What happened

According to public breach records, the Naz.API data breach on September 20, 2023 is reported to have exposed the personal information of 70,840,771 accounts.

In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" were posted to a popular hacking forum. The data contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords.

Passwords in this breach were reportedly stored in plaintext.

Naz.API is not a breach of a single company but a 104GB compilation of "stealer logs" (credentials harvested by infostealer malware from compromised computers), older credential-stuffing lists, and data from the now-defunct illicit.services site, posted to a hacking forum in September 2023. It surfaced publicly in January 2024 after a technology firm received a bug bounty submission referencing the list and forwarded it to Troy Hunt, who loaded roughly 70.8 million unique email addresses (paired with plaintext passwords) into Have I Been Pwned. What made it notable was that nearly one-third (about 35%) of the email addresses had never appeared in HIBP before, and the set contained about 100 million unique passwords seen 1.3 billion times, underscoring widespread password reuse.

What data was exposed

The following types of personal data were compromised:

  • Email addresses
  • Passwords

Breach details

| Detail            | Value              |
|-------------------|--------------------|
| Breach name       | Naz.API            |
| Date              | September 20, 2023 |
| Accounts affected | 70,840,771         |

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Naz.API; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

  • Change the password on any account using the exposed password, and on every other account that reused it — passwords appeared here in plaintext, so anything sharing that password is at immediate risk.
  • Turn on two-factor authentication (preferably an authenticator app or security key) on email, banking, and other important accounts so a stolen password alone can't grant access.
  • Because much of this data came from infostealer malware, run a full malware/antivirus scan on your devices — if a machine was infected, simply changing passwords won't stop continued theft.
  • Use a password manager to generate unique passwords per site, and stay alert for phishing emails sent to the exposed address that reference real old passwords to appear convincing.

Check your exposure

Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
