Last Saturday, June 29, 2019, a group calling themselves Black Hawk Caphilates released a list of 37,122 email addresses, supposedly belonging to Nepali people, and claimed it to be the largest email leak in Nepal’s history. The tweet was subsequently removed but can still be seen on other social networks: http://archive.is/NkxiP. They said that Nepal was their target because it is a Hindu nation, and they have since released another leak, claiming it to be the largest data breach in India.
The leak consists mostly of Gmail addresses, which make up more than 73% of it. The next largest group is addresses under various .np domains, making up more than 7% of the leak. The addresses are mostly personal and appear to have been harvested from the domain registrar register.com.np (previously register.mos.com.np). Smaller leaks from various other sources may also have contributed.
This is not the first time register.com.np has been hacked and had its data leaked publicly. Given the lack of proper security practices and the nonchalant attitude towards them, it is no surprise that not only register.com.np but several Nepali government and organisational websites get hacked time and again. In fact, the current leak appears to contain data harvested from register.com.np at some point in the past.
Taking more than 18,000 of the email addresses as a sample, we checked them against haveibeenpwned.com and found that more than 41% of them had been compromised in at least one previous data breach.
Among those breaches, a significant portion comes from 000webhost. The cause for concern is that plaintext passwords were published in that breach and can still be found or bought somewhere on the Internet. This creates a significant risk of these emails being used in credential stuffing attacks, where attackers take credentials leaked from one site and try them against accounts on other websites. Since people often reuse passwords, credentials leaked in earlier breaches can be used to compromise the same users' accounts on many other websites.
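The kind of triage described in the two paragraphs above (domain breakdown of a leaked list, then a breach check that flags addresses whose earlier breach exposed passwords) can be scripted as follows. This is an added example, not the original analysis or any haveibeenpwned.com code: the addresses and breach records are constructed, and the breach lookup is an in-memory dict shaped like the per-account JSON a real HIBP query returns, so it runs offline.

```python
"""Triage a leaked e-mail list: domain distribution and prior-breach exposure."""
from collections import Counter

# Constructed sample addresses; they do not belong to real people.
SAMPLE_EMAILS = [
    "user1@gmail.com", "user2@gmail.com", "user3@gmail.com", "user4@gmail.com",
    "admin@example.com.np", "info@example.edu.np", "contact@example.org",
    "user5@yahoo.com", "User1@GMAIL.COM",  # duplicate differing only in case
]

# Constructed breach results keyed by normalised address. Each value mimics an
# HIBP breach object list (only "Name" and "DataClasses" kept); addresses absent
# from the dict are treated as "not found in any breach".
SAMPLE_HIBP = {
    "user1@gmail.com": [{"Name": "000webhost", "DataClasses": ["Email addresses", "Passwords"]}],
    "user2@gmail.com": [{"Name": "ExampleForum", "DataClasses": ["Email addresses", "Usernames"]}],
    "admin@example.com.np": [{"Name": "000webhost", "DataClasses": ["Email addresses", "Passwords"]},
                             {"Name": "ExampleForum", "DataClasses": ["Email addresses"]}],
}

def normalise(emails):
    """Lower-case, trim and de-duplicate so case variants count once."""
    return sorted({e.strip().lower() for e in emails if "@" in e})

def domain_breakdown(emails):
    """Return (share per mail domain, share of addresses under the .np ccTLD)."""
    addrs = normalise(emails)
    domains = Counter(e.rsplit("@", 1)[1] for e in addrs)
    total = len(addrs)
    np_share = sum(c for d, c in domains.items() if d.endswith(".np")) / total
    return {d: c / total for d, c in domains.items()}, np_share

def breach_exposure(emails, lookup):
    """Count addresses seen in any breach, and list those whose breach exposed passwords."""
    addrs = normalise(emails)
    pwned = [e for e in addrs if lookup.get(e)]
    password_exposed = [e for e in pwned
                        if any("Passwords" in b["DataClasses"] for b in lookup[e])]
    return {"total": len(addrs), "pwned": len(pwned),
            "pwned_share": len(pwned) / len(addrs),
            "password_exposed": sorted(password_exposed)}

if __name__ == "__main__":
    shares, np_share = domain_breakdown(SAMPLE_EMAILS)
    print(f"gmail share: {shares['gmail.com']:.0%}, .np share: {np_share:.0%}")
    print(breach_exposure(SAMPLE_EMAILS, SAMPLE_HIBP))
```

The addresses in `password_exposed` are the ones to prioritise for a forced password change, since they are the most likely credential stuffing targets.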
Gathering and publishing email addresses in itself poses no serious harm: just by crawling some Nepali websites and analysing previous international data breaches, we found almost 20k unique Nepali (.np) email addresses during our research for “Threat Report 2018”. But because plaintext passwords associated with these emails have previously been stolen, and given that people tend to reuse passwords, there is a huge risk that accounts linked to these emails across all platforms will be compromised.
If your email is in the list, we urge you to change the password on every account associated with it. To stay safe despite such leaks, never reuse passwords across different websites. Using strong passwords is critical, and to create strong passwords and keep them safe we recommend using a password manager. Enabling multi-factor authentication wherever possible is the surest way of eliminating the risk of credential stuffing attacks.