361 Million Stolen Accounts Leaked on Telegram Added to HIBP

Summary:
Some 361 million email addresses from credentials stolen by password-stealing malware and in credential stuffing attacks have been added to Have I Been Pwned’s (HIBP) data breach notification service, allowing anyone to check whether their accounts have been compromised. Researchers acquired these credentials from various Telegram cybercrime channels.

The dataset is unprecedented in its size and scope, containing a vast array of sensitive information, including:

  • 361 million unique email addresses
  • Passwords associated with these email addresses
  • Website URLs linked to the stolen credentials

Security Officer Comments:
The size of the dataset makes it difficult to verify which credentials are legitimate, and impossible to verify every single one. However, Troy Hunt, the founder of HIBP, confirmed that many of the email addresses are valid and correctly associated with the websites listed in the stolen credentials. Users whose credentials have been stolen will need to reset their passwords immediately and be aware that their accounts may have been compromised.

The origins of the stolen credentials are diverse, including:

  • Password-stealing malware
  • Credential stuffing attacks
  • Data breaches

Suggested Corrections:
The dataset highlights the alarming prevalence of cybercrime and the importance of good cybersecurity habits, such as:

  • Avoiding suspicious attachments and links
  • Downloading software only from trusted sources
  • Enabling the display of file extensions in Windows
  • Using antivirus software
  • Keeping software updated


This incident also underscores the need for individuals and organizations to prioritize password security, use strong and unique passwords, and enable two-factor authentication (2FA) whenever possible.

Link(s):
https://www.bleepingcomputer.com/ne...en-accounts-leaked-on-telegram-added-to-hibp/