UK Security Agency Shares 225M Passwords With 'Have I Been Pwned'

The UK's NCA and NCCU have shared 225 million stolen emails and passwords with HIBP, which tracks stolen credentials.

Dark Reading Staff, Dark Reading

December 21, 2021

1 Min Read
Dark Reading logo in a gray background | Dark Reading

The UK's National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have contributed 225 million new compromised emails and associated passwords with Have I Been Pwned (HIBP), a free service that tracks stolen credentials so people can know if theirs have been breached.

During recent NCA operations, the NCCU's Mitigation@Scale team identified more than 585.5 million potentially compromised credentials (emails and associated passwords), which were in a compromised cloud storage facility. In a statement on HIBP, the NCA says analysis revealed the credentials represented an accumulation of known and unknown datasets.

"The fact that they had been placed on a UK business's cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences," officials wrote.

NCCU officials reached out to Troy Hunt, the founder and CEO of HIBP, which already has 613 million passwords in its live Pwned Passwords service. Hunt imported and parsed out the NCA-provided dataset against the existing passwords and found more than 225.6 million new instances. Now, all passwords the NCA shared are now searchable in HIBP's live API.

Read more details here.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights