Have I Been Pwned gets 225 million new passwords from UK’s NCA

Following the FBI’s password contribution to Have I Been Pwned earlier this year, the UK government has now shared 585 million passwords with the service to allow users to check if their login information has been compromised.

After importing and parsing, Troy Hunt, the creator of Have I Been Pwned, announced that 225,665,425 passwords out of the entire set of 585,570,857 received from the National Crime Agency turned out to be unique. The NCA’s data comes from the National Cyber Crime Unit (NCCU) and was collected during cybersecurity investigations.

Hunt also went on to say that in the last month, there were 1,260,000,000 occasions where a service used the HIBP API to check for stolen credentials. Like previous releases, the new version (8) is downloadable as SHA-1 and NTLM hashes.

Before the NCA’s contribution, there were already 613 million unique passwords in HIBP, with millions more in Hunt’s local working copy waiting for the next release. In his own words, “NCA’s corpus represented a significant increase in size.”

With this contribution, the total number of passwords in HIBP’s database now comes to around 847 million — an increase of 38%.

All these passwords are now searchable in HIBP’s live API, available free (and open-source) online for any service to protect its users from account takeovers and alert them in advance of any credential breaches. 

According to the NCA, the passwords were stored in a cloud storage location belonging to a UK business, which unidentified threat actors were using to deposit the stolen data. Since the identified credentials could not be linked to any one company or platform, the NCA went ahead and collaborated with HIBP, allowing the passwords to be searched by any individual or organisation.

“Over 225 million compromised passwords previously unseen by HIBP were provided by the NCA to HIBP for incorporation into their password repository, allowing them to be checked by individuals and companies worldwide seeking to verify the security risk of a password before usage, supporting the NCA’s mission to protect the public from cyber criminality,” the NCA said in a statement.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.