Naz.API, Passwords and Credential Stuffing
By Corporal Punishment
A new threat has emerged in the cybersecurity landscape, stirring widespread chatter among security experts: the Naz.API dataset. Naz.API could represent one of the larger, newer accumulations of compromised credentials recorded, underscoring the persistent threat of digital vulnerabilities.
This dataset, which encompasses more than 70 million compromised credentials, has apparently been assembled from various sources. It is currently being used in credential-stuffing attacks, and it is the sinister handiwork of info-stealing malware.
Credential stuffing is a cyberattack strategy in which attackers exploit stolen login details to infiltrate user accounts across various platforms, leveraging the fact that many people reuse their passwords across multiple sites. For example, a hacker can get your username and password for your Dropbox account. They then hope to get lucky and find that you have reused that saved username and password for your bank account, so they stuff those credentials into every banking site they can find to see if they hit the jackpot.
And THAT is how we found out about Naz.api.
Our forums recently had a sudden rash of old, verified accounts posting spam on casual dating sites. (Fortunately, they classify this spam as "Living" women. I mean, why make it weird, right?)
Looking into this, our geeky little cyber sleuths found that these accounts were all recently showing compromised emails in the naz.api dataset, according to Have I Been Pwned. HIBP is a platform created by security expert Troy Hunt, where users can check whether their personal data has been exposed in any data breach.
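The pattern our forum saw has a server-side fingerprint too. As an added example (not part of the original post, and not code from HIBP or from any forum software), this Python snippet runs a simple credential-stuffing detector over constructed login-log lines: one source IP trying many different usernames within a short window, with any successful logins among them flagged as accounts that need a password reset. The log format and IP addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic). One IP sprays seven
# usernames in a few seconds and gets two hits; another IP is just one
# user mistyping a password twice before logging in.
SAMPLE_LOG = """\
2024-01-20T10:00:01 login FAIL user=alice ip=203.0.113.7
2024-01-20T10:00:02 login FAIL user=bob ip=203.0.113.7
2024-01-20T10:00:02 login OK user=carol ip=203.0.113.7
2024-01-20T10:00:03 login FAIL user=dave ip=203.0.113.7
2024-01-20T10:00:04 login FAIL user=erin ip=203.0.113.7
2024-01-20T10:00:05 login OK user=frank ip=203.0.113.7
2024-01-20T10:00:06 login FAIL user=grace ip=203.0.113.7
2024-01-20T10:01:00 login FAIL user=alice ip=198.51.100.9
2024-01-20T10:01:30 login FAIL user=alice ip=198.51.100.9
2024-01-20T10:02:00 login OK user=alice ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Turn log lines into (timestamp, result, user, ip) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag IPs that attempt at least min_users distinct usernames within one window.
    Brute force on a single account looks different (one user, many failures);
    stuffing is many users, roughly one attempt each. Successful logins inside
    the burst are the accounts whose reused passwords were in the leaked list."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # sliding window from each event
            users, hits = set(), set()
            for ts, result, user in evs[i:]:
                if ts - start > window:
                    break
                users.add(user)
                if result == "OK":
                    hits.add(user)
            if len(users) >= min_users:
                alerts[ip] = {"distinct_users": len(users), "compromised": sorted(hits)}
                break
    return alerts
```

`detect_stuffing(parse(SAMPLE_LOG))` flags only 203.0.113.7, naming carol and frank as the accounts to reset; the single-user retries from 198.51.100.9 are left alone.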
Further, this list is significant enough that Troy Hunt blogged about the data and, importantly, the uniqueness of the data. This is not the usual repacked list of old names and passwords floating around. There is a significant amount of new data in this set, and he was able to verify with users that at least some of the data is 100% real.
https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
Ok, what does this mean for you? Well, if you use different passwords on sites and enable 2FA when available -- not much. But you should still look into it. If you don't typically use 2FA, here are some tips to fortify your digital defenses against such pervasive threats, adopting a few key practices.
Use Unique Passwords: Unique passwords stop credential stuffing in its tracks. If you want a down-and-dirty way to always have a unique password for a site without the need of a password manager - read Password Management and the Lazy Geek.
Leverage Password Managers: Password Managers generate, store, and fill complex passwords automatically, significantly reducing the risk of credential reuse and blunting credential stuffing attacks' effectiveness. I have used RoboForm for years, but a ton of people we know use 1Password and swear by it. That said, we have a nice list of password manager choices that can fit any need here.
Enable Two-Factor Authentication: This adds an additional layer of security, ensuring that even if your password is compromised, unauthorized access to your accounts remains blocked. Always use it when possible.
Regularly Update Your Passwords: Changing passwords periodically can prevent unauthorized access, especially after data breaches.
Remove Old Accounts: If you are still hanging on to that MySpace account and haven't used it in 5 years, delete it. The more user accounts you have, the higher the likelihood you will be a breach victim.
Be Security Mindful: Keep your devices updated with the latest security patches and antivirus software. An infected device can compromise your passwords and other sensitive data faster than anything else.
Stay Informed: Subscribing to news sources or services that track currently compromised services can be very handy. If you see that a service you use has reported a breach - be proactive.
Consider this perspective: every time you use a password for an online service, there's a risk that it could end up in the wrong hands. Given cybercriminals' relentless efforts to exploit every possible vulnerability, treat your passwords with the assumption they might be compromised from the second you make them. Sophisticated hackers are constantly probing for weaknesses and finding success every day. So stay vigilant!