They're an odd thing, credential lists. Whether they're from a stealer as in this week's Naz.API incident, or just aggregated from multiple data breaches (which is also in Naz.API), I inevitably get some backlash after loading them: "this doesn't tell me anything useful, why are you loading this?!" The answer is easy: because that's what the vast majority of people want me to do:
If I have a MASSIVE spam list full of personal data being sold to spammers, should I load it into @haveibeenpwned?
— Troy Hunt (@troyhunt) November 15, 2016
Spam lists are the same kettle of fish in that once you learn you're in one, I can't provide you any further info about where it came from and there's no recourse available to you. You're just in there, good luck! And if you do find yourself in one of these lists and are unhappy not that you're in there, but rather that I've told you you're in there, you have 2 easy options:
- Ignore it
- Unsubscribe
Or, if you've come along to HIBP, done a search and then been unhappy with me, my guitar lessons blog post is an entertaining read 😊
That's all from Europe folks, see you from the sunny side next week!
References
- Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
- The Naz.API stealer logs and credential stuffing lists got a lot of attention (big shout out to the folks angry that I wouldn't either store truckloads of plain text passwords for them or link them through to the original breach of everyone's personal info 🤦‍♂️)
- Couple of Phillips head screws through a laptop will stop it from disappearing (and if your takeaway is the correct identification of the laptop make, you're kinda missing the point...)