HaveIBeenPwned.com Adds 71M Email Addresses From 1 Billion Lines Of Stolen Credentials 

Posted in Commentary on January 19, 2024 by itnerd

Today, Troy Hunt, the creator of Have I Been Pwned, announced that he had added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to the data breach notification service.

Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials, compiled from credential stuffing lists and from information-stealing malware logs. Each line consists of a login URL, the login name used there, and the associated password stolen from a person's device.

According to Hunt, the Naz.API dataset consists of:

  • 319 files totalling 104GB
  • 70,840,771 unique email addresses
  • 427,308 individual HIBP subscribers impacted
  • 65.03% of addresses already in HIBP (based on a 1k random sample set)

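The figures above are what you get by parsing lines in the URL/login/password layout just described, normalising the addresses, de-duplicating them and sampling the result against what a service already holds. The following is an added illustration of that triage, not code from Have I Been Pwned; the colon delimiter, the constructed sample lines and the ALREADY_KNOWN set are assumptions.

```python
import random

# Constructed sample in the assumed "url:login:password" layout of stealer-log
# lines. Both the URL and the password can legitimately contain ':' characters.
SAMPLE_LINES = """\
https://shop.example.com/login:alice@example.com:Winter2023!
https://mail.example.net/:Alice@Example.com:p:a:s:s
https://bank.example.org/signin:bob@example.com:hunter2
http://forum.example.com/:carol:notanemail
https://shop.example.com/login:dave@example.com:Winter2023!
garbage line without delimiters
""".splitlines()

# Constructed stand-in for the addresses a notification service already holds.
ALREADY_KNOWN = {"alice@example.com", "bob@example.com"}


def parse_line(line):
    """Split one line into (url, login, password), or None if malformed.

    The field separator is located after the URL's path ("/" following the
    authority), so ':' inside the scheme or a port does not break the split;
    the password takes whatever follows the login's first ':'.
    Assumes the URL has a path component, as all sample lines do.
    """
    scheme_end = line.find("://")
    if scheme_end == -1:
        return None
    path_start = line.find("/", scheme_end + 3)
    end_of_url = line.find(":", path_start if path_start != -1 else scheme_end + 3)
    if end_of_url == -1:
        return None
    login, _, password = line[end_of_url + 1:].partition(":")
    if not login or not password:
        return None
    return line[:end_of_url], login, password


def unique_emails(lines):
    """Collect case-normalised e-mail logins; non-e-mail logins are skipped."""
    emails = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and "@" in parsed[1]:
            emails.add(parsed[1].strip().lower())
    return emails


def share_already_known(emails, known, sample_size, seed=1):
    """Fraction of a seeded random sample of addresses already in `known`."""
    pool = sorted(emails)
    sample = random.Random(seed).sample(pool, min(sample_size, len(pool)))
    return sum(addr in known for addr in sample) / len(sample)
```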
“That last number was the real kicker; when a third of the email addresses have never been seen before, that’s statistically significant. This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data,” Hunt said.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “While user authentication serves as a critical gatekeeper for accessing sensitive data, the Naz.API dataset containing over a billion lines of stolen credentials highlights that it’s essential to recognize its limitations in the face of these threats.

   “Credential stuffing attacks, where stolen credentials are used to gain unauthorized access to multiple accounts, remain a prevalent threat. Additionally, automated bots leverage stolen credentials to manipulate login processes. To address these vulnerabilities, two advanced security measures stand out as effective solutions: mobile app attestation and token-based API security. Token-based API security provides robust protection for API access by only granting authorized users a unique token and prevents unauthorized access attempts, even if attackers possess stolen credentials. This method has proven to be a formidable defense against automated bots and malicious actors attempting to exploit API vulnerabilities.

   “Mobile app attestation ensures the integrity of mobile applications, making it significantly harder for attackers to utilize bots or brute force ATO attacks. This approach verifies that the mobile app is running in a secure and untampered environment, adding an extra layer of security to user authentication.”

Brad Hong, Customer Success Lead, Horizon3.ai follows with this:

   “Incidents like this continue to verify that from an attacker’s perspective, hackers rarely need to hack in; they simply log in.

   “Why would they want to hack me? The age-old question of the layman. With recent advances in AI/ML driven combinatorics, lists like these serve as more than just loot and are the crown jewel of OSINT. For attackers, it’s always going to be about planting the first flag, regardless of how unimportant that person might seemingly be in the organization. And who knows? They just might share the same affinity for sports, pets or seasons as the CEO.

   “With few giving their companies the courtesy of using a password unique to only their corporate devices, high volumes of statistical password reuse throughout an organization, rampant misconfigurations leading to excessively privileged credentials, and post-exploitation of locally stored credential databases to capture legitimate creds potentially leading to privesc, as the number of breaches goes up, attackers are given more and more datasets to avoid having to take on the time-intensive work of algorithmic hash cracking, and instead simply stuff what seems to be an endless list of real-world credentials to get in with.

   “By recycling the processes above, without invoking a single GPU for a hash cracker, attackers can easily be set up to capture hashes from an entire organization and achieve domain admin through legitimate passwords and abuse of built-in capabilities. What’s significant about the percentage of new users added to the master list is that it introduces a whole lot of new entryways to new organizations in the form of humans. And it can all start from one person who used the same password on their AD as they did on Uber.”

I’d recommend everyone pay a visit to https://haveibeenpwned.com and pop in their email address or addresses to see if they are part of this dataset. That way you can take action to protect yourself from whatever the threat actors behind this dataset plan on unleashing on the world.