
UK donates 225 million stolen passwords to breach-checking site Have I Been Pwned

A password on a sticky note next to a keypad and a phone

British law enforcement has donated 225 million unique passwords to a cybersecurity project helping protect users against hackers.

The National Crime Agency (NCA) recovered a database that cybercriminals had compiled of email addresses and passwords belonging to real users.

This list was added to the free Have I Been Pwned (HIBP) online service.

The service lets anyone check whether a password appears among the hundreds of millions of passwords already in criminal hands; the Pwned Passwords lookup is designed so that the password itself never has to be sent to the site.

Troy Hunt, the security researcher who manages the site, announced Friday that he now has a “pipeline” feature that allows law enforcement to add recovered passwords to the service.

“The principle is simple,” he wrote in a blog post.

“During their investigations, they come across many compromised passwords, and if they could feed them continuously into HIBP, all other services using Pwned Passwords would be able to better protect their customers against attacks from account takeover.”

An account takeover occurs when an attacker obtains a user’s username and password for an online service and uses them to take control of that account. Because people reuse passwords, credentials stolen from one site are routinely replayed against others (credential stuffing), which is why a service can protect its own users by refusing passwords already known to be compromised.
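How a site can run such a check without ever sending the user’s password to HIBP, as an added example written for this page (not HIBP’s own code): the public Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every stored hash suffix sharing that prefix, each with its breach count, so the match is made on the client (k-anonymity). The block below reimplements both sides so it runs offline: a toy server index built from a constructed corpus, and a client that performs the five-character range query and the registration-time rejection. The corpus, counts and function names are assumptions of this example; `hibp_range_lookup` targets the real endpoint as I understand it but is not exercised here.

```python
"""k-anonymity password check modelled on the Pwned Passwords range API.

Both halves (a toy server index and the client) live in this file so it runs
offline. SAMPLE_CORPUS is constructed for illustration and is not HIBP data.
"""
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample corpus: password -> number of times seen in breaches.
SAMPLE_CORPUS: Dict[str, int] = {
    "password": 5,
    "123456": 9,
    "letmein": 2,
    "Summer2021!": 1,
}

PREFIX_LEN = 5  # hex chars sent to the server: 20 bits of the 160-bit SHA-1
_PREFIX_RE = re.compile(r"^[0-9A-F]{5}$")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every hash by its 5-hex-char prefix."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return index


def local_range_lookup(index: Dict[str, List[Tuple[str, int]]]) -> Callable[[str], str]:
    """Return a lookup callable answering like the public range endpoint:
    one 'SUFFIX:COUNT' line per hash sharing the prefix, CRLF-separated."""
    def lookup(prefix: str) -> str:
        prefix = prefix.upper()
        if not _PREFIX_RE.match(prefix):  # server refuses anything but 5 hex chars
            raise ValueError("prefix must be exactly 5 hex characters")
        rows = sorted(index.get(prefix, []))
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)
    return lookup


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real service (needs network; not run here).
    Endpoint and response format as documented for the public range API."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Client side: send only the first 5 hex chars of the SHA-1 and match the
    suffix locally. Returns the breach count, or 0 if the password is unknown."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        cand, _, count = line.partition(":")
        if cand.strip().upper() == suffix:
            return int(count.strip())
    return 0


def accept_password(password: str, range_lookup: Callable[[str], str]) -> bool:
    """Registration / password-change policy: refuse any password seen in a breach."""
    return pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    lookup = local_range_lookup(build_range_index(SAMPLE_CORPUS))
    for pw in ["password", "letmein", "a-long-and-unique-passphrase"]:
        print(pw, "->", pwned_count(pw, lookup), "accept:", accept_password(pw, lookup))
```

Note that the server only ever learns 20 bits of the hash, so a single prefix covers many unrelated passwords; the trade-off is that each query returns a few hundred suffixes on the real service, which is cheap for the client to scan. Hashing with SHA-1 here is a lookup key, not password storage: the site should still store its own credentials with a slow, salted hash.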

HIBP is free, but accepts donations, advertising and sponsorships.

Mr Hunt said the US FBI and UK NCA will now be able to contribute using the open source systems his team has built. He especially thanked the NCA for the “donation” of 225 million new passwords.

“Prior to today’s announcement, there were already 613 million passwords in the Pwned Passwords live service, so the NCA corpus represents a significant increase in size,” he wrote.

“Working in conjunction with the NCA, I found 225,665,425 completely new passwords. Now each of these NCA passwords is searchable.”

The NCA now encourages people to search the website for their own passwords.

If your password appears in the database, it is in the hands of cybercriminals and you need to change it, both on the site where you used it and on any other account where you reused it.

Chris Lewis-Evans, of the NCA’s National Cyber Crime Unit, said the huge list of compromised passwords came from the largest set the NCA has ever recovered: more than two billion email address and password pairs.

“Last year the NCA, working with UK police, identified that there had been a compromise in a UK organization’s cloud storage facility, resulting in the download of over 40,000 files on their servers by cybercriminals,” he said, without identifying which cloud provider was involved.

“Once the financial and other personally identifiable data was mitigated, officers were left with a lot of identifying information that could not be traced to specific data breaches,” he said.

These 225 million passwords constituted the “gift” to HIBP.

Cyber attacks “often” end with the theft of personal data such as passwords, as well as financial and other information, he said. The criminals then sell this data to others to commit fraud.

Making these passwords searchable for those trying to keep their accounts secure would “significantly” limit their usefulness to criminals, he said.