
A massive trove of stolen data recently leaked online includes nearly 24 million email addresses that haven’t appeared in previous leaks and 100 million unique passwords, researcher Troy Hunt said on Thursday.

Hunt, operator of “Have I Been Pwned,” found this dataset on “BreachForums.is,” a hacking forum and underground marketplace where it was posted in September 2023.

The huge dataset, named “Naz.API,” includes stolen usernames, email addresses, and passwords used to log in to popular platforms like Facebook, Roblox, eBay, Coinbase, and Yahoo. The data was harvested from Illicit Services, a now-defunct website that allowed users to search for information about anyone.

Hunt conducted tests to confirm the data is legitimate; he even found an old password he used around 2011 in the leaked trove.

Over 104 GB of Leaked Data, Impact is “Huge”

In a blog post, Hunt said he was alerted to the leaked data by a “well-known tech company” that received a bug bounty submission related to the data. According to Hunt, there are 319 files totaling 104 GB in the dataset — including 70.8 million unique email addresses, a third of which have never been leaked before.

While analyzing the data, Hunt found a “massive prevalence of people using the same password across multiple services and completely different people using the same password.”

While one BreachForums user said the data was extracted from stealer logs (i.e., data swiped from compromised devices using malware), Hunt said some must have also come from credential stuffing lists.

This “corpus of data isn’t just stealer logs, it also contains your classic credential stuffing username and password pairs too. In fact, the largest file in the collection is just that: 312 million rows of email addresses and passwords,” Hunt wrote.

How to Keep Your Online Accounts Safe

It’s not uncommon for stolen data to be shared on dark web forums and sites like BreachForums. While stolen credentials are usually sold, sometimes — like in this instance — cybercriminals share them for free.

It’s easy to fall into the habit of reusing the same password for different accounts, but this is a major security risk. “Password reuse remains rampant so attacks of this type prosper,” Hunt said. To secure your accounts, Hunt emphasized the importance of using a password manager and ensuring your online accounts are protected with secure passwords and two-factor authentication.

Our cybersecurity experts have tested different password managers extensively, and NordPass is our top choice for privacy and security.

This password manager doesn’t just allow you to create strong passwords and autofill them on sites; it also comes with a proprietary Data Breach Scanner that you can use to check if your data (including credit card details) has been leaked online. NordPass even supports passkeys, a newer and more secure method of authentication.

Cybercriminals are using increasingly sophisticated techniques to spread keyloggers, Trojans, and other malware. So, we also recommend using a tried and tested antivirus solution, like Norton360, to shield you from malware and other online threats.

Worried your data was exposed in this breach? You can check on Have I Been Pwned. Hunt and his team have added the email addresses and passwords to the site’s database.

If you find your data in the leaked trove, Tomas Smalakys, NordPass’ CTO, recommends changing your passwords immediately (and updating them regularly), and closely monitoring your accounts for any suspicious activity.

Check out the results of our NordPass tests to discover why this is our number one password manager. For more cybersecurity tips, read our guide to staying safe online.
