Whether through phishing, cracking, or malware attacks, your usernames and passwords to websites, apps, and services are at constant risk from online ne'er-do-wells looking to hijack, misuse, and profit from your credentials.
Sadly, this is less of an uncommon occurrence and more of a fact of life. While there are plenty of steps we can take to keep ourselves safe, the threat is persistent and all too easy to succumb to.
Sometimes, victims won't even be aware that their login details have been compromised and are being traded and sold across the shadier corners of the internet until it's too late — and that could be the case for over 70 million people after a cache of usernames and passwords for popular sites, apps, and services like eBay, Facebook, and Coinbase was unearthed.
Naz.API: A 70 million strong repository of stolen credentials
News of this massive credential cache comes by way of Troy Hunt, the creator of the popular breach-tracking site "Have I Been Pwned", who was informed of the credential stuffing list by an unnamed but 'well-known' tech company.
The list, known as Naz.API, was hosted on a well-known hacking forum, and was attached to a post dating back nearly 4 months. Typically, something like this passing by without causing too much fuss would likely mean it's recycled information. However, after investigating further, Hunt came across the startling revelation that almost a third of the information he sampled had never appeared online before.
That means that, out of a list of over 70 million unique email addresses, there could be up to 23 million newly compromised accounts in this one list.
Am I affected by this?
According to the original forum post, the information contained within the Naz.API list was sourced from "stealer logs," meaning information pilfered and snatched from machines infected with various forms of malware.
Once a machine is infected by a piece of malware, it can begin to siphon away credentials stolen through methods like keylogging, where every keyboard input registered by the machine is recorded and sent back to an attacker.
The full Naz.API list is a mix of older and newer information, though both are relevant if you have accounts included within the list — especially if those accounts are tied to bank cards with purchasing capabilities.
The emails found within Naz.API have since been compiled with the rest of the database on HaveIBeenPwned.com, where you can search by your email address for free to see whether your data was part of this most recent discovery.
HIBP is a safe and free service that only stores the email portion of information from breaches and lists. Performing a search will let you know if your email has been included in any data breaches or credential stuffing lists, giving you a heads up to change your passwords as soon as possible.