70 million usernames and passwords for services such as Facebook, Roblox, eBay and Yahoo are circulating on the Dark Web. A veritable gold mine for hackers, and a threat to everyone!

Cybercriminals will stop at nothing to steal your personal data. Phishing, hacking, malware… anything goes. And without your realizing it, your email address and passwords may already be on the Dark Web. Hackers then only have to use them to access your online accounts, steal your identity and get their hands on your banking data. And you might well be affected: Troy Hunt, owner of the site Have I Been Pwned? – which could be translated as “has my password been hacked?” – has discovered a new file, called naz.API, containing no fewer than 71 million email addresses associated with stolen accounts. While he regularly comes across files this large, they are usually compilations of previously published email addresses and passwords. This time, however, around 35% of these addresses – some 25 million – had never before surfaced on the Dark Web.

naz.API: more than 25 million new addresses

No wonder Troy Hunt is sounding the alarm! “When a third of email addresses have never been listed before, that’s significant”, he explains. “This is not a list of recycled content with new packaging, but a significant volume of new data”. Some of these credentials come from leaks and hacks of major platforms, such as Facebook, eBay, Roblox, Coinbase and Yahoo. Based on the data snippets released with the announcement, it also appears that some of them come from stealer logs, i.e. credentials harvested by malware from compromised machines. Part of that stealer-log data appears to come from the site illicit.services – now offline – which itself obtained its data through malware.

© Troy Hunt

When contacted, several victims confirmed to Troy Hunt that the passwords in the naz.API database are indeed legitimate, often from accounts created between 2020 and 2021. Note that some of these people had used the same password on several different services, which is strongly discouraged. Others, entirely unrelated to one another, used the same weak password (a dog’s name, a year of birth, etc.). So we advise you to use only complex passwords – with uppercase letters, lowercase letters, digits and special characters – that are unique to each account. Where possible, enable two-factor authentication (2FA). And don’t hesitate to take a look at Have I Been Pwned and follow the advice in our practical sheet to see whether your credentials have been compromised!
