UK National Crime Agency finds 225 million previously unexposed passwords

Shares them with Troy Hunt’s Have I Been Pwned after sweeping them up from ‘compromised cloud storage’

The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.

We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.

The NCA shared 585,570,857 with HIBP, and Hunt said 225,665,425 were passwords that he hasn’t seen before in the 613 million credentials HIBP already stored before the NCA handed over this new batch.

The NCA sent Hunt a statement explaining how it found the passwords:

During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.

The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.

The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.

  • flamingo228
  • Alexei2005
  • 91177700
  • 123Tests
  • aganesq

Today's release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.

Hunt’s post also announced that HIBP’s new ingestion pipeline is now live and enables mass uploads of compromised passwords by law enforcement agencies. The FBI is already in on the action. ®

Other stories you might like

  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – and – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Password recovery from beyond the grave
    Does your disaster recovery plan include a mysterious missive at a funeral?

    On Call Every disaster recovery plan needs to contain the "hit by a bus" scenario. But have you ever retrieved a password from beyond the grave? One Register reader has. Welcome to On Call.

    Today's tale, told by a reader Regomized as "Mark" takes us back some 15 years when he was handling the IT needs for a doctor's office. The job was relatively simple and involved keeping the systems up and running as well as taking the odd call when things went wrong and he wasn't on-site.

    His contact at the practice worked at the reception desk, and Mark would exchange pleasantries with this individual on his way to deal with whatever that day's needs were. This went on for some time until there was a mysterious lull in contact. There was not a peep from the office until, after a few months, the on-call phone rang. It wasn't his usual contact, and Mark was asked if there any chance he could pop by?

    Continue reading

Biting the hand that feeds IT © 1998–2022