They identify a list of stolen credentials with 71 million email addresses and 100 million passwords

Security researcher Troy Hunter has reported the publication of a list of stolen Naz.API credentials, which includes around 71 million email addresses and 100 million plain text passwords, along with the service for the that these credentials were used, including platforms such as Facebook or Roblox. It is common for malicious actors to publish lists of stolen user data credentials on pages or forums dedicated to this; these are leaks that appear as a result of cyberattacks or security breaches. In this sense, the cybersecurity specialist, creator of the Have I Been Pwned platform, has identified a new list of stolen credentials, which they refer to as Naz.API, which has leaked a total of 104GB of credential data, belonging to services such as Coinbase, Ebay, Yahoo, Facebook or Roblox. As Troy Hunter explained in a statement on his website, the Naz.API list was initially published in September on a hacking forum, and was created from data extracted from thieves’ logs. Thus, it contains data such as usernames and passwords saved in the browsers used by users. In this sense, the list includes up to 319 leaked data files. Among them, 70,840,771 unique email addresses and around 100 million related plaintext passwords have been found. All this, along with the service for which the credentials were used, such as Facebook or Roblox. According to the researcher’s verifications, 65.03 percent of the published addresses were already stored in the database of its Have I Been Pwned platform, which suggests that they are data from older leaks that have already been alerted. Therefore, almost 25 million of the 71 million email addresses included in the list have been exposed for the first time through the Naz.AP database. Likewise, the researcher has specified that, after carrying out checks with the data, they have “a high degree of confidence” regarding its legitimacy. For example, email addresses are verified in the services and platforms with which they are related. Therefore, this is a list of real credentials. Likewise, regarding passwords, users of Have I Been Pwned, who have participated in the investigation to help verify the legitimacy of the breach, have also assured that these are real passwords that they have used at some point. However, it should be noted that they have pointed out that these are old passwords that they previously used in some online services. In this context, Hunter has detailed that these passwords have been entered into its Pwned Passwords service, which allows users to check if they have been leaked. Likewise, he has recommended users use their services to check if their credentials are on said list, in order to avoid possible subsequent consequences and take action if they have been leaked. In the same way, the specialist has also recalled the importance of creating “secure and unique” passwords, as well as activating systems such as two-factor authentication (2FA) for all credentials.