The UK’s National Crime Agency (NCA) shared more than 585 million passwords collected during an investigation with the Have I Been Pwned (HIBP) service.
This makes NCA the second law enforcement agency to engage in this operation, after the FBI contributed millions of passwords to HIBP earlier this year.
The NCA’s National Cyber Crime Unit (NCCU) collected the generous library of compromised passwords during the investigation of various cyberattacks. HIBP added the passwords to the Pwned Passwords section of the website.
After importing and processing data received from the NCA, HIBP detected 225,665,425 completely new passwords, HIBP’s creator, Troy Hunt, said in a blog post.
He added that, even if the NCA were to submit less than half of the password collection, the contribution would have still been significant to the service’s efforts.
Now, keep in mind that before today’s announcement, there were already 613M of them in the live Pwned Passwords service (and many millions more in my local working copy waiting for the next release), so the NCA’s corpus represented a significant increase in size. – Troy Hunt
Reportedly, the NCA told Hunt that the passwords originated from a UK business-owned cloud storage location that perpetrators used to store compromised login credentials.
Furthermore, investigators believe the passwords were harvested from several data breaches and used by third parties in other cyberattacks and attempts at fraud.
Have I Been Pwned is a service that lets users check if their email address or phone number has been compromised by querying several data breaches. 27 governments rely on HIBP to regularly check user accounts to detect if any sensitive data has leaked into the public domain.
Currently, the collection of ‘Pwned Passwords’ on HIBP’s website totals 5.5 billion entries, with 847 million unique ones. The password library can also be downloaded for free, so individuals and companies can perform cross-checks against it locally, without an Internet connection.