Naz.API 2023

In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords.

• Date: Sep 20, 2023
• Category: Compilation
• Records Announced: 70,840,771
• Numer of lines: 1,042,413,766
• Records Imported: 1,039,601,086
• Size: 71.32 GB
• Data: Email addresses, Passwords
• Passwords: Plain
• Imported:
• Links:
  • breachforums.st
  • haveibeenpwned.com

Verifications.io 2019

In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.

• Date: Feb 25, 2019
• Domain: verifications.io
• Country: United States
• Category: Data Broker
• Records Announced: 763,117,241
• Numer of lines: 808,539,849
• Records Imported: 808,536,946
• Size: 159.51 GB
• Data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
• Passwords: No
• Imported:
• Links:
  • breachforums.st
  • haveibeenpwned.com
  • raidforums.com

Exploit.in Combolist 2016

In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.

• Date: 2016
• Domain: exploit.in
• Country: India
• Category: Compilation
• Records Announced: 805,499,579
• Numer of lines: 805,499,579
• Records Imported: 804,330,534
• Size: 24.28 GB
• Data: Email addresses, Passwords
• Passwords: Plain
• Imported:
• Links:
  • haveibeenpwned.com
  • raidforums.com

腾讯 (QQ) 2020

Sometime in 2020, the Chinese website QQ suffered a data breach (Or was scraped). The attack led to the exposure of data including QQ Identifiers (User IDs) and Phone Numbers. In total, 719 million users were affected.

• Date: 2020
• Domain: qq.com
• Country: Switzerland
• Category: Chat
• Records Announced: 719,806,832
• Numer of lines: 719,806,832
• Records Imported: 719,806,830
• Size: 17.91 GB
• Data: QQ Identifiers (User IDs), Phone Numbers
• Passwords: No
• Imported:
• Links: breachforums.st

Onliner Spambot 2017

In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

• Date: Aug 28, 2017
• Category: Malware
• Records Announced: 711,477,622
• Numer of lines: 395,627,110
• Records Imported: 257,351,519
• Size: 9.22 GB
• Data: Email addresses, Passwords
• Passwords: Unknown
• Imported:
• Links: haveibeenpwned.com