Hunt writes that a well-known tech company contacted him about Naz.API, a collection of one billion credentials.

The fact that a third of the email addresses have never been seen in previous leaks is significant.

Hunt posted a screenshot of the dataset that showed some of the stolen data.

Massive data dump containing millions of passwords sparks security alert: Is your data safe?

The passwords appear in plaintext rather than being hashed, and many are incredibly simple, commonly used strings.

Hunt contacted some people on the list to confirm that their credentials are or were at one time accurate.

Not all of the data comes from stealer malware.

A large percentage are the result of credential stuffing, which collates data from previous breaches.

One of Hunt’s own passwords appeared in the data, though he hasn’t used it since pre-2011.