Researcher uncovers one of the biggest password dumps in recent history


Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months, a researcher said Wednesday.

Troy Hunt, operator of the Have I Been Pwned? breach notification service, said the massive amount of data was posted to a well-known underground market that brokers sales of compromised credentials. Hunt said he often pays little attention to dumps like these because they simply compile and repackage previously published passwords taken in earlier campaigns.

Post appearing on the breach forum advertising the availability of naz.api password data.

Not your typical password dump

Several things prevented Hunt from dismissing this one, chiefly that roughly a third of the email addresses, nearly 25 million, had never appeared in a previously catalogued breach:

  1. 319 files totaling 104GB
  2. 70,840,771 unique email addresses
  3. 427,308 individual HIBP subscribers impacted
  4. 65.03 percent of addresses already in HIBP (based on a random sample of 1,000 addresses)

“That last number was the real kicker,” Hunt wrote. “When a third of the email addresses have never been seen before, that’s statistically significant. This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it’s from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”

A redacted image that Hunt posted showing a small sample of the exposed credentials indicated that account credentials for a variety of sites were swept up, including Facebook, Roblox, Coinbase, Yammer, and Yahoo. In keeping with the claim that the credentials were collected by a “stealer”—malware that runs on a victim’s device and captures the user names and passwords entered into login pages—the passwords appear in plaintext. Passwords taken in website breaches, by contrast, are almost always stored as cryptographic hashes and must be cracked before they can be used. (A sad aside: Most of the exposed passwords are weak and would easily fall to a simple dictionary attack.)

Screenshot showing a sample of 20 credential pairs, with usernames redacted. (Have I Been Pwned?)

Data collected by Have I Been Pwned indicates this password weakness runs rampant: the 100 million unique passwords it has amassed have been seen a combined 1.3 billion times.

The forum post advertising the dataset said it came from a breach dubbed naz.api that had been donated to a different site earlier.

Hunt said that a large percentage of the credentials came not from stealer malware as claimed but from credential stuffing lists, compilations of credentials stolen in earlier breaches that attackers replay against other sites in the hope that victims reused their passwords. Hunt said those lists explained how a password he used “pre-2011” landed in the dump.

“Some of this data does not come from malware and has been around for a significant period of time,” he wrote. “My own email address, for example, accompanied a password not used for well over a decade and did not accompany a website indicating it was sourced from malware.”

Making passwords safe

There are dozens of useful primers online explaining how to properly secure accounts. The two main ingredients of account security are (1) choosing strong passwords and (2) keeping them out of the sight of prying eyes. This means:

  • Creating a long, randomly generated password or passphrase. A random password should be at least 11 characters; a passphrase should be at least four words chosen at random from a dictionary of no fewer than 50,000 entries. Bitwarden, a free, open-source password manager, is a good choice and a great way for less experienced people to get started. Once a password is created, it should be stored in the password-manager vault rather than memorized or reused.
  • Preventing strong passwords from being compromised. This entails not entering passwords into phishing sites and keeping devices free of malware; a stealer running on the device captures the password in plaintext no matter how strong it is.
  • Using two-factor authentication, preferably with a security key or authenticator app, whenever possible. This doubly applies to protecting the password manager itself with 2FA.
  • Better yet, using passkeys, a new, industry-wide authentication standard that is immune to theft through stealer malware and credential phishing because the secret is never typed into a login page.
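As an added illustration of the strength guidance above (example code written for this article, not from Hunt, Bitwarden, or any of the primers it mentions), the following Python generates both kinds of secret from the operating system's CSPRNG and computes how much entropy a given length and dictionary size buy. The eight-word list is a constructed stand-in for a real 50,000-entry dictionary; the entropy figures for the recommended sizes are computed from the sizes themselves, so they do not depend on the stand-in.

```python
import math
import secrets
import string

# Printable ASCII minus whitespace: 94 symbols, the usual random-password alphabet.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a word list. A real diceware-style list should have
# at least 50,000 entries; this one exists only so the code runs offline.
SAMPLE_WORDS = ["anchor", "basalt", "copper", "dahlia", "ember", "fjord", "glacier", "hollow"]

RECOMMENDED_PASSWORD_LENGTH = 11
RECOMMENDED_PASSPHRASE_WORDS = 4
RECOMMENDED_DICTIONARY_SIZE = 50_000


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` symbols."""
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and one pick")
    return length * math.log2(choices)


def picks_needed(choices: int, target_bits: float) -> int:
    """Smallest number of uniform picks from `choices` symbols reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def generate_password(length: int = RECOMMENDED_PASSWORD_LENGTH) -> str:
    # secrets.choice draws from os.urandom, unlike random.choice.
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_passphrase(words, count: int = RECOMMENDED_PASSPHRASE_WORDS, separator: str = "-") -> str:
    if len(words) < 2:
        raise ValueError("word list too small")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw_bits = entropy_bits(len(PASSWORD_ALPHABET), RECOMMENDED_PASSWORD_LENGTH)
    pp_bits = entropy_bits(RECOMMENDED_DICTIONARY_SIZE, RECOMMENDED_PASSPHRASE_WORDS)
    print(f"11-char random password: {pw_bits:.1f} bits")
    print(f"4 words from 50,000:     {pp_bits:.1f} bits")
    # A small dictionary has to be compensated for with more words.
    print("words needed from a 2,000-entry list for ~62 bits:", picks_needed(2_000, 62))
    print("sample password:  ", generate_password())
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Running it shows why the article pairs the word count with a minimum dictionary size: four words from 50,000 give about 62 bits, roughly what an 11-character random password gives (about 72 bits), while a 2,000-word list needs six words to reach the same level.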

here.

Have I Been Pwned also allows users to search its Pwned Passwords database for specific passwords without revealing them: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest locally against the list of suffixes the server returns. More about k-anonymity and other measures Hunt uses to prevent password exposure and abuse of his service is here.
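The range query described above, as an added example written for this article rather than HIBP's own client: the Python below hashes the password, splits the SHA-1 into the five-character prefix that leaves the machine and the 35-character suffix that does not, parses a range response, and looks the suffix up locally. The response body embedded here is constructed so the code runs offline, and its counts are made up; the 1E4C9... line is the genuine suffix of SHA-1("password"). The endpoint and response format (https://api.pwnedpasswords.com/range/{prefix}, one SUFFIX:COUNT per line, optional Add-Padding header that adds zero-count decoy lines) are the real service's, used only by the optional fetch function.

```python
from __future__ import annotations

import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5          # hex characters of the SHA-1 sent to the server
SUFFIX_LEN = 40 - PREFIX_LEN  # hex characters that stay on the client

# Constructed sample of a range response for prefix 5BAA6. Counts are made up.
# The zero-count line is the kind of decoy the API adds when "Add-Padding: true"
# is sent, so that response size does not leak how many suffixes really matched.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0F4A1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:12
ABCDEF0123456789ABCDEF0123456789ABC:0
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Separate the part that is sent (prefix) from the part that is kept (suffix)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines into a lookup table, rejecting malformed input."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != SUFFIX_LEN or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_body: str) -> int:
    """How many times the password appears, judged entirely on the client side."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(response_body).get(suffix, 0)


def fetch_range(prefix: str, padding: bool = True) -> str:
    """Network call to the real API. Not exercised offline; the prefix is all it sees."""
    headers = {"User-Agent": "naz-api-article-example"}
    if padding:
        headers["Add-Padding"] = "true"
    req = urllib.request.Request(RANGE_API + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password: str) -> int:
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = split_hash(sha1_hex("password"))
    print("sent to server:", prefix)
    print("kept locally:  ", suffix)
    print("occurrences in sample response:", breach_count("password", SAMPLE_RESPONSE))
```

The server never learns more than a five-character prefix shared by hundreds of other hashes, which is the k-anonymity property; a zero count can mean either "not present" or "a padding decoy", and both are safe to treat as not found.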

This post has been updated to correct inferences about how Hunt’s password ended up in the dataset.
