Nearly 71 million email addresses have been compromised in a significant data breach involving the Naz.API dataset. This dataset, now part of the breach notification service “Have I Been Pwned,” consists of 1 billion credentials collected from credential stuffing lists and by information-stealing malware.
Troy Hunt, the creator of “Have I Been Pwned,” shared insights into the breach in a recent blog post. He revealed that the Naz.API dataset comprises 319 files totaling 104GB and contains 70,840,771 unique email addresses. These credentials, largely gathered from previous breaches, pose a serious threat because they can be used to compromise accounts across multiple online platforms.
Josh Hickling, Chief Advisor at Pentest People, emphasized the potential dangers posed by this breach: “Adding records like these to databases can be highly concerning, particularly when the exposed credentials provide access to sensitive services. The real-world impact will vary based on the nature of the services these credentials unlock. Cybercriminals often use these disclosed credentials in credential stuffing attacks, attempting to gain unauthorized access to online services such as Facebook, Google Mail, and online banking.”
Hickling also warned of the heightened risk if individuals reuse their credentials across multiple platforms, as this could lead to widespread compromise of their accounts.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, highlighted the broader implications: “The Naz.API dataset illustrates how cybercriminals aggregate data from various breaches and public sources to build detailed profiles of potential victims. These datasets will only grow in size and complexity over time, making it easier for cybercriminals to target their victims. In this instance, they will likely cross-reference Naz.API passwords with other services to carry out credential stuffing attacks.”
Javvad Malik, Chief Security Awareness Advocate at KnowBe4, explained why password attacks continue to be a preferred method for cybercriminals: “For many, passwords are an easy target, which is why password-stealing malware remains so prevalent. While it’s crucial to choose strong passwords, that alone isn’t enough. Once a password is leaked, there’s little protection left. That’s why using password managers and implementing multi-factor authentication (MFA) are essential steps in securing accounts. Additionally, websites should incorporate safeguards to detect and thwart password stuffing or brute-force attacks.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, advised internet users to take immediate action: “Visit the Have I Been Pwned website and sign up for notifications to know if your email addresses have been compromised in data breaches. Do this for all email addresses you currently use or have used in the past to stay informed if you’ve been ‘pwned’.”
Jamie Akhtar, CEO and Co-founder of CyberSmart, echoed the need for vigilance: “Even though some data in the Naz.API dataset may be outdated, it’s still vital to check if your email is listed. Cybercriminals won’t hesitate to exploit this information for further attacks, so it’s better to be safe than sorry. Use the Have I Been Pwned service, and if your email is compromised, take steps to secure your accounts, such as enabling MFA.”
For enterprises, Nick Rago, Chief Technology Officer at Salt Security, stressed the importance of robust security measures: “Organizations must offer MFA to their users, especially when handling sensitive data. Make it mandatory, not optional. It’s also crucial to have defenses in place to detect and prevent malicious activities. Protecting consumers’ digital security is part of your responsibility as a service provider.”
Erfan Shadabi, Cybersecurity Expert at Comforte AG, underscored the need for a proactive approach: “Protecting user data goes beyond regulatory compliance; it’s about maintaining user trust. Adopting a data-centric security strategy that prioritizes the protection of user information is a fundamental first step in fulfilling this responsibility.”