Stop reusing passwords, already. Here’s what else you should do.

Almost 71 million sets of unique credentials have leaked, via an unnamed firm’s bug bounty program. Nicknamed Naz.API, the leak is making waves. After importing them into HaveIBeenPwned.com, it turns out that 24 million are fresh.

The site’s majordomo, Troy Hunt (pictured), sounds astounded. In today’s SB Blogwatch, we ran a scan.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Not Mario.

Have I? Yes, You Probably Have.

What’s the craic? Lawrence Abrams reports—“Have I Been Pwned adds 71 million emails”:

“Change passwords”
The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches. … Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers.
…
This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services, which allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. [It] shut down in July 2023 out of concerns it was being used for Doxxing and SIM-swapping attacks. However, the operator enabled the service again in September.
…
Unfortunately, even if HIBP warns you that your email was in the Naz.API, it does not tell you for what specific website credentials were stolen, [so] it’s recommended to change passwords for all your saved accounts. This includes passwords for corporate VPNs, email accounts, bank accounts, and any other personal accounts.

How big is it? Rob Thubron also calls it “Massive”:

“Troy Hunt”
Not all of the data comes from stealer malware. A large percentage are the result of credential stuffing, which collates data from previous breaches.
…
News of the dataset comes from Troy Hunt, operator of the Have I Been Pwned service used to identify emails that appear in data breaches.

Horse’s mouth? The aforementioned Troy Hunt, obvs.—“Inside the Massive Naz.API Credential Stuffing List”:

“Pwned Passwords remains totally free”
Here’s the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum. … They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further.
…
The real kicker: … A third of the email addresses have never been seen before. … This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data. … There’s also a massive prevalence of people using the same password across multiple different services and completely different people using the same password.
…
Pwned Passwords remains totally free and completely open source for both code and data so do please make use of it to the fullest extent possible. This is such an easy thing to implement, and it has a profound impact on credential stuffing attacks so … definitely get out in front of this one as early as you can. [Good password managers] can automatically (and anonymously) scan all your passwords against Pwned Passwords which includes all passwords from this corpus of data.

OK, OK, I got it—it’s massive. But what should I do? “There’s no sense freaking out over it,” says u/_4nti_her0_:

Go to haveibeenpwned.com and see what they show has been compromised in this and any other breaches that show up. If passwords are on the list, change them. If you have recycled passwords, change any others that used the same password.
…
Don’t recycle passwords. Use a password manager to create and store long, complex passwords. … Just try to mitigate the damage as much as possible.

What else should I do? Nilt tilts:

For the sake of Pete, please [use two-factor authentication], especially [with a security key or authenticator app]! It’s one of the single most important ways in which you can secure your accounts in the modern setting. I also really wish the banking industry in the US would pull their heads out of their collective rear ends and stop relying solely on SMS for this.

Oh yeah. TwistedGreen couldn’t agree more:

The number itself doesn’t really identify you, but once you provide it they can more-or-less safely assume that as long as you have access to that phone number, you’re probably the same person as before. Admittedly it’s a lazy solution to people using and reusing **** passwords.

Wait. Pause. Is this really Naz.API? templeosenjoyer thinks not:

The leaked dataset Troy refers to wasn’t the real Naz.API list, and the “illicit.services” website [is] online at hxxps://search.0t.rocks/. You can use this to see if you’re in the real Naz.API dataset (which is way scarier than the data shared). … From what I remember it was essentially created as a “**** you” to Peter Kleissner, the creator of hxxps://intelx.io/, who charges exorbitant prices to search breaches.

Meanwhile, Frodo Douchebaggins expresses his love for Troy’s site:

Love HIBP. Makes it easy to know when it’s time to turn [email protected] into a bounced address before the spam actually starts hitting it en masse.

And Finally:

More than you could possibly want to know about progress bars

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Troy Hunt (cc:by-sa; leveled and cropped)