09 May 2017

Anti Public and Exploit.in release of credentials

Over the past few days there have been two significant releases of credentials, in lists known as Anti-Public and Exploit.in. In total, over 1 billion sets of details have been released.

  • The Anti-Public list has been in use since December 2016. It contains 458 million unique email addresses, many alongside multiple different passwords. This suggests they were stolen from multiple sites and online spaces.
  • The Exploit.in list appears to have been in use since late 2016, although the information has only recently been published in accessible forums. This list contains 593 million unique email addresses. 

At this time, the sources these credentials were stolen from is unknown. However, security specialist Troy Hunt has said that there are only 222 million instances of crossover between the two lists, which suggests that they’ve likely originated from different places. This also means that there’s a variation in the age of the credentials  some are years old, while some are more current.

It’s highly likely that these email addresses and passwords will be used for 'credential stuffing' attempts. Attackers will try the email and password combinations on different websites to see where passwords may have been reused, in order to gain access to a wide range of personal and financial information.

As a proactive measure, organisations like Spotify and DigitalOcean are encouraging all users to change their passwords urgently.

What to do


These releases have been extensively detailed by Troy Hunt, who runs the Have I been pwned? website. While CERT NZ has no affiliation with this website, and has not verified the data contained there, it does appear to be the central repository of all data breached in these releases. Users can visit the site to see if their email address is included in the list of released details.

Check your email address on Have I been pwned?

  • If your email address appears on the list of compromised details, CERT NZ strongly recommends changing the password for any website you use this email address to log in with. It’s important to ensure that you use unique passwords for all online accounts. 
  • If an email address from your company is found in one of the lists, CERT NZ recommends forcing an immediate roll of passwords for all systems that staff require credentials to log in to. 
  • For organisations concerned about the impact that this credential release may have had, CERT NZ suggests conducting an audit of access logs for the past three days and verifying whether any unauthorised remote login attempts have taken place. CERT NZ can provide more detailed advice on which logs to check for any organisation that requires it.

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

Further information on the Anti Public and Exploit.in releases