UK Cyber Cops Share 225 Million Passwords with Breach Site

UK cyber investigators have handed over 225 million stolen passwords to a popular data breach checking website, significantly expanding its reach.

HaveIBeenPwned allows users to easily check if their email, phone number or password has been involved in a breach, enabling them to take action accordingly.

However, the service is only as useful as the volume of compromised information stored in its databases.

That’s why founder Troy Hunt is particularly grateful to the National Crime Agency (NCA) for the new addition, which amounts to roughly a third of the 613 million credentials already stored in the site’s Pwned Passwords service.

The full set handed over by the NCA was nearly 586 million but ­­reduced in size once already known passwords were stripped out.

“During recent NCA operational activity, the National Cyber Crime Unit’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” explained an NCA statemement.

“The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other third parties to commit further fraud or cyber-offenses.”

The NCA said that because the credentials were not attributable to a single platform or company, it decided sharing with Hunt would be the best option so individuals and companies globally could benefit.

The news comes as Hunt announced a new “ingestion pipeline,” which will enable law enforcement agencies like the FBI to continuously feed any newly discovered breached credentials into the service.

“The premise is simple: during the course of their investigations, they come across a lot of compromised passwords and if they were able to continuously feed those into HIBP, all the other services out there using Pwned Passwords would be able to better protect their customers from account takeover attacks,” said Hunt.

“If you’re using the Pwned Passwords API to check passwords, you’re already benefiting; every new password added to the service will automatically be checked each time you call that API. Further, passwords already in the service are having their prevalence value updated to ensure you know just how bad those passwords really are.”

What’s Hot on Infosecurity Magazine?