Data breaches are increasing in frequency and scale. With mass amounts of data leaked onto the dark web from “credential stuffing” attacks, more people want to know if their private information is secure. So they look for services like HaveIBeenPwned(HIBP), which has been rapidly increasing its user base as more people move to protect their privacy.
The latest “credential stuffing” example comes from a Naz.API dataset leak. Nearly 71 Million credentials, complete with plaintext passwords are now circulating the dark web. It was reported by Troy Hunt, who runs HIBP, and which we covered in the #AxisofEasy newsletter.
On the rising awareness of “credential stuffing” leading up to the Naz.API leak, Hunt writes:
“It feels like not a week goes by without someone sending me yet another credential stuffing list. It’s usually something to the effect of “hey, have you seen the Spotify breach”, to which I politely reply with a link to my old No, Spotify Wasn’t Hacked blog post (it’s just the output of a small set of credentials successfully tested against their service), and we all move on.
Occasionally though, the corpus of data is of much greater significance, most notably the Collection #1 incident of early 2019. But even then, the rapid appearance of Collections #2 through #5 (and more) quickly became, as I phrased it in that blog post, “a race to the bottom” I did not want to take further part in.
Until the Naz.API list appeared.”
Then nearly 71 million unique emails still shared on a popular hacker forum, and still available on the dark web.
How Do “Credential Stuffing” Leaks Happen?
- Weak or Vulnerable Passwords
- people reuse passwords (2/3 use same password across multiple accounts, Google, 2019)
- some web hosting companies and websites store passwords in plaintext (Facebook stored ‘hundreds of millions of passwords in plaintext, TechCrunch, 2019, Google did the same since 2005 until recently, Wired 2019, 30% of e-commerce stores still do, Makeuseof, 2019)
- web hosting companies, or a website holding your data gets hacked, now everybody in that database who re-uses passwords is vulnerable
OR:
- Malware
- people get infected with malware
- resident malware sniffs all their logins (and worse)
Adding to these vulnerabilities are the unreliable, common, and honestly lazy passwords people choose to protect themselves with. A study by cybernews reveals the top ten passwords of 2024:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Three Signs Your Credentials May Be Compromised Or at Risk
You reuse passwords. Stop reusing passwords, instead use a password manager like 1password, Bitwarden, or Vaultwarden (if you want to go open source).
Have you had anomalous activity in vendor accounts, but no indication of login failures? That would mean somebody logged in and already knew your password.
Can you view last logins and see accesses from outside your normal sphere? For example, are people logging from different countries, network carriers or, worse, anonymizers or tor exit nodes (remember that in your easyDNS security settings, you can limit logins by networks, IP address range and by countries).
What do you do when you become aware?
Let’s say you’ve been notified by HIBP, or your web hosting / DNS vendor that your credentials have been leaked. As you may know from past breaches, some vendors like easyDNS and Domainsure make it a practice to analyze credential dumps and mitigate end user accounts discovered in them. Before you do anything, it’s important to be aware of what cybersecurity measures your web hosting company, ecommerce, or websites you visit do to protect your username and password.
First, you need to check if your local devices are compromised or infected with malware. If you already run an antivirus, make sure the virus definitions are up to date, run deep scans.
Think about adding another virus scanner and run a local scan.
Second, once you’re confident your local devices are not compromised (or disinfected if they were), start with the following:
- change the passwords on your email accounts You want to secure this first because it is where login notifications and some second-factor authentication requests are sent.
Third, you need to do a total password reset across all your vendors, social media accounts – any system where you have to login. All of them.
Do not reuse passwords use a password manager to set unique logins for every site.
If you’re a business or organization, you should do a global password reset at least once per year.
Also important: As you’re working your way through this, enable two-factor authentication(2FA) on every service that has it available. If a service doesn’t support 2FA or MFA (Multi-factor-authentication), consider switching to one that does – the 2FA directory could help you source one.
If you’re already using 2FA, but the second factor is email or your mobile phone: use a proper authenticator app like Authy or Google Authenticator (I like Authy because they make it easier to move across devices when you switch phones).
Enable login and activity notifications across all platforms and vendors.
It may be an idea to register a separate canary email domain, and then use a unique email address under that domain for every vendor login (these also work great for subscribing to email lists and knowing who is sharing your data, and who’s been breached).
Finally, once you’re done with this process, always use a unique login and password for each new service, enable 2FA using an authenticator app for each one on a go-forward basis. Make this your new habit.
Conclusion
The recent Naz.API leak, compromised nearly 71 million credentials, email names, passwords, and all. This incident itself is growing reminder of the credential stuffing threat. Credential stuffing is effective because it preys on the common habit of password reuse, and the alarming negligence of secure password storage by some web hosting companies, e-commerce, and other websites.
The path forward demands individuals take a proactive approach to protecting their information and privacy. Adopting robust password management practices, ensuring the security of our devices against malware, and embracing two-factor authentication are no longer optional but necessary measures to safeguard our digital identities. Let this incident be a catalyst for change, prompting us to re-evaluate our online security measures and to adopt a more disciplined and informed approach to protecting our personal information.
References
https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
Leave a Reply