Check your passwords as 71m stolen logins are leaked


All internet users have been urged to check whether their email address and passwords are in a new batch of 71 million leaked online.

It contains many details that have never been leaked before, warned Australian security consultant Troy Hunt.

Hunt, who runs the website Have I Been Pwned? (HIBP), said that it’s not unusual to see large collections of stolen addresses being sold online.

He explained that he normally ignores requests to examine them because most of the passwords and addresses have already been leaked online, and are part of the existing database you can search at HIBP.

But around a third of the 70,840,771 addresses in the latest leak, called ‘Naz.API’, aren’t listed by HIBP. This is “statistically significant”, Hunt said, meaning it’s likely they’ve never been made available online before for scammers to buy and use.

Hunt wrote on his blog (www.snipca.com/49031): “This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data.”

He was advised to look at the data by a “well-known tech company”, which took it “seriously enough to take appropriate action against their (very sizeable) user base”.

The data, comprising 319 files and 104GB, was stolen using malware from infected computers, Hunt said.

Hunt revealed that the leak contained details of 427,308 HIBP subscribers. He then emailed some to check whether the accompanying passwords in the leak were real. This helped him confirm that the leak contained genuine data.

Check if your details are included

His team has uploaded the data to its database, so if your email address and passwords are in the leak they’ll appear when you search for them at HIBP.

To search for email addresses, visit https://haveibeenpwned.com then click Enter; for passwords it’s https://haveibeenpwned.com/Passwords.

If you see the message ‘Good news — no pwnage found!’, it means what you searched for isn’t in any of HIBP’s sets of stolen details.

If you see ‘Oh no — pwned!’, it means your details were found, and you’ll see how many times. As an example, the password ‘Windows 12345’ is found 186 times in HIBP’s records (see screenshot).

Hunt launched HIBP in 2013, and has since added details from nearly 13 billion hacked
