One-third of the addresses were not previously known, and the data has been added to Have I Been Pwned and Pwned Passwords for free searches.

A credential stuffing list named Naz.API, containing over 70 million unique email addresses, was discovered on a popular hacking forum by Australian researcher Troy Hunt. The list is 104 gigabytes in size and contains email addresses, associated passwords, and the websites they are used on.

Approximately one-third of the email addresses in the list had not previously appeared in data dumps. The data mainly comes from stealer logs and is sourced from the defunct ‘Illicit Services’ OSINT tool and data breach search engine.

The data appears to include legitimate email addresses and associated accounts, but the passwords are likely to be old. Many Have I Been Pwned subscribers confirmed that the passwords on the list were previously used.

Troy Hunt added the data to Have I Been Pwned and Pwned Passwords, enabling individuals to check if their email addresses and passwords were impacted. Both services are offered free of charge.

In related news, data breaches impacting millions of users were reported for Zacks, Instant Checkmate, and TruthFinder. Additionally, over 71,000 accounts on Chick-fil-A were impacted by credential stuffing attacks.
