Inside the Massive Naz.API Credential Stuffing List

January 18, 2024

Troy Hunt of HaveIBeenPwned writes:

Whilst this post dates back almost 4 months, it hadn’t come across my radar until now and inevitably, also hadn’t been sent to the aforementioned tech company. They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list. Here’s what I found:

Post on BreachForums in September 2023. Image: The Data Breach Times.

  1. 319 files totalling 104GB
  2. 70,840,771 unique email addresses
  3. 427,308 individual HIBP subscribers impacted
  4. 65.03% of addresses already in HIBP (based on a 1k random sample set)

That last number was the real kicker; when a third of the email addresses have never been seen before, that’s statistically significant.

Read more at TroyHunt.com