UK National Crime Agency finds 225 million previously unexposed passwords
Shares them with Troy Hunt’s Have I Been Pwned after sweeping them up from ‘compromised cloud storage’
The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.
We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.
The NCA shared 585,570,857 passwords with HIBP, and Hunt said 225,665,425 of them were passwords he had not seen before among the 613 million credentials HIBP already stored before the NCA handed over this new batch.
The NCA sent Hunt a statement explaining how it found the passwords:
During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.
The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.
The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.
Today's release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.
Hunt’s post also announced that HIBP’s new ingestion pipeline is now live and enables mass uploads of compromised passwords by law enforcement agencies. The FBI is already in on the action. ®