Security researcher Troy Hunt has uncovered a massive breach involving nearly 71 million unique credentials, affecting websites such as Facebook, Roblox, eBay, and Yahoo. The data has been circulating on the internet for at least four months and was posted on a well-known underground market that trades compromised credentials. Unlike typical password dumps, this breach stands out because approximately 25 million of the passwords had never been leaked before, signifying a substantial volume of new data. The compromised credentials appear to come from “stealer logs,” indicating that malware collected them from compromised machines.
Hunt emphasized the importance of the breach, highlighting that a third of the email addresses had never been seen before, which makes it statistically significant. The passwords were exposed in plaintext, which is uncommon, as breached passwords are usually cryptographically hashed. The dataset was authenticated by contacting individuals associated with the listed emails, who confirmed the accuracy of the credentials. While the underground market post claimed the data came from a breach called naz.api, Hunt noted that a considerable portion of the credentials originated from credential stuffing rather than malware.
The impact of this breach is extensive, revealing widespread password weaknesses, with many reused passwords appearing across different services. Hunt’s analysis of the dataset, involving 100 million unique passwords, indicated that they recurred 1.3 billion times. The breach underscores the prevalence of weak and reused passwords, with some credentials reportedly valid as of 2020 or 2021. The exposure poses significant security risks and emphasizes the need for users to adopt stronger, unique passwords to mitigate the potential impact of such credential compromises.