Naz.API dataset with almost 71M stolen credentials exposed

Almost 71 million credentials from Facebook, Yahoo, Coinbase, and other sites have been exposed by the Naz.API dataset in the last four months, nearly 25 million of which were not observed in previous leaks, Ars Technica reports. Such data dump, which has been added to the Have I Been Pwned? breach notification service, has affected 427,308 HIBP subscribers, with more than 65% of the exposed addresses already in HIBP, according to the service's operator Troy Hunt. "When a third of the email addresses have never been seen before, that's statistically significant. This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data," said Hunt. While attackers have claimed that the information included in the dataset was obtained from stealer logs, Hunt noted that the data was largely from credential stuffing attacks, as indicated by the presence of a password he had used before 2011.