Incident Details
Receiving frequent credential stuffing lists has become a common occurrence for me. Individuals often reach out mentioning incidents like the purported Spotify breach, prompting me to reference my previous blog post denying the Spotify hack rumor. These lists typically consist of a limited number of credentials being tested on various platforms. Occasionally, however, the data holds greater importance, such as the significant Collection #1 leak in early 2019. Subsequently, Collections #2 to #5 emerged rapidly, leading to what I described as a detrimental trend that I chose not to engage with. The discovery of the Naz.API list altered this routine. Recently, an established technology company informed me about a bug bounty submission tied to a credential stuffing list shared on a popular hacking forum several months ago. Despite the delay in my knowledge of this incident, the company addressed the issue promptly within their extensive user base. Intrigued by this, I delved deeper into the list and discovered a striking detail: a substantial proportion of the email addresses had never been previously documented, indicating significant statistical relevance.
Incident
How Did the Breach Happen?
The breach stems from a credential stuffing list that was shared on a widely used hacking forum. A renowned technology company received a bug bounty report related to this list, prompting additional scrutiny.
What Data Has Been Compromised?
The breach exposed a total of 70,840,771 individual email addresses, with an important observation being that 65.03% of these emails were already listed in the Have I Been Pwned (HIBP) database.
Why Did the Company's Security Measures Fail?
The company's security controls proved ineffective in identifying and stopping the use of a credential stuffing list, resulting in unauthorized access to a substantial number of user accounts.
What Immediate Impact Did the Breach Have on the Company?
The company quickly responded to the breach by implementing measures to safeguard their user base, aiming to prevent any unauthorized access or compromises to user accounts.
How Could This Have Been Prevented?
To avoid this risk, the company needed to adopt more robust security measures such as multi-factor authentication and consistent monitoring for unusual activity. Furthermore, educating users about the importance of unique, strong passwords could have lessened the consequences of credential stuffing.
What Have We Learned from This Data Breach?
This incident underscores the constant danger posed by credential stuffing attacks and the importance of implementing strong security protocols. It also shows the value of consistent monitoring, prompt action, and user education in deterring unauthorized access to accounts.
Summary of Coverage
70,840,771 unique email addresses were compromised in the Naz.API credential stuffing list breach, many of which had not been seen before. The breach was a result of using a credential stuffing list, prompting a technology company to take measures to safeguard its users. This event highlights the importance of implementing stronger security protocols and educating users about password practices to reduce the chances of falling victim to credential stuffing attacks.