UK Security Agency Shares 225M Passwords With 'Have I Been Pwned'

The UK's National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have contributed 225 million new compromised emails and associated passwords with Have I Been Pwned (HIBP), a free service that tracks stolen credentials so people can know if theirs have been breached.

During recent NCA operations, the NCCU's Mitigation@Scale team identified more than 585.5 million potentially compromised credentials (emails and associated passwords), which were in a compromised cloud storage facility. In a statement on HIBP, the NCA says analysis revealed the credentials represented an accumulation of known and unknown datasets.

"The fact that they had been placed on a UK business's cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences," officials wrote.

NCCU officials reached out to Troy Hunt, the founder and CEO of HIBP, which already has 613 million passwords in its live Pwned Passwords service. Hunt imported and parsed out the NCA-provided dataset against the existing passwords and found more than 225.6 million new instances. Now, all passwords the NCA shared are now searchable in HIBP's live API.

Read more details here.