It’s come to light that the UK’s National Crime Agency (NCA) and National Cyber Crime Unit have recently uncovered a whole host of stolen passwords.
This was after Troy Hunt, of ‘Have I Been Pwned’ (HIBP) fame, announced he’d been handed them to add to his service, which allows anyone to check if any of their credentials have been exposed.
Apparently, 585,570,857 passwords were shared by the NCA, with over 225,665,425 being passwords that HIBP had never seen before.
That takes the number of credentials that people can now check with HIBP to over 840 million (847,223,402 to be exact).
During recent NCA operational activity, the NCCU’s [email protected] team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.
National Crime Agency statement
The NCA haven’t revealed where these passwords came from or how they came to light (outside of their above statement).
Before today’s announcement, there were already 613 million passwords in the live Pwned Passwords service… so the NCA’s corpus represents a significant increase in size. Working in collaboration with the NCA, I imported and parsed out the data set against the existing passwords, I found 225,665,425 completely new instances out of a total set of 585,570,857. As such, this whole set (along with other sources I’d been accumulating since November last year) has all been rolled into a final version of the manually released Pwned Passwords data.
Troy Hunt – HIBP Founder
HIBP have also confirmed they’ve added a new ingestion pipeline which allows law enforcement agencies around the globe to mass upload compromised passwords, with agencies such as the FBI already availing themselves of the service.