UK Donates Stolen Passwords To Have I Been Pwned Website

National Crime Agency (NCA) donates a recovered database of 585 million stolen passwords to Troy Hunt’s famous disclosure service

UK and US law enforcement officials are now donating stolen passwords found during their investigations to Troy Hunt’s Have I Been Pwned (HIBP) website, which checks compromised login credentials.

In a blog post, Australian security researcher Troy Hunt confirmed that the FBI and the UK’s National Crime Agency (NCA) are now feeding stolen passwords into his service. Hunt said the NCA’s database represents a “significant increase in size” of HIBP’s data.

“Today, I’m really excited to mark a major milestone in the project thanks to the support of two of the world’s foremost law enforcement agencies, the FBI and the NCA,” he blogged.

Troy Hunt, Have I Been Pwned?

NCA contribution

The HIBP website is a well-known resource in security circles: a single place where people can check whether their personal data has been exposed in any data breach.

Hunt created the HIBP website in December 2013 and quickly became recognised as a data breach expert.

Hunt said he created the website after Adobe leaked 153 million usernames and weakly encrypted passwords back in 2013.

Anyone can use the HIBP website by entering an email address to discover whether it appears in the exposed data. Users can also enter a password to see whether it features in a data breach.

The UK’s NCA has now contributed more than 585 million passwords to the Have I Been Pwned (HIBP) service, adding to the existing 613 million entries in the Pwned Passwords data, which lets users check whether their email address or password has been compromised by cyber criminals.
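The password check described above does not require the password itself to be sent anywhere. The Pwned Passwords range API (a public endpoint that this article does not describe) accepts only the first five hex characters of the password’s SHA-1 hash and returns every known hash suffix under that prefix together with its breach count, so the actual match is made on the client. The following Python script is an added example, not code from the article or from HIBP, that implements this client-side check; the range response embedded in it is constructed for the example (only the entry for “password” reflects a real, widely breached value, and its count is illustrative), and only `fetch_range` touches the network.

```python
"""Client-side Pwned Passwords check using the k-anonymity range scheme.

Added example. Only the 5-character SHA-1 prefix is sent to the service; the
full hash never leaves the client. The sample range body below is constructed
for this example and is not a real API response.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real public endpoint

# Constructed sample: what a range response for prefix 5BAA6 looks like.
# Each line is "<35-char SHA-1 suffix>:<number of times seen in breaches>".
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
4A2DBD4CF8C4A2A8BBA9A6D8CFFAA2E4EA8:2
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that is matched locally."""
    if len(hex_digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping.
    Blank lines are ignored; malformed lines raise rather than being skipped
    silently, so a truncated or tampered response is noticed."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_prefix: str, range_body: str) -> int:
    """Number of times the password appears in breaches according to the
    given range response, or 0 if its suffix is absent. The caller must pass
    the response for the password's own prefix; a mismatch is an error."""
    prefix, suffix = split_hash(sha1_hex(password))
    if prefix != range_prefix.upper():
        raise ValueError("range response is for a different hash prefix")
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range response for a 5-char prefix (network access)."""
    req = urllib.request.Request(
        RANGE_URL + prefix.upper(),
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check against the live service: send only the prefix,
    match the suffix locally, return the breach count."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, prefix, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    seen = breach_count("password", SAMPLE_PREFIX, SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {seen} times in the sample range")
```

A practitioner wiring this into a registration or password-change flow would reject any candidate whose count is greater than zero and would treat a `ValueError` from the parser as a failed check rather than a clean pass.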

Troy Hunt has confirmed that, after parsing the NCA data against the existing set, 225 million of the compromised passwords were found to be completely new.

“The UK’s National Crime Agency has done some wonderful work over the years to combat cybercrime,” noted Hunt. “Back when I could travel, I’d often catch up with NCA folks in London and it was always fascinating to get just a little glimpse into how they were tackling things in that corner of the world.”

“A little while back I was having a chat with some NCCU folks (the NCA’s National Cyber Crime Unit), and talk turned to passwords,” noted Hunt. “Turns out that like the FBI, they come across rather a lot of them and they had a very large corpus (as in hundreds of millions) they believed weren’t already in HIBP.”

“Now, keep in mind that before today’s announcement, there were already 613M of them in the live Pwned Passwords service (and many millions more in my local working copy waiting for the next release), so the NCA’s corpus represented a significant increase in size,” said Hunt.

“Working in collaboration with the NCA, I imported and parsed out the data set against the existing passwords, I found 225,665,425 completely new instances out of a total set of 585,570,857,” he noted. “As such, this whole set (along with other sources I’d been accumulating since November last year) has all been rolled into a final version of the manually released Pwned Passwords data.”

NCA response

“During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility,” the NCA said. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.”

“The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences,” noted the NCA.

“Because the credentials identified could not be attributed to any one company or platform, the NCCU engaged with Troy Hunt, the CEO and creator of the ‘Have I Been Pwned’ (HIBP) website,” the UK agency stated. “The NCCU’s Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain.”

“As a result of this activity, over 225 million compromised passwords previously unseen by HIBP were provided by the NCA to HIBP for incorporation into their password repository, allowing them to be checked by individuals and companies worldwide seeking to verify the security risk of a password before usage, supporting the NCA’s mission to protect the public from cyber criminality,” it concluded.

HIBP’s Pwned Passwords project lets law enforcement agencies in multiple countries add passwords found during investigations.

With the NCA’s contribution, the number of credentials in the Pwned Passwords service increased by 38 percent, to more than 847 million.