Following the FBI’s password contribution to Have I Been Pwned earlier this year, the UK government has now shared 585 million passwords the service to allow users to check if their login information has been compromised.
After importing and parsing, Troy Hunt, the creator of Have I Been Pwned, announced that 225,665,425 passwords out of the entire set of 585,570,857 received from the National Crime Agency turned out to be unique. NCA’s data comes from the National Cyber Crime Unit (NCCU) collected during cybersecurity investigations.
Hunt also went out to say that in the last month, there were 1,260,000,000 occasions where a service used the HIBP API to check for stolen credentials. Like previous releases, the new version (8) is downloadable as SHA-1 and an NTLM hash.
Before the NCA’s contribution, there were already 613 million unique passwords with HIBP, with the millions in Hunt’s local working copy waiting for the next release. In his own words, “NCA’s corpus represented a significant increase in size.”
With this contribution, the total number of passwords in HIBP’s database now comes to around 847 million — an increase of 38%.
All these passwords are now searchable in HIBP’s live API, available free (and open-source) online for any service to protect its users from account takeovers and alert them in advance of any credential breaches.
According to the NCA, the passwords were stored in a cloud storage location belonging to a UK business being used by unidentified threat actors to deposit the stolen data. Since the identified credentials could not be linked to any one company or platform, the NCA went ahead and collaborated with HIBP, allowing the passwords to be searched by any individual or organisation.
“Over 225 million compromised passwords previously unseen by HIBP were provided by the NCA to HIBP for incorporation into their password repository, allowing them to be checked by individuals and companies worldwide seeking to verify the security risk of a password before usage, supporting the NCA’s mission to protect the public from cyber criminality,” the NCA said in a statement.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.