Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Laptop
Laptop
Technology
Rael Hornby

70+ million at risk as cache of stolen login details to popular websites unearthed

Passwords.

Whether through phishing, cracking, or malware attacks, your usernames and passwords to websites, apps, and services are at constant risk from online ne'er-do-wells looking hijack, misuse, and profit from your credentials.

Sadly, this is less of an uncommon occurrence and more of a fact of life. While there are plenty of steps we can take to keep ourselves safe, the threat is persistent and all too easy to succumb to.

Sometimes, victims won't even be aware that their login details have been compromised and are being traded and sold across the shadier corners of the internet until it's too late — and that could be the case for over 70+ million people after a cache of usernames and passwords for popular sites, apps, and services like eBay, Facebook, and Coinbase was unearthed.

Naz.API: A 70 million strong repository of stolen credentials

New of this massive credential cache comes by way of Troy Hunt, the creator of popular website breach tracking site "Have I Been Pwned", who was informed of the credential stuffing list by an unnamed but 'well-known' tech company.

The list, known as Naz.API, was hosted on a well-known hacking forum, and was attached to a post dating back nearly 4 months. Typically, something like this passing by without causing too much fuss would likely mean it's recycled information. However, after investigating further, Hunt came across the startling revelation that almost a third of the information he sampled had never appeared online before.

Meaning, out of a list of over 70 million unique email addresses, there could be up to 23 million new accounts compromised as part of this one list.

(Image credit: Troy Hunt)

Am I affected by this?

According the the original forum post, the information contained within the Naz.API list was sourced from "stealer logs," meaning information pilfered and snatched from machines infected with various forms of malware.

Once a machine is infected by a piece of malware, it can begin to siphon away credentials stolen through methods like keylogging, where every keyboard input registered by the machine is recorded and sent back to an attacker.

The full Naz.API list is a mix of older and newer information, though both are relevant if you have accounts included within the list — especially if those accounts are tied to bank cards with purchasing capabilities.

The emails found within Naz.API have since been compiled with the rest of the database on HaveIBeenPwned.com, where it is free to search by your email and see if your data was a part of this most recent uncovering.

HIBP is a safe and free service that only stores the email portion of information from breaches and lists. Performing a search will let you know if your email has been included in any data breaches or credential stuffing lists, giving you a heads up to change your passwords as soon as possible.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.