Troy Hunt: Inside the Massive Naz.API Credential Stuffing List

It feels like not a week goes by without someone sending me yet another credential stuffing list. It's usually something to the effect of "hey, have you seen the Spotify breach?", to which I politely reply with a link to my old "No, Spotify Wasn't Hacked" blog post (it's just the output of a small set of credentials successfully tested against their service), and we all move on. Occasionally though, the corpus of data is of much greater significance, most notably the Collection #1 incident of early 2019. But even then, the rapid appearance of Collections 2 through 5 (and more) quickly became, as I phrased it in that blog post, "a race to the bottom" I did not want to take further part in.

Until the Naz.API list appeared. Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum.

Whilst this post dates back almost 4 months, it hadn't come across my radar until now and, inevitably, also hadn't been sent to the aforementioned tech company. They took it seriously enough to take appropriate action against their very sizeable user base, which gave me enough cause to investigate it further than your average cred stuffing list. Here's what I found:

That last number was the real kicker: when a third of the email addresses have never been seen before, that's statistically significant. This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data. When you look at the forum post the data accompanied, the reason why becomes clear: it's from stealer logs, or in other words, malware that has grabbed credentials from compromised machines. Apparently this was sourced from the now defunct illicit.services website, which infamously provided search results for other people's data along these lines:

I was aware of this service because, well, just look at the first example query.

So what does a stealer log look like? Website, username and password:

That's just the first 20 rows out of 5 million in that particular file, but it gives you a good sense of the data. Is it legit? Whilst I won't test a username and password pair on a service (that's way too far into the grey for my comfort), I regularly use enumeration vectors on websites to validate whether an account actually exists or not. For example, take that last entry for racedepartment.com, head to the password reset feature and mash the keyboard to generate a quasi-random alias at hotmail.com:

And now with the actual Hotmail address from that last line:

The email address exists.

The VideoScribe service on line 9:

Exists.

And even the service on the very first line:

From a verification perspective, this gives me a high degree of confidence in the legitimacy of the data. The question of how valid the accompanying passwords remain aside, time and time again the email addresses in the stealer logs checked out on the services they appeared alongside.

Another technique I regularly use for validation is to reach out to impacted HIBP subscribers and simply ask them: are you willing to help verify the legitimacy of a breach and, if so, can you confirm if your data looks accurate? I usually get pretty prompt responses:

When I asked them to date when they might have last used that password, they believed it was either 2020 or 2021.

And another, whose details appear alongside a Webex URL:

And another:

Which got me wondering: is my own data in there? Yep, turns out it is, and with a very old password I'd genuinely used pre-2011 when I rolled over to 1Password for all my things. So that sucks, but it does help me put the incident in more context and draw an important conclusion: this corpus of data isn't just stealer logs, it also contains your classic credential stuffing username and password pairs too. In fact, the largest file in the collection is just that: 312 million rows of email addresses and passwords.

Speaking of passwords, given the significance of this data set, we've made sure to roll every single one of them into Pwned Passwords. Stefán has been working tirelessly the last couple of days to trawl through this massive corpus and get all the data in so that anyone hitting the k-anonymity API is already benefiting from those new passwords. And there's a lot of them: it's a rounding error off 100 million unique passwords that appeared 1.3 billion times across the corpus of data. Now, what does that tell you about the general public's password practices? To be fair, there are instances of duplicated rows, but there's also a massive prevalence of people using the same password across multiple different services, and completely different people using the same password (there are a finite set of dog names and years of birth out there). And now, more than ever, the impact of this service is absolutely huge:

"When we weren't looking, haveibeenpwned's Pwned Passwords rocketed past 7 billion requests in a month" pic.twitter.com/hVDxWp3oQG

Pwned Passwords remains totally free and completely open source for both code and data, so do please make use of it to the fullest extent possible. This is such an easy thing to implement and it has a profound impact on credential stuffing attacks, so if you're running any sort of online auth service and you're worried about the impact of Naz.API, this now completely kills any attack using that data. Password reuse remains rampant, so attacks of this type prosper (23andMe's recent incident comes immediately to mind); definitely get out in front of this one as early as you can.

So, that's the story with the Naz.API data. All the email addresses are now in HIBP and searchable either individually or via domain, and all those passwords are in Pwned Passwords. There are inevitably going to be queries along the lines of "can you show me the actual password?" or "which website did my record appear against?", and as always, this just isn't information we store or return in queries. That said, if you're following the age-old
guidance of using a password manager, creating strong and unique ones, and turning 2FA on for all your things, this incident should be a non-event. If you're not and you find yourself in this data, maybe this is the prompt you finally needed to go ahead and do those things right now.

Edit: A few clarifications based on comments:
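The k-anonymity check the Pwned Passwords paragraph above refers to, as an added example that is not HIBP's own client code: the endpoint and the Add-Padding header are the real Pwned Passwords API, while the sample bucket and its counts are constructed so the matching logic can be exercised offline.

```python
"""Pwned Passwords k-anonymity range check (added example, not HIBP's client).
Only the first five hex chars of the password's SHA-1 go to
https://api.pwnedpasswords.com/range/<prefix>; the API returns every suffix in
that bucket as "SUFFIX:COUNT" lines and the match is done locally."""
import hashlib
import urllib.request

API_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_body):
    """How often the suffix appears in a range response (0 if absent or padded)."""
    for line in range_body.splitlines():
        seen_suffix, _, count = line.strip().partition(":")
        if seen_suffix.upper() == suffix.upper():
            # Padding entries are returned with a count of 0, so they read as not pwned.
            return int(count or 0)
    return 0


def fetch_range(prefix, timeout=5.0):
    """Fetch one bucket; Add-Padding hides the true bucket size from observers."""
    req = urllib.request.Request(
        API_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_body=None):
    """Return the breach count; pass range_body to check offline, else hit the API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return breach_count(suffix, body)


# Constructed bucket for prefix 5BAA6 (the SHA-1 of "password" starts with it);
# the other suffixes and all counts are made up for the offline check.
SAMPLE_RANGE_BODY = """0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FFFFE0D1C2B3A4958677685F4E3D2C1B0A9:1
"""
```

Calling `pwned_count("...")` without a body performs the live range query; on a login or password-change path a non-zero count is the signal to reject the password.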
This work is licensed under a Creative Commons Attribution 4.0 International License. In other words, share generously but provide attribution.